- Role-based, attribute-based, & just-in-time access to infrastructure
- Connect any person or service to any infrastructure, anywhere
- Logging like you've never seen
In this article, we take a deep dive into Remote Browser Isolation (RBI), its history, and how it works. You'll learn about the common challenges associated with remote browser isolation and its importance in securing users from internet-based cyber threats. By the end of this article, you'll gain a complete understanding of remote browser isolation, as well as how it can be used to complement a Zero Trust framework.
What is Remote Browser Isolation?
Remote Browser Isolation (RBI) is an online security solution that protects users and endpoints from internet-based malware attacks by using a separate remote server to host web sessions.
Rather than the user accessing web content directly on the endpoint session, RBI creates a separate, contained environment hosted in a cloud service where they receive and navigate a visual web page stream—preventing active malware from causing harm.
History of Remote Browser Isolation
The strategy of isolated browsing, networks, servers, applications, and devices to prevent or maintain the effects of a cyber attack has been around for decades. It wasn't until 2010, however, that the first official browser isolation technology platform was developed, commercialized, and adopted by the National Nuclear Security Administration. The service gave government employees a secure internet surfing method through machine virtualization.
Significant development took place in 2018, when the Defense Information Systems Agency (DISA), the IT department within the Department of Defense (DoD), issued a request for information (RFI) regarding cloud-based internet isolation—the exact function of RBI. They had been interested in solutions for reducing the network security risks that come with employees browsing the web or rerouting to a malicious website through phishing emails.
While increasing in popularity, only 25% of enterprises have adopted remote browser isolation technology as of 2022.
Importance of Remote Browser Isolation
Without RBI, organizations and their users must rely primarily on traditional security controls such as antivirus and consistent software patching and updates to protect their endpoints. Both methods must identify the threats or vulnerabilities before the solution works, so they are susceptible to the unknown. RBI offers a solution to this problem.
For instance, antivirus solutions scan downloaded files and websites but will only detect and remove known malware that’s been identified and programmed into the tool. Alternatively, patching and updating applications, operating systems, and internet browsers assumes there are confirmed vulnerabilities or zero-day security flaws that cybercriminals can exploit.
Remote browser isolation does not require these levels of intelligence. It can block known and unknown internet-based malware and zero-day attacks because users directly avoid malicious web content with a remote browsing session in the cloud. This makes RBI crucial to creating a secure web gateway (SWG)—a key component of maintaining the Secure Access Service Edge (SASE) model.
Remote work demands secure remote browsing
As many employees now work from home, they aren't using typical methods to access their growing number of corporate resources and data. Instead of on-premise access to local private networks, much of their productivity applications and databases are in the cloud—accessible through the internet but vulnerable to bad actors. This heavy and relatively new reliance on web browsing alone requires up-to-date endpoint security tools, such as RBI.
Challenges of Remote Browser Isolation
While RBI takes a logical and proactive approach to secure endpoints, there are some significant computing and user experience drawbacks to consider before investing:
Slower Processing Speeds
Latency is a significant issue for a solid user experience. Users should expect high lag times and slow pixel loading speeds with the computing requirements needed to divert a web page to a remote server and then securely back to the endpoint.
Limited Website Support
While great for securely accessing simple web pages, RBI may not be suitable for complex websites. During pixel reconstruction and the rerouting back to the endpoint, the web page content could be incomplete or broken.
RBI essentially streams visual pixels of web pages to an endpoint. Streaming requires tons of bandwidth and processing power that can engulf an unsuitable infrastructure with slow speeds or even entire system shutdowns.
In addition to general technology challenges, RBI creates a significant financial burden for implementing and scaling the solution across an organization. Rerouting web traffic to remote cloud servers and pushing encrypted pixels to an endpoint demands lots of computing power and infrastructure reconfigurations. Those IT revamping projects are resource-intensive and extremely costly.
How Does Remote Browser Isolation Work?
RBI is a specific type of browser isolation that uses a third-party cloud provider or additional corporate server to separate an endpoint from the browser. Once activated, a user's web session gets processed in a sandboxed environment within the cloud. During that time, the website is scanned, evaluated for potentially harmful content, and rerouted back to the endpoint device.
From there, the user can enter keyboard and mouse requests through an encrypted channel and navigate the website as usual. All of the content on the page is viewable to the users through one of two visualization methods:
- Pixel Reconstruction: The pixels are directly transmitted and pushed from the remote browser to the endpoint as displayed live images. Because it only streams visuals, no actual code gets processed on the endpoint.
- Document Object Model (DOM) Mirroring: The web page and its malicious code get filtered and cleaned before being transmitted back to the user's device as a regular browsing session. This approach is significantly faster because it does not stream images back to the endpoint. However, it can be risky if certain content isn't detected and removed.
Both visualization approaches avoid running malicious website code directly on a device. One ensures that no code reaches it by only streaming images, and the other scans and filters out what it considers dangerous content before allowing the browsing session to occur.
Types of Remote Browser Isolation
Depending on the scope of the web isolation and specific resource, businesses can deploy different types of RBI solutions to mitigate cyber risks:
- Remote Browser Isolation for Unauthorized Access Control: RBI is activated anytime an unknown user accesses an application or database—letting them only view the data and not alter it.
- Document-Based Remote Browser Isolation: Any documents downloaded from the internet prompt RBI activation for view privileges only.
- Remote Browser Isolation for Email Links: Used to protect from email-based attacks such as phishing scams. Activates RBI only when an email has embedded web links in which "view-only" gets prompted.
- Comprehensive Remote Browser Isolation: Assumes all websites are risky—employing RBI for all web sessions.
- Website-Targeted Remote Browser Isolation: Activates specifically when a user navigates to unknown pages or websites deemed risk using disposable sandbox environments for each session.
Browser Isolation vs. Remote Browser Isolation
RBI is a specific category of browser isolation that assumes the sandboxed environment managing the browser session runs on a cloud-based server. Businesses, however, could use other methods and technology to isolate their endpoints from web-browsing sessions.
For example, client-side browser isolation will run the website in an ordinary browsing session but isolate the operating system in a virtual environment to protect the endpoint. There's also on-premises browser isolation which works similarly to RBI. The main difference is that the session is processed and hosted on an internal server located in a local network rather than the cloud.
Remote Browser Isolation and Zero Trust
Like Zero Trust Architecture, remote browser isolation solves the security challenges from an undefined network perimeter where many employee users access network resources remotely through the internet. More internet usage means more browsing activity and a higher risk of malware on web pages.
In that sense, RBI is a core element of Zero Trust security that applies the "never trust, always verify" approach and network segmentation principles to internet browsing. RBI assumes all users are negligent or malicious and the websites they use are dangerous. The assumption prompts the activation of remote sessions on a separate server—protecting the endpoints while simultaneously keeping incidents separated from other parts of the corporate network.
How StrongDM Facilitates Remote Browser Isolation
StrongDM’s People-First Access Platform enables organizations to simultaneously adopt Zero Trust and SASE, while giving employees easy access to the devices, applications, and data they need to do their jobs. The solution helps administrators maintain an SWG for users and supports Amazon Web Services (AWS), Azure, and Google Cloud Platform (GCP)—allowing firms to run RBI sessions on the cloud environment of their choice.
StrongDM combines an extensive ecosystem of integration options, easy deployment, and a user-friendly interface into one holistic IAM solution. For these reasons, our platform is one of the top alternatives to Cloudflare and other Zero Trust Network Access (ZTNA) management and browser isolation vendors.
Start Your Browser Isolation Journey with StrongDM
Remote Browser Isolation protects endpoints from internet-based malware and zero-day attacks. By accessing web pages through a secure cloud server and rerouting the content back to the device as streamed pixels or filtered sessions, users can avoid direct interaction with malicious content and isolate themselves from online threats.
Learn more about how StrongDM's IAM platform enables businesses to incorporate web browser isolation into their cybersecurity program to protect their most valued data. Schedule a demo today.
About the Author
Schuyler Brown, Co-founder / CCO, began working with startups as one of the first employees at Cross Commerce Media. Since then, he has worked at the venture capital firms DFJ Gotham and High Peaks Venture Partners. He is also the host of Founders@Fail and author of Inc.com's "Failing Forward" column, where he interviews veteran entrepreneurs about the bumps, bruises, and reality of life in the startup trenches. His leadership philosophy: be humble enough to realize you don’t know everything and curious enough to want to learn more. He holds a B.A. and M.B.A. from Columbia University. To contact Schuyler, visit him on LinkedIn.