Secure Browsing

Close the Security-Usability Gap with the Right RBI Solution

We’ve all been there before: There’s a promising new solution that can potentially improve your company’s security posture in a significant way. You bring it on board… and the trouble begins. Users complain that it interferes with their work. They look for ways to circumvent the new protections in the name of productivity, and too often find them.

Your helpdesk team is flooded with calls, which kills their productivity, too. You turn to the vendor, who tweaks settings and adds updates. And in the end, the security-usability gap is too great and the solution is mothballed.

Remote Browser Isolation Solutions Are Not All Created Equal

Since the debut of the first remote browser isolation solutions nearly a decade ago, too many remote browser isolation (RBI) solutions followed the pattern above. Today, however, RBI technology is fully mature. However, while some solutions use modern approaches that are so transparent that users can forget they are there, too many vendors are still selling 1st gen solutions based on cludgy, user-unfriendly technology.

If you’re considering RBI for your organization—as recommended by CISA and other cybersecurity experts–a quick look under the hood of competing RBI products can reveal some dramatic differences and help you choose wisely. Other differences are so clear that they’re plainly visible to any user, even without touching the hood.

In order to maximize user acceptance as well as protection from ransomware, phishing and zero-day exploits, savvy web security practitioners should be aware of all of these differences and take them into account when choosing which RBI platform to adopt.

RBI Basics

Before we get to differences in RBI solutions, let’s take a look at the technology principles that virtually all of them share. Network-based RBI solutions…

  • Spin up a virtual browser in an isolated container in the cloud or on a remote server
  • Execute websites that users navigate to in the virtual browser
  • Send only safe rendering information to the user’s device
  • Destroy the isolated container when the user stops browsing, along with the virtual browser and all website content within

So far, so good. But start digging into the details, and numerous questions arise:

Exactly where is the safe rendering info sent? A native browser on the user’s device like Google Chrome or Microsoft Edge? If not, what kind of browser? Does browsing feel “normal” to users?

Does the website’s “detour” through the isolated container result in a lag that users would notice?

Can users interact with websites like they usually do, or is some interactivity sacrificed? 

Do videos work? Audio? What about downloads? Can online conferencing like Zoom and Webex be isolated for secure virtual meetings?

Doesn’t this process take a ton of resources?

These are details that, depending on how well a solution is architected, determine whether your remote browser isolation roll-out will be successful or a time-wasting failure.

A Detailed Comparison: Ericom RBI vs 1st Gen Solutions

Let’s take a look at how 1st generation RBI solutions handle some of the details listed above and how Ericom RBI’s Next Generation solution handles them, starting with factors that are apparent to the naked eye of a user.

Birds Nest. Browsers Should Not.

For well over a decade, the browsing experience has been fairly stable. That means that today’s internet users have well-entrenched expectations when they open a browser: Tabs at the top for simultaneously browsing multiple sites, address bar below them, and for most, an increasingly clean “frame” with minimal clutter.

That experience is just what they get with Ericom RBI. Users browse with their usual browser(s), just as they always do, for a totally natural experience. Not much to say here, other than that we keep things normal.

In contrast, 1st Gen approaches to browser isolation use what’s sometimes referred to as a “browser in browser” or a “nested browser”, and otherwise could be referred to as just plain confusing. Users browse to an RBI solution provider URL in a tab of their usual browser, opening a site that has another browser nested within, complete with address bar and tabs. To browse, users are expected to enter URLs in the embedded browser, but if they (reasonably, in our opinion) open a new tab on the outer “nested” browser, then another embedded browser opens within that tab. Sound confusing? We think so, too.

Ericom RBI automatically protects all sessions, on any and all browsers a user runs. In contrast, other solutions require each type of browser to be configured independently by IT and Security teams, leading some organizations to restrict users to only one type of browser (which can lead to a lot of user community frustration and push-back).

The User Browsing Experience

Ericom RBI leverages mature, award-winning technology (including this year’s SC Awards Europe) that provides multiple browsing modes (more on this later) to maximize performance while protecting users and enterprises from threats. As a result, latency is extremely low, so even HD video and audio play smoothly and on-page navigation is seamless and precise.

Users of 1st Gen RBI solutions describe a disappointing experience that is “not enterprise class.” They report improper page rendering, issues with scrolling, bursty video and audio that stutters and jumps as it streams, and cursor navigation that lags physical mouse moves, making for a frustrating browsing experience.

A Word About Rendering Modes: The Technology that Drives User Experience

Many of the user experience issues mentioned above are due to differences in the rendering modes used in the various RBI solutions. In simple terms, rendering modes that act more intensively on a webpage in the remote browser are more likely to break elements of the page in the process, degrading performance and user experience.

First gen RBI solutions generally rely solely on an intensive rendering mode that is likely to cause issues with sites, especially sites with media elements like video and audio streaming. In contrast, Ericom RBI leverages a variety of rendering modes, applying the most intensive to the riskiest content and less intensive modes to content that poses less of a risk. The result is strong security from web-borne threats, combined with a browsing experience that won’t alienate users—if they even notice that RBI has been applied at all.

Not Just Browsing Protection: File Downloads and Printing

Additional capabilities provided by browsers – downloading attachments and printing from sites—are both essential for users and sources of risk. On the one hand, users depend on document downloads and printing for tasks ranging from accounting, research, order fulfillment and much, much more. On the other, document downloads to endpoints or printers are a key vector for malware and potential data loss.

Let’s have a look at how RBI solutions address these functions—or do not.

Advanced content disarm and reconstruction (CDR) capabilities that are integrated in Ericom RBI, sanitize attachments of any malware in the isolated container, before they are downloaded to user devices with all benign functionality intact. Documents are similarly sanitized before being downloaded for printing to protect end user devices. Printing can also be disabled by admins to address concerns about exfiltration of sensitive data.

Earlier generation RBI solutions do not include CDR. As a result, document downloads are either entirely blocked or passed through along with any malware within—causing user frustration and interfering with work in the first case, and opening organizations to significant risk in the latter. To print from websites, content must first be downloaded, exposing organizations to the same risk as attachments with RBI solutions that lack CDR.

Phishing Protection

All RBI solutions worthy of the name will protect endpoints from phishing sites that download ransomware, downloaders or other malware when an infected site is opened. But what about possible phishing sites that might trick users into entering credentials… but might rather be legitimate sites?

Ericom automatically opens suspected phishing sites in read-only mode so that users can get to site that they may possibly need, but are also protected from credential theft. In contrast, 1st gen RBI solutions offer only binary options for suspicious sites: Open as fully interactive or entirely block. Of course, attachments can be sanitized using the CDR technology described earlier, removing any malware from weaponized files prior to delivery to user devices.

Virtual Meeting Isolation

RBI solutions that fail to consistently stream video and audio content do not stand a chance of meeting the rigorous requirements for isolating virtual meetings. And beyond performance, the RBI technology needs to be capable of supporting key collaboration elements, like screen sharing, microphone use, and video-camera use in applications like Zoom, Teams, and Webex. No RBI solutions were able to support these elements until Ericom announced its patent-pending Virtual Meeting Isolation earlier this year. For organizations that do not permit installation of virtual meeting client apps because of security concerns with agents, Ericom Virtual Meeting Isolation is the only RBI solution available to secure the web portal approach of leading virtual meeting solutions.

Conclusion

Remote Browser Isolation solutions are emphatically not all created equal, and the differences have significant impact on the protections they provide, the user experience and ultimately, the likelihood of long-term success.

Want to know more about how to assess the solutions you’re considering? We’re happy to give you some pointers – just drop us a line!

Nigel Willis
Group CTO for EMEA | Ericom Software