What Is Browser Isolation? Definition, Technology Components, and Vendors

Browser isolation is defined as a cybersecurity tactic that raises a near-impregnable barrier between a user’s internet activity and the larger computing environment in which they are operating. As malicious elements can’t get in or out, the risk of an attack is significantly reduced. This article explains browser isolation, its technological components and top five software vendors for 2021. 

Table of Contents:

• • What Is Browser Isolation?
  • 8 Components of a Browser Isolation System
  • Key Features of a Browser Isolation Software
  • Top 5 Browser Isolation Software Vendors in 2020-2021

What Is Browser Isolation? 

Browser isolation is defined as a cybersecurity tactic that raises a near-impregnable barrier between a user’s internet activity and the larger computing environment in which they are operating. This tactic is popular among enterprises that offer unrestricted web access to their employees but don’t want to compromise security. 

Browser isolation is similar to desktop virtualization, but in this case, you only stream the browser image instead of streaming the entire desktop. There are two types of browser isolation: 

1. Local isolation: In local isolation, the internet traffic reaches the user’s local infrastructure, where it is put in a sandbox or a virtual machine. The traffic passes through filtering and security policies so that the user views only safe data. Even if an unsafe element creeps in, as, in the case of zero-day attacks, the impact will be contained within the sandbox or virtual machine. Local browser isolation is a traditional isolation method, where an enterprise installs the entire topography on a user’s system.
2. Remote isolation: Remote browser isolation prevents internet traffic from getting anywhere near the user’s system. In remote isolation, filtering, sandboxing, and threat analysis occur on a remote server, either on a public or a private cloud. The user’s system remains free of online activity — the browsing session is hosted on a remote server and streamed to the user in real-time, simulating an on-premise browsing experience. 

In real isolation scenarios, the user doesn’t access any web content at all. In fact, a user cannot download or transfer online content to a local device in any way. A modified tactic called document object model (DOM) mirroring filters out unsafe elements so that they aren’t visible to the end-user. It allows some content to be routed in its original form. 

Remote browser isolation is increasingly gaining popularity due to the following advantages: 

• Saves client’s resources: Browser isolation consumes many resources in whichever environment you choose to host it. And understandably so. You need sufficient memory to create a temporary container for storing online data and dynamic activity footprints. You also need robust computing resources to process the data in real-time, analyze safe elements, create a live stream for the end-user, and support incoming traffic as well. Remote browser isolation lets you offload these resource requirements from the end-user client’s computer to a more powerful and often more cost-effective cloud environment.
• Enables greater security: Remote browser isolation on the cloud is highly secure. With on-premise systems, you only relocate the risk from the end user’s system to a server connected to your enterprise network. Let’s say a WFH newspaper journalist is accessing possibly malicious websites as part of their research work. A local isolation system will host the browsing activity in the newspaper’s headquarters, streaming the browser image to the employee’s home computer. In case of a web-based attack, the computer will remain safe, but the employer’s on-premise systems could be compromised. Remote browser isolation can address this by moving the hosting environment to a third-party cloud.
• Simplifies IT controls: It is easier for IT to implement bulk policies and configure browser isolation settings if multiple systems are hosted in a centralized cloud environment. IT teams can also remotely deploy compliance policies, setting up organization-specific traffic flows. In a modern enterprise environment, fully local browser isolation may not be feasible at scale because it means that the IT department must set up separate virtualization machines for each computing system. 

For these three reasons, the term browser isolation has become almost synonymous with remote browser isolation. 

Also Read: What Is Email Security? Definition, Benefits, Examples, and Best Practices

Why is browser isolation important?

A Gartner report published in 2018 found that cyberattacks were evolving at a rapid pace, and it was impossible to ensure “perfect prevention.” The report urged enterprises to assume compromise from the very outset and work towards isolating the attack. The report recommends implementing a browser isolation mechanism at the earliest, preferably one that doesn’t require a local agent. 

Companies are fast recognizing the risk that unsafe browsing experiences pose to the enterprise. Browser isolation is expected to be adopted by 25% of enterprises by 2022, according to the report. Essentially, a browser isolation solution lets you block threats without trying to detect a vulnerability, prevent an attack, or analyze malicious behavior. To achieve this, it uses eight key components. 

8 Components of a Browser Isolation System

A browser isolation system typically has eight components, forming a contained topography.

Components of a Browser Isolation System

1. Client: The end-user uses an interface called ‘the client’ to initiate a web request. The client can refer to an entity located on a desktop, a laptop, a smartphone, or any other computing device with an active internet connection and a functional browser. In a remote browser isolation system, the client is distinct from the hosting environment. But in a local system, the client and the isolation solution can co-exist on the same premises. 
2. Web security service: The web security service is an application that determines which traffic will be contained and how. Ready-to-use browser isolation solutions will come with a built-in web security service that can be configured as per your business needs. For example, you can choose to filter out traffic from certain websites completely, or you can display warnings or alerts if there is suspicious behavior. You can also block downloads conditionally. 
3. Threat isolation engine: This is an optional component that can selectively isolate online activity. In case you want to isolate some activity in a virtual environment while allowing others to pass as is, the threat isolation engine will come into action. It will run the requests it receives from the client in an isolated environment, as per your web security service configurations.
4. Secure and disposable container: A container is a standalone software unit that can run independently of its surrounding infrastructure. Typically, containerized software is used in cloud environments so that applications can be easily packaged for better portability. But there is one key difference here — software resides in non-disposable containers. The web security service initiates a secure and disposable container where the browser session can exist as a boxed-in package for browser isolation. Once the session ends, the container is duly dismantled.
5. Web socket: This is a secure channel through which data flows between the client and the web security service. The web socket is connected to the client in such a way that users can still interact with the browsers in real-time (scroll, type, etc.) without any loss in quality.
6.  Hosting environment: A hosting environment should ideally be a third-party cloud, where the entire browsing isolation solution (web security service, threat isolation engine, and container) can sit without ever touching the user’s local infrastructure. You could also host the solution on a private cloud, situated in an on-premise server or remotely. Finally, the hosting environment could be a virtual machine on the same system that houses the client – but this approach is the least secure of the three.
7. Public web: If the client is the destination for all traffic flowing through a browser isolation system, the public web is its origin. Once the client raises a request via its browser, the public web reads the request and initiates information transfer, just like in a regular browsing experience. But instead of relaying the information directly to the client, it directs it to the hosting environment, where it is passed through the browsing isolation solution.
8. Content: The content moving across a browser isolation system can be both malicious as well as harmless. In some cases, the user can view all content as the solution only isolates browsing activity but does not filter it. But some solutions provide an extra value add of content filtering, blocking any proved to be malicious. Here, users can interact only with safe or suspicious content in an isolated environment. 

These eight components make up the entire ecosystem in which browsing isolation operates. The ecosystem’s specifics can vary significantly depending on the solution you choose, remote or local, and the level. 

Also Read: Top 10 IT Intrusion Detection and Prevention Systems for 2021

Key Features of a Browser Isolation Software Configuration

Technically, it is possible to build all the components of a browser isolation system in-house and host it in an environment of your choice. However, this requires complex application development and cybersecurity skills and may not be suitable for scaling in the long term. That’s why browser isolation software is now a burgeoning market, valued at $1.8 billionOpens a new window as of 2019 and expected to cross $6.6 billion by 2027. 

This growth pace is faster than most other software categories, indicating a growing interest in ready-to-use software that can isolate browser activity. While various vendors provide differentiated offerings, all browser isolation software offerings are characterized by a few essential features: 

Features of a Browser Isolation Software

• Remote rendering: The software will fetch, execute, and render online content in a location away from the client — preferably away from the endpoint device itself. This ensures that external code doesn’t impact your local computing systems in any way, regardless of whether it is malicious or not.
• Drive-by download prevention: Drive-by downloads are a common attack type, where a user inadvertently downloads a malicious file into the system. These files may have clickbaity titles or might be executable files posing as legitimate documents. The software’s remote rendering techniques prevent users from downloading anything without obtaining approval.
• Email server support: Attacks like phishing or malicious attachments can turn the innocuous email into an attack vector. The browser isolation software should support a wide variety of web-based email servers like Gmail, Office 365, and Microsoft Exchange, among others, applying the requisite policies and rendering any embedded links as read-only content. This prevents users from being redirected to malicious websites through fraudulent links in a phishing email.
• Document protection: It is sometimes necessary to bypass the sandbox environment and download documents from the public internet to local systems for printing or archival, etc. The software should provide you with a safe way to do this, usually by transforming the original document into a safe and harmless format while retaining all the information.
• Policy-based controls: This feature lets you provision different web access policies based on the user role. For example, you might want to add a layer of security for new employees, preventing them from downloading any documents at all. Another department might need temporary download privileges to complete a task. Policy-based controls let you govern cybersecurity more pragmatically.
• Analytics: This is a crucial feature that sets leading platforms apart from laggards or in-house-built alternatives. The software should collect and collate browser activity data into informative reports, summarizing web access trends, malware site frequency, threat metrics, file metrics, etc. You can configure the software more optimally based on the analytics results.
• Web app management: Web apps like Office 365 let users stay productive by using a cloud-based alternative to a locally installed software tool. Browser isolation software should protect web app activity in addition to traditional browser activity. It can achieve this by continually analyzing web app traffic and dynamically isolating if a compromise is detected. 

In addition to this, vendors could add on unique features to stand out against competitors, such as advanced email security, ad blocking, deployment options, malware detection, etc. 

Also Read: What Is Real User Monitoring? Definition, Key Components, and Best Practices

Top 5 Browser Isolation Software Vendors in 2021

There are two kinds of software you can choose from — cybersecurity suites, including browser isolation, and standalone software vendors. For example, McAfee offers browser isolation as part of its Unified Cloud Edge solution suite. Proofpoint bundles it within its advanced threat protection offering. In this article, we will discuss five of the leading standalone software vendors that offer a dedicated browser isolation product.

Disclaimer: These listings are based on publicly available information and vendor websites. Readers are advised to conduct their own extended research on each software. The companies are listed alphabetically.

1. Apozy Airlock 

Overview – Apozy is a 2013 company that raised $2.2 million in 2019 to develop its native browser isolation product. Apozy Airlock is named among the best browser isolation software for 2020 by G2, with a rating of 4/5 on Capterra. 

Key features – Apozy Airlock comes with the following features: 

• • Dynamic threat protection against a database of 67.83 billion pages analyzing 12.20 trillion links per year
  • An ad blocker engine to filter malicious content, rendering ad-free pages to the end user’s client interface
  • Proxyless URL inspection to triage issues faster and eliminate false positives by as much as 100x times
  • Deployment in 53 seconds using the Google admin console, minimal configurations, and no need to install an agent 
  • Comprehensive protection across multiple channels, including popular web apps such as Slack, Jira, etc

USP – Airlock’s biggest advantage is its rapid deployment time which lets users quickly strengthen their cybersecurity posture with minimal IT intervention. Further, it can audit OAuth usage to detect if user credentials are at risk of being stolen. Airlock can also analyze browser extensions to remove any malicious plugins. 

Editorial comments – Apozy is among the few pure-play browser isolation software platforms out there, with a strong focus on G-suite activity protection. It is still in the startup stage but you can expect the offering to mature significantly over time. 

Pricing – Apozy Airlock starts at $3 per user for 1,001+ users in an enterprise. Pricing can go up to $10 per user, depending on the deployment numbers. 

Also Read: What Is Privileged Access Management (PAM)? Definition, Components and Best Practices

2. Authentic8 Silo Web Isolation Platform 

Overview – Authentic8 is a 2010 company specializing in web activity protection. It has two product variants, Silo for Research and Silo for Safe Access, both of which isolate browser activity in a remote sandboxed environment. 

Key features – Silo offers the following capabilities: 

• • The ability to conduct secure and anonymous research on the dark web 
  • Information capture, storage, and sharing within the sandbox environment 
  • Non-repudiable records of user’s online activity
  • Credential management for web apps 
  • Authenticated information storage in Silo, through SAML federation
  • Device-based access policies and privileges 

USP – Silo is a bleeding-edge software for secure online research, including browser fingerprint spoofing and language translation. 

Editorial comments – Silo’s numerous features can seem overwhelming at first, but its research and enterprise capabilities make it among the best browser isolation tools out there. 

Pricing – Silo is priced at $10 per user per month. 

3. CIGLOO Browser Isolation Management 

Overview – CIGLOO is a 2015 startup that offers browser isolation and security management for several productivity environments. It comes in both cloud-based and on-premise versions, using VMWare ESXi or Windows Hyper-V virtual appliances for the latter option. 

Key features – CIGLOO boasts of the following features: 

• • Partnership with Citrix to power a purpose-built browser isolation management solution for Citrix-based virtual workspaces
  • Remote secure browser through AWS Workspace, Microsoft Azure, or VCloud Air 
  • Full file sanitization before downloading online documents onto a local device 
  • Mail isolation when you click on any email link to avoid malicious URL interactions 
  • A powerful management console to provision corporate browsing policies based on user groups, location, browser compatibility, timeframe, etc 
  • Separates resource-intensive websites from mission-critical applications to maintain performance 

USP – CIGLOO’s documentation protection capabilities are particularly impressive. All downloads and uploads go through a remote isolated environment, where they are thoroughly sanitized before interacting with a local device. 

Editorial comments – Despite being relatively new, CIGLOO offers robust features that can meet most enterprise needs. For companies already using Citrix, this can be your go-to browser isolation solution. 

Pricing – Pricing starts at $20 per month per user.

Also Read: What Is Incident Response? Definition, Process, Lifecycle and Planning Best Practices

4. Menlo Security Isolation Platform 

Overview – Menlo Security’s patented isolation platform technology won it a staggering $75 million in investments in 2019. Since its inception in 2013, the company has held six funding rounds, which has powered its rise to the top of the browser isolation category as per G2. 

Key features – The Menlo Security Isolation Platform offers the following: 

• • Global elastic cloud, an always-on server cluster that enables 99.995% uptime for its cloud-based browser isolation functionalities 
  • Adaptive clientless rendering (ACR), a patented component of Menlo’s isolation architecture that selects the optimal encoding and transport mechanisms to deliver various content types
  • No agent installation required in the client system
  • Three security modules to protect against malware, documents/attachments, and phishing and credential theft
  • Can scale to thousands of users across locations via the cloud

USP – Menlo’s USP is undeniably its patented technology. ACR ensures that every content type is treated differently and delivered via the most optimal path so that the user experience remains extremely close to native. Further, Menlo’s Global Elastic Cloud is spread across eight data centers worldwide for superior performance in every geography. 

Editorial comments – This is among the most mature browser isolation software tools out there, ideal for large and globally-distributed enterprises. 

Pricing – Various sources have cited Melo’s price as around $150 per user 

5. Zscaler Cloud Browser Isolation 

Overview – In 2019, cybersecurity giant, Zscaler, acquired the browser isolation startup, Appsulate, to introduce its own browser isolation offering. 

Key features – Zscaler Cloud Browser Isolation comes with the following functionalities: 

• • Download, copy and paste prevention of data from web-based business applications
  • 100% security for traffic across both native browsers and cloud browser sessions
  • Simple configurations for deployment in mere minutes
  • Pixel streaming-based rendering to minimize risky interactions
  • Data exfiltration control to define user privileges on uploads, downloads, and clipboard sharing
  • Distributed across 150+ data centers worldwide 

USP – Appsulate’s powerful browser isolation software meets Zscaler’s expansive infrastructure to provide an advanced, enterprise-ready solution. Its USP is the 100% isolation tactic (rather than content disarm and reconstruction or CDR approaches that allow some interaction) to prevent any interaction at all. 

Editorial comments – If Authentic8 was all about empowering the user, Zscaler’s top priority is protecting the enterprise. It might offer slightly lower levels of interactivity but promises robust, reliable infrastructure. 

Pricing – Zscaler offers tailored pricing, depending on whether you deploy it as a standalone solution or integrate it with the company’s larger internet access security services. Its private access package for 50 users starts at $7,052 per annum.

In conclusion

As websites and web apps become central to our workflows, particularly in a post-coronavirus work-from-home world where so many of us rely on web-based communication, safe browsing is a must-have for cybersecurity. ResearchOpens a new window suggests that our use of web apps like Zoom, Slack, Teams, and Cisco Webex have grown 200%-600% this year, which has led to an enormous spike in malicious activity (sometimes as high as +1,350%). Browser isolation software acts as your defense against these threats, even as you empower end-users to stay productive, gain from publicly available resources, and engage in meaningful data exchange.

Do you agree that browser isolation will play a major role in cybersecurity in 2021? Comment below or let us know on FacebookOpens a new window , LinkedInOpens a new window , and TwitterOpens a new window . We would love to hear from you!