‘Browser Isolation’ Takes On Entrenched Web Threats

Few desktop and mobile applications are as heavily used as web browsers, yet browsers also introduce a slew of potential security exposures, no matter how carefully they’re locked down. Large organizations have relied on so-called “browser isolation” services to deal with this risk for years, but these tools are often slow and clunky. As a result, many companies only require them for the most sensitive work; otherwise, employees would search for workarounds. On Tuesday, the internet infrastructure firm Cloudflare is debuting its own version—a service aptly named Browser Isolation—that the company says is just as fast, and sometimes faster, than browsing without the protection.

Browsers, by definition, are an open door. Their job is to receive data from web servers and send back information. This means, though, that in addition to legitimate, benign web data, users can end up downloading malware or malicious attachments through a browser. And hackers can also find vulnerabilities in a browser’s own code and exploit them to attack targets. 

“The browser is the stuff of nightmares for chief information security officers,” says Cloudflare CEO Matthew Prince. “Inherently, every time it runs, the browser is downloading completely foreign code and running it on the device. Browsers do a good job of sandboxing and controlling the risk that’s there, but on an almost weekly basis you’re going to see some sort of vulnerability in one of the major browsers that’s allowing people to potentially break out of that sandbox.”

Browser isolation services like Cloudflare’s, which has been in beta testing since October, protect computers by running the browser in a controlled container away from your other services and data. That way, any shady code your browser unwittingly tries to execute isn’t actually running on your computer and can get flagged. That process, however, takes time: time to load pages remotely, beam them down to your computer somehow, and then deal with all the interactions involved in web browsing, like entering login credentials for a site or even simple user inputs like clicking and scrolling. It all introduces opportunities for lag, which is why many browser isolation services are so slow and buggy. 

Cloudflare’s service is part of a new generation of cloud services that aim to be more usable by smoothing out all that back and forth. In January 2020, the company acquired a small firm, S2 Systems, that Prince says had a different approach than most of the tools out there. Many services have approached the problem by loading a page in the isolated environment and then sending information about site components, or even every individual pixel color, to a user’s computer to display. But S2’s approach instead taps into the draw commands a browser sends to a computer’s GPU in a normal browsing situation. It captures these as a page loads in its cloud container and then transmits them to the user’s computer so the processor can essentially draw a recording of what the webpage looks like.

The idea is to watch a projection of your browsing in real time. With the stakes of web security so high, competitors have also felt the urgency to improve browser isolation in the hope of making the tools more appealing and ultimately more ubiquitous. 

“Despite high security spending, many organizations struggle with security incidents associated with the web browser,” says Matt Ashburn, a former CIA officer and National Security Council director who now heads strategic initiatives at the browser isolation company Authentic8. “As long as a two-way connection is allowed from a computer to the internet, advanced adversaries and criminals will find a way to remain successful.”

As has been the case with other security initiatives, though, Cloudflare has the scale to quickly promote new offerings to a massive customer base. Browser Isolation will be a simple add-on to the existing Cloudflare for Teams suite of services for enterprises.