Two of the greatest trends driving corporate strategy in 2023 are security-savvy directors and regulatory compliance. This has led to impressive strides in the security stances of entire industries, particularly given the challenge of newly-perimeterless workspaces. Despite the progress, there remains one persistent oversight. The web browser plays a vital role in innovation and communication; the almost-unlimited access it provides to the world wide web is a source of both cutting-edge research and deep-seated vulnerabilities.
One response to this is the virtual browser. Whereas a traditional setup runs the browser directly on the local device, a virtual browser isolates the browser in a virtual environment. From the end-user’s perspective, not much appears to have changed; their browsing habits remain unimpeded, and webpages load reliably. From an attacker’s perspective, however, malvertisements and browser-hosted payloads can no longer be dropped directly onto the user’s operating system (OS). This protective buffer is facilitated by the device’s own architecture. The simplest form of virtualization places a container around the active application. Any data created or changed by this application is not saved when the user exits, and is invisible to any OS component outside the sandbox.
Scaled up to a thousand-strong enterprise system, this isolated browsing environment may be shifted to a remote machine. This could look like a designated server within the enterprise, or take the cloud-based approach of a virtual desktop infrastructure environment. The implementation of this can be deeply complex, with tech teams having to juggle VDI infrastructure setup while battling to maintain online access for employees. Substantial client access licenses can weigh even heavier on annual budgets. Ultimately, though virtual browsers represent an impressive first step, a few key changes have since evolved browser protection solutions.
With web browsers still allowing secretive malware downloads, and data breach costs spiraling uncontrollably, virtual browsers can offer a number of key capabilities, each of which should be fine-tuned to fit your organization.
Virtual browsers offer protection by disrupting the traditional attack path used by malware. Typically, an end user device is authenticated, and assumed to be trusted by other devices within the same network. This assumed legitimacy means that a single malicious web server can disrupt departments, with collateral disruption that spreads from single user profiles to entire organizations.
Virtual browsers ringfence the browsing application. This means the app has no access to – nor even visibility of – the underlying OS and device. Instead, each instance of a user’s virtual browsing session is isolated and discarded after use.
Occasionally, web-based applications require a specific browser version to run properly. Without virtualization, an organization is forced to choose between abandoning the app and browsing on a deeply vulnerable system. Virtual browsers, however, offer a safer, more secure way of interacting with web-hosted resources, while offering configuration options to mimic the older browser. This outdated browser no longer needs to be run on the machine, helping further defend against legacy web app vulnerabilities.
Just as a virtual browser can offer different versions of a browsing application, wholly new instances of different browsers are available at the press of a button. This can be vitally important to web developers that need to swiftly check the compatibility of their new site or app with all major browsers. With a virtual browser, their device no longer needs to be cluttered with – or handle the continuous patching of – Chrome, Edge, Explorer, Firefox, and more. Instead, one solution can be used to address any bugs, optimization and quirks across swathes of different user bases.
Browser virtualization offers a large degree of customization, with its various types spanning most enterprise configurations. The process of running a virtual machine for the browser can be split into two major architecture approaches. The first is the standalone application approach: the device’s hypervisor is first used to segment a portion of its overall processing power. This is used to set up a wholly separate virtual machine, which contains a full version of the OS and the browser application itself. This virtual machine offers a sanitized environment from which to browse. Some organizations choose the other major architecture – a virtual appliance. The same virtual machine structure is used, but with a focus on reproducing only the minimum amount of the OS needed to run the browser application alone.
These two approaches to virtual browsing can also be deployed in two different configurations. Local deployment sees the virtualization process occur on the end-user’s device, specifically when connecting to the enterprise’s network. Cloud deployment abstracts this to a third-party cloud server, making the virtual browser online; all web searches occur via this cloud virtual browser. Finally, the specific modes through which users interact with the browser can also range from anonymous to fully authenticated.
Anonymous browsing offers the same capabilities as a normal browser’s incognito mode. With this approach, the temporary nature of virtual browsing sessions is reflected in each user profile. Cookies, browsing history, and settings are all temporary, with each session renewing and discarding each element. Authenticated browsing offers a slightly more user-friendly experience, as browsing is tailored to each user’s account. This saves cookies and histories between browsing sessions, and may provide greater productivity benefits.
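The profile lifecycle of the two modes above, as an added shell example (not LayerX code or any vendor's implementation). `run_session`, `PROFILE_STORE` and `fake_browser` are hypothetical names, and `fake_browser` stands in for a real browser binary.

```shell
#!/bin/sh
# Added example: profile handling for anonymous vs authenticated sessions.
# All names here are hypothetical; a real launcher would hand the directory
# to the browser (Chromium, for instance, takes --user-data-dir=<path>).

PROFILE_STORE="${PROFILE_STORE:-${TMPDIR:-/tmp}/vb-profiles}"

# run_session MODE USER CMD [ARGS...]
# Runs CMD with BROWSER_PROFILE set; leaves the path used in LAST_PROFILE.
run_session() {
    mode=$1; user=$2; shift 2
    case $mode in
        anonymous)
            # Fresh, unpredictable directory for every session.
            LAST_PROFILE=$(mktemp -d "${TMPDIR:-/tmp}/vb-anon.XXXXXX") || return 1
            ;;
        authenticated)
            # Refuse ids that could escape the store (e.g. "../other").
            case $user in
                ''|*[!A-Za-z0-9_-]*) echo "invalid user id" >&2; return 2 ;;
            esac
            LAST_PROFILE=$PROFILE_STORE/$user
            mkdir -p "$LAST_PROFILE" || return 1
            ;;
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac
    chmod 700 "$LAST_PROFILE"    # cookies and history are readable by owner only

    # Subshell: the browser's environment never leaks back into the launcher.
    rc=0
    ( BROWSER_PROFILE=$LAST_PROFILE; export BROWSER_PROFILE; "$@" ) || rc=$?

    # Anonymous state is discarded even when the browser crashed or failed.
    if [ "$mode" = anonymous ]; then
        rm -rf -- "$LAST_PROFILE"
    fi
    return "$rc"
}

# Stand-in for the browser: records one "cookie" per launch.
fake_browser() { echo "session=$1" >> "$BROWSER_PROFILE/cookies.txt"; }
```

Calling `run_session anonymous "" fake_browser a` leaves nothing on disk afterwards, while repeated `run_session authenticated alice fake_browser …` calls accumulate state under `$PROFILE_STORE/alice`.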
Despite the advantages offered by virtual browsers, there are a few major weaknesses that undermine the solution’s ability to bust browser security flaws.
Virtual browsers only isolate websites and the content served up within. End-user devices remain at risk from whole hosts of other web app vulnerabilities, alongside untrusted files sent through to their email inbox. To address this, virtual browsers can be implemented in tandem with other email and download security solutions, though such an approach can result in greatly overcomplicated tech stacks that rapidly spiral out of manageable scale.
Damaged User Experience
Alongside patchy protection, virtual browsers also diminish the user experience. This is commonly a larger issue with cloud-based virtual web browsers thanks to the extra steps taken in connecting users to the web. Data packets must now travel significantly further, and an already-weak broadband connection can really struggle. This is amplified when employees require real-time video streaming on work calls; the lag can sometimes be so disruptive that employees must make the lose-lose choice between productivity and security.
Introducing New Vulnerabilities
Finally, virtual browsers can be the cause of brand-new security flaws. In theory, it is impossible for malware to jump from a virtual machine to the host’s own device. Unfortunately, this theory naively assumes the virtual machine’s hypervisor program is immune to all software bugs. The last year has seen swathes of exploits showing the contrary, such as those affecting VMware’s ESXi hypervisor, which contains flaws that could compromise not just the host drive, but any other machine running on the server. For cloud-based browsers, traffic also becomes more difficult to monitor, because these browsers store sensitive information outside the enterprise itself. Depending on where the cloud provider is based, this can even have ramifications for regulatory compliance.
Virtual browsers are similar in appearance to the remote web browser; both aim to separate an end-user’s device from the public internet’s untrusted servers. Virtual browsers operate on virtual machines, which are essentially wholly separate machines operating off one device’s resources. Remote web browsers, on the other hand, offer cloud-based containers – when in use, the end-user’s device simply relays a stream of visual data to and from its allocated container. Whereas virtual browsers reconstruct the entire interactable browsing platform, remote browser isolation (RBI) runs the code on third-party cloud servers, only producing a graphical representation of the user’s behavior.
The lower technical intensity of remote web browsing makes it an inherently more scalable and flexible approach to safe browsing. Virtual browsers require significant startup times, with heavy processes bloating wait time. While RBI represents some key advantages over virtual browsing, the next era of browser security evolution is here.
LayerX offers a cohesive, user-first security platform in the form of a lightweight browser extension. The deep granularity offered by this endpoint approach lends higher visibility to browser security than ever before – see every event, action, and threat. Real-time user and website behavior is fed into the Plexus Engine, which combines traditional attack recognition with cutting-edge intel for real-time threat analysis. This analysis returns to the extension, where enforcer scripts neutralize any intended browser attack with no impact on the end-user experience.
Finally, see all event analysis in the management console. Fuel enterprise-wide policies in response to on-the-ground intel, and take the leap toward tomorrow’s web browser security.