In 2022 there was tremendous hype around browser security and enterprise browsers. But while they claim to provide “enterprise grade security”, enterprise browsers are actually far from perfect. In fact, they have some critical downsides.
What are they and what’s the alternative? In this blog I will distinguish between browser security and enterprise browsers, address the pros and cons of each, and shed some light on the browser debt incurred when migrating to an enterprise browser. Read on to see which claims are made by enterprise browser companies and whether they can actually live up to them.
The browser needs more security. Is an enterprise browser the right solution?
In the last couple of years there were some tectonic shifts in IT. These shifts made traditional security solutions, like firewalls, SWGs, VDIs, and VPNs, irrelevant. Network security tools cannot inspect complex SaaS applications, which are becoming prevalent across the workforce. Employees work remotely and hate browsing via a VPN. Data is scattered between countless applications and is difficult to protect. Virtual desktops are expensive and provide poor performance; they are the wrong tool for the job of accessing web applications.
In other words, the most commonly used tools of the enterprise cybersecurity stack are becoming useless. This is a perfect storm that made organizations crave for a modern browser security solution that provides visibility, security, and control into every web session.
True browser security requires addressing the browser point of view, to ensure it takes into account end-to-end encryption and the rendering process. Taking into consideration the browser architecture, such a solution can be delivered in one of two ways:
- A browser extension on top of the existing browser (the result is similar to an EDR on top of the OS)
- Using Firefox or Chromium rendering engines to build a new browser (the result is similar to customizing a Linux/Android OS to create a new flavor)
What is an enterprise browser?
Enterprise browsers (AKA “secure enterprise browsers”) are Chromium-based (or Firefox-based) browsers that are built for the enterprise environment. They provide Chrome (or Firefox) rendering capabilities. But instead of the native Chrome/Edge features, they introduce their own security, management and identity features.
Enterprise browsers ask customers to say goodbye to their beloved Chrome, Edge, Firefox, and Safari in favor of something new and allegedly more secure. In return, they incur a monthly subscription fee, a not-so-simple deployment process, and rigid vendor dependency.
The claims made by enterprise browser vendors, intended to convince organizations to choose them, aren’t valid from my point of view. In the next section I will refer to each of these claims and provide my two cyber cents about them.
“Half a truth is often a great lie” – Benjamin Franklin
Claim #1: Chrome is the most vulnerable browser
FALSE
This is a classic example of survival bias. Google is not the most vulnerable browser, but rather the most patched browser! Google’s project zero is the best example of software vulnerability scanning in the history of IT.
Most Chromium vulnerabilities are discovered by Google’s engineers and only a few ever get to be exploited in the wild. Moreover, the number of distinct vulnerabilities required to successfully exploit this browser is on a steep rise. As a fact, the word on the digital street is that if you can perform remote code execution with a sandbox escape, you can sell it for a few million dollars.
You should actually be more worried about products that don’t disclose their vulnerabilities. If they don’t disclose them, they don’t fix them. Google, on the contrary, is open and transparent about Chromium’s vulnerabilities, maintains it as an open source project and demonstrates the fastest patching routine in the IT industry.
The underlying truth for CISOs is that Chromium browsers provide the best security architecture in their environment. It is actually the IT tools without proper vulnerability disclosure they should be worried about.
If you don’t agree, try and find a CISO that experienced a Chrome zero-day exploitation or just try to exploit Chrome yourself.
Claim #2: Enterprise browsers patch vulnerabilities faster than Chrome
MOSTLY FALSE
Google has a predictable software release lifecycle. Every software update is deployed according to the following steps: canary, beta, unstable, and stable. Sometimes it will take a few weeks for a new piece of code to go from being written to being deployed worldwide.
Some enterprise browsers claim to push software updates to production faster than Google, meaning they allegedly patch vulnerabilities faster than Chrome.
However, impactful vulnerabilities are actually patched by Google in an out-of-band manner, within days and outside of Chrome’s regular release lifecycle. This means that when dealing with a shit-hit-the-fan type of vulnerability (severe, exploited in the wild, etc.), Google makes an outstanding effort to fix it in no time.
This new piece of code in Chromium is not labeled as related to security issues and it goes straight to production. In other words, enterprise browsers have no way of knowing it is significant and which compatibility issues may arise.
My advice would be to ask your enterprise browser to release its version history. It is good practice for software vendors to be transparent about their actual release cycle.
Claim #3: Enterprise browser code is more secure than commercial browser code and is immune to attacks on the browser
MAYBE
Any piece of software has its vulnerabilities and security issues (even an enterprise browser). The question is – are there security gaps in standard browsers? The best way to answer that question is to check the ways that enable breaching commercial browsers.
The answer is provided by both malware and antivirus software. Both want access to the browser to monitor activity – malware to steal passwords and antivirus software to block malware. Both usually do this by deploying a local browser extension. This means that it’s difficult to monitor browser activity, as the browser is isolated in a sandbox with limited access to the rest of the system, and uses encryption to protect data. It is actually secure enough on the code level.
Gaps do exist, but not at the code level. Browser data files (cookies, password files, and downloads) can be accessed by malware. But this doesn’t require changing the entire browser. Additionally, if malware is what you are scared of, your best bet is to use an endpoint protection solution. Use the right tool for the job.
To add a side note – I would personally fear that the enterprise browser will introduce more vulnerabilities than those it could patch. The reason for this is that Chromium is supported by both Google and a huge ecosystem involved in its open source project. The Chromium code features an amazing standard for security baseline. I would fear much more from new code that interferes with the existing code and the existing way of work than of Chromium code.
Claim #4: Commercial browsers do not provide sufficient governance and management capabilities
PARTIALLY TRUE
For Google Workspace customers, Chrome Enterprise is free and provides out-of-the-box management capabilities. For Office365 users, there are managed Edge settings that can be set by device management tools. They are not as granular as enterprise browsers are, but these gaps can be solved with an enterprise browser extension.
An enterprise browser extension (such as LayerX) adds in-session management capabilities and controls various browser APIs. This enables customizing existing browsers and turning them into enterprise-grade secure browsers. While the browser brings the availability and reliability of web traffic, the extension adds security and governance capabilities on top of it.
As a matter of fact, this is exactly what browser vendors intentionally allow. Managed browsers (Chrome and Edge), as well as Firefox and Safari, all support rich and stable customization capabilities with enterprise browser extensions.
Claim #5: Extensions are not as powerful as the browser
IRRELEVANT AND MOSTLY FALSE
This claim is equivalent to saying that a tablespoon is more powerful than a teaspoon. It really depends on what you want to stir.
With regards to browser security, most use cases are related to the rendered content (in simple words – the websites we browse to). Extensions have the same accessibility to the rendered content (i.e post decryption, source code, DOM, browser debugger, and tons of fun stuff). This means that a simpler tool than the browser can get the job done with less effort.
Capabilities that an extension cannot handle are already treated quite well by the browser vendors. Google, Microsoft, Mozilla, and Apple are doing an incredible job in providing a SOTA product with tons of security features inside. In other words, you are not comparing enterprise browsers vs. an extension solution, but actually enterprise browsers vs. the Chrome+extension combo.
In addition, the power of enterprise browsers is a double-edged sword. The more changes they make to Chromium, the higher the chances are that they will fork from it, making them impossible to update in reasonable time frames. The meaning of this is that enterprise browsers are likely to make as little changes as possible into the Chromium code, while basing most of their security on a bundled extension or on a local proxy.
Claim #6: Enterprise browsers provide the same experience as Chrome
HALF THE TRUTH
It is Chromium that gives a SIMILAR experience to Chrome. The experience isn’t identical and no one promises that Google will keep sharing most of its code with its competitors. Over time, we see Google adding specific capabilities into Chrome that are not a part of Chromium.
What enterprise browsers won’t tell you
I anticipate that, in addition to their unique benefits, enterprise browsers will also have some unwelcome downsides that will bring many IT teams to tears in the upcoming years.
These downsides include:
- Unreliable and inconsistent patching routine: Enterprise browsers don’t publish their patching routines. But extrapolating from Brave and Edge, it may take them at least 12 hours (and up to several days) to patch Chromium zero-day vulnerabilities that were patched by Google in an out-of-band manner.
- Potential application incompatibility: Companies will keep building their applications for Chrome and Edge. But even if today an enterprise browser is fully compatible, no one guarantees that tomorrow will be the same. Any added code on top of Chromium may have its own issues and bugs, meaning employees may not have access to the applications they need to get their work done.
- Partial visibility: Your employees will still use commercial browsers as much as they can (for either work or fun). This means that you will be left with massive gaps, which might entail feature data loss and threats.
- The worst vendor lock in the history of cyber security: Imagine that you are using an enterprise browser. You are happy with it. However, a better enterprise browser arrives at a cheaper cost. How will you migrate? All your preferences, identities, passwords, and cookies are stored inside your existing browser. The browser companies advertise that all their cookies are encrypted and that all memory is fully isolated. If it does the job it says it does, then you will find yourself in a vendor lock.
- Losing free capabilities: Your existing browsers come with some amazing capabilities. Chrome has the best blocklist in the industry. Edge has the best local isolation service (AppGuard). Firefox brings incredible privacy features. The list goes on and on. Keep in mind that by using those browsers, you are getting great value at no cost.
- Infinite friction: Someday, something won’t work with the enterprise browser. It may be due to a problem on the enterprise browser vendor side, Google restricting the ability of other browsers to use Chromium, or a mere employee mistake. One thing is certain – the employee is most likely to say “this browser isn’t working. It sucks.” Using an enterprise browser will likely involve a lot of friction with your workforce as very few security products ask employees to change the way they work. Changing the way people work is more of a cultural burden than a security asset.
- The digital identity struggle: The number one feature of Chrome and Edge (the icing on the cake) is their integration with the cloud office identity. This means that for organizations using Google Workspace, Chrome gives a browser profile attached to the Google identity. For Office365 users, Edge gives a browser profile attached to the Microsoft identity. This means that almost every organization out there already enjoys a paid managed browser (either Chrome or Edge) that works amazingly with its relevant SaaS applications suite. Moving to another browser will degrade this experience and add yet another (unneeded) identity service to the IT stack. Instead of adding security, it will only cause confusion among employees and increase the overhead on IT.
The secure and frictionless alternative to enterprise browsers
There is one thing that the enterprise browser companies are spot-on about; the browser is the most important workspace and the most valuable visibility source into the organization. At LayerX we think that the solution for securing the browsers is simple – we need to bring as much security as possible to existing browsers.
The same way that operation systems are being secured by endpoint protection solutions (instead of a hardened Linux flavor) and email services by email security tools (instead of a customized “secure email”), a browser security platform is the solution for browser security concerns.
Using an enterprise browser extension brings all the possible security capabilities to the browser, without compromising the user experience.