Embedded browser security features can be highly effective against cyber-risk – but they also create new trade-offs to navigate
Among the three pillars of cyber-security – technology, processes and people – the human factor is seen by many as the weakest link. In contrast, another school of cyber-security thought argues that humans can only present these vulnerabilities where technology leaves gaps in cyber-defences.
Although a technological silver bullet for preventing employees from falling victim to identity theft, phishing or other forms of social engineering hasn’t been developed yet, we have already seen the emergence of a number of tools that aim to turn exposed enterprise systems into walled gardens with a sentry at the gates.
Networks, devices and browsers – where should the first line of defence be?
In the 2000s, as internet adoption rose sharply and businesses increasingly gained a foothold in the digital realm, cyber-threats became more real. As a result, VPNs (virtual private networks) took centre stage, tunnelling traffic securely to enterprise resources, servers and databases.
When Covid hit in 2020, leading to an increase in workers accessing enterprise systems from private laptops and often unprotected networks, IT departments could initially fall back on VPNs to stave off as many of the intensifying cyber-attacks as possible.
However, it soon became evident that VPNs aren’t suited to securing BYOD and remote work arrangements. Where VPNs fall short is that they operate purely as encrypted tunnels, preventing outsiders from breaching the company network and exfiltrating information, but performing no security checks on the data that does enter the network.
Furthermore, while VPNs have integrated user authentication features, they are not designed to carry out any other form of access management. This thwarts, for example, the application of the principle of least privilege, under which a user has access only to the enterprise resources necessary for completing a specific task.
Enterprise browsers
One of the main themes on the keynote stage of Infosecurity Europe 2024 was enterprise browsers, the latest toolkit for protecting enterprise systems – this time, at the browser level.
Enterprise browsers pitch themselves as a more secure, user-friendly means of implementing VDI (virtual desktop infrastructure, a type of desktop virtualisation technology), a security solution that has seen wider adoption since the shortcomings of VPNs became evident.
In a VDI, the desktop operating system runs and is managed in the cloud, which shields end-devices from all kinds of cyber-threat.
The virtual desktop image in the cloud is then delivered to the device of the employee, who can carry out tasks and access enterprise applications and services as if these were running locally – with some caveats.
Log-in delays, session interruptions and inconsistent performance are the potential bugbears in the VDI user experience that enterprise browsers undertake to improve, leveraging the fact that they aren’t cloud-based.
Some enterprise browser providers even go as far as to tout their products as a solution that has all the value of VDI without the above-mentioned trade-offs. And thanks to being installed locally, enterprise browsers don’t require any of the virtualisation or network routing that VDIs do.
How can an enterprise browser change the employee experience?
Enterprise browsers with a contextual awareness of identity, device, application and geolocation can be rather flexible regarding their logging and audit features.
Relying on these capabilities, the enterprise browser can flexibly jump from deep audit mode for managing critical company data to anonymised but audited logging to a complete user-privacy setting.
At its most stringent, it can enable security teams to fully control basic functions such as copy/paste, download, upload and screenshot capture.
This has the potential to liberate employees from the anxiety and pressure that cyber-security training and phishing exercises create by removing the sword hanging over their heads, especially in working environments where three strikes for cyber-security missteps can lead to dismissal.
The deep-audit capability can intervene to block mouse clicks, screenshots or keystrokes before ill-judged user behaviour takes place, and so serve as a highly effective tool for data loss prevention.
Nevertheless, the trade-off between security and user experience that enterprise browsers eliminate could re-emerge as a security-versus-privacy issue. In an interview, Brian Kenyon, Chief Strategy Officer of Island, admits that privacy expectations in the US and in EMEA countries are strikingly different.
While in the US employees, says Kenyon, “don’t have an expectation of privacy” when they work on company laptops and networks, in Europe workers’ rights and privacy rights are much stricter.
Therefore, in each individual enterprise browser deployment, it falls on the employer and the company’s privacy policy to strike the right balance between protecting the corporate network and offering the workforce a level of privacy it is still comfortable with.
To keep employees’ trust, transparency at all times about how closely they are being inspected is paramount. Solutions such as an always-on awareness indicator in the URL bar are instrumental in preventing workers from seeing these security and productivity tools as a form of surveillance.
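The contextual controls and the three logging modes described above, together with an always-on awareness indicator, as an added illustration that is not code from the article or from any enterprise browser vendor. The rule format, field names (app_class, region, device_managed), the rule ordering and the pseudonymisation salt are all assumptions made for this example.

```python
"""Added example: a toy context-aware policy evaluator for an enterprise browser.
Not vendor code; every rule and field name below is a constructed assumption."""
import hashlib
from dataclasses import dataclass
from typing import Optional

# The three logging modes the article describes.
DEEP, ANON, PRIVATE = "deep_audit", "anonymised", "private"
ACTIONS = ("copy_paste", "download", "upload", "screenshot")
PSEUDONYM_SALT = "constructed-salt-rotate-in-practice"  # assumption, not a real secret

@dataclass
class Rule:
    match: dict        # every key/value here must equal the session context
    audit: str         # DEEP, ANON or PRIVATE
    deny: tuple = ()   # actions the browser blocks while this rule applies

# Constructed rules, most specific first; the empty match is the catch-all.
RULES = [
    Rule({"app_class": "critical"}, DEEP, ACTIONS),                       # crown-jewel apps: full audit, no exfil paths
    Rule({"app_class": "corporate", "device_managed": False}, DEEP, ("download", "upload")),  # BYOD
    Rule({"app_class": "corporate", "region": "EU"}, ANON),               # EU staff: audited but pseudonymised
    Rule({"app_class": "corporate"}, DEEP),
    Rule({}, PRIVATE),                                                    # personal browsing: nothing logged
]

def evaluate(context: dict) -> Rule:
    """Return the first rule whose match fields all equal the context."""
    return next(r for r in RULES if all(context.get(k) == v for k, v in r.match.items()))

def indicator(context: dict) -> str:
    """Text for the always-on URL-bar indicator, so the user always knows the mode."""
    return {DEEP: "Audited (full)", ANON: "Audited (anonymised)", PRIVATE: "Private"}[evaluate(context).audit]

def log_event(context: dict, action: str) -> Optional[dict]:
    """Decide whether `action` is allowed and build the audit record, if any."""
    rule = evaluate(context)
    allowed = action not in rule.deny
    if rule.audit == PRIVATE:
        return None                       # full-privacy mode: no record at all
    user = context["user"]
    if rule.audit == ANON:
        # Stable pseudonym: sessions can be correlated without naming the person.
        user = hashlib.sha256((PSEUDONYM_SALT + user).encode()).hexdigest()[:16]
    return {"user": user, "app": context.get("app"), "action": action,
            "allowed": allowed, "mode": rule.audit}
```

Blocking an action and logging it are kept in one decision so the record always reflects what the user actually saw.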
As long as monitoring and auditing take place in a transparent manner, enterprise browsers could become the tool of choice for protecting company networks, as well as for liberating employees from the stress of continuous cyber-vigilance, a burden far too many of them still struggle with.
© 2024, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543