<img src="https://ws.zoominfo.com/pixel/6169bf9791429100154fc0a2" width="1" height="1" style="display: none;">

Curious about how StrongDM works? 🤔 Learn more here!

Search
Close icon
Search bar icon
Search
Close icon
Search bar icon
Blog / Security

What Is Remote Browser Isolation? RBI Explained

Schuyler Brown
by
Co-founder / CCO
StrongDM
5 min read
Last updated on: October 5, 2023
Get the Zero Trust eBook PDF PDF Get the Zero Trust eBook PDF
Found in: Security Secure Access Service Edge Zero Trust
StrongDM manages and audits access to infrastructure.
  • Role-based, attribute-based, & just-in-time access to infrastructure
  • Connect any person or service to any infrastructure, anywhere
  • Logging like you've never seen
Get a demo
What is Remote Browser Isolation?

In this article, we take a deep dive into Remote Browser Isolation (RBI), its history, and how it works. You'll learn about the common challenges associated with remote browser isolation and its importance in securing users from internet-based cyber threats. By the end of this article, you'll gain a complete understanding of remote browser isolation, as well as how it can be used to complement a Zero Trust framework.

What is Remote Browser Isolation?

Remote Browser Isolation (RBI) is an online security solution that protects users and endpoints from internet-based malware attacks by using a separate remote server to host web sessions.

Rather than the user accessing web content directly on the endpoint session, RBI creates a separate, contained environment hosted in a cloud service where they receive and navigate a visual web page stream—preventing active malware from causing harm.

History of Remote Browser Isolation

The strategy of isolated browsing, networks, servers, applications, and devices to prevent or maintain the effects of a cyber attack has been around for decades. It wasn't until 2010, however, that the first official browser isolation technology platform was developed, commercialized, and adopted by the National Nuclear Security Administration. The service gave government employees a secure internet surfing method through machine virtualization.

Significant development took place in 2018, when the Defense Information Systems Agency (DISA), the IT department within the Department of Defense (DoD), issued a request for information (RFI) regarding cloud-based internet isolation—the exact function of RBI. They had been interested in solutions for reducing the network security risks that come with employees browsing the web or rerouting to a malicious website through phishing emails.

While increasing in popularity, only 25% of enterprises have adopted remote browser isolation technology as of 2022.

Importance of Remote Browser Isolation

Without RBI, organizations and their users must rely primarily on traditional security controls such as antivirus and consistent software patching and updates to protect their endpoints. Both methods must identify the threats or vulnerabilities before the solution works, so they are susceptible to the unknown. RBI offers a solution to this problem.

For instance, antivirus solutions scan downloaded files and websites but will only detect and remove known malware that’s been identified and programmed into the tool. Alternatively, patching and updating applications, operating systems, and internet browsers assumes there are confirmed vulnerabilities or zero-day security flaws that cybercriminals can exploit.

Remote browser isolation does not require these levels of intelligence. It can block known and unknown internet-based malware and zero-day attacks because users directly avoid malicious web content with a remote browsing session in the cloud. This makes RBI crucial to creating a secure web gateway (SWG)—a key component of maintaining the Secure Access Service Edge (SASE) model.

Remote work demands secure remote browsing

As many employees now work from home, they aren't using typical methods to access their growing number of corporate resources and data. Instead of on-premise access to local private networks, much of their productivity applications and databases are in the cloud—accessible through the internet but vulnerable to bad actors. This heavy and relatively new reliance on web browsing alone requires up-to-date endpoint security tools, such as RBI.

Challenges of Remote Browser Isolation

While RBI takes a logical and proactive approach to secure endpoints, there are some significant computing and user experience drawbacks to consider before investing:

Slower Processing Speeds

Latency is a significant issue for a solid user experience. Users should expect high lag times and slow pixel loading speeds with the computing requirements needed to divert a web page to a remote server and then securely back to the endpoint.

Limited Website Support

While great for securely accessing simple web pages, RBI may not be suitable for complex websites. During pixel reconstruction and the rerouting back to the endpoint, the web page content could be incomplete or broken.

Infrastructure Stress

RBI essentially streams visual pixels of web pages to an endpoint. Streaming requires tons of bandwidth and processing power that can engulf an unsuitable infrastructure with slow speeds or even entire system shutdowns.

In addition to general technology challenges, RBI creates a significant financial burden for implementing and scaling the solution across an organization. Rerouting web traffic to remote cloud servers and pushing encrypted pixels to an endpoint demands lots of computing power and infrastructure reconfigurations. Those IT revamping projects are resource-intensive and extremely costly.

How Does Remote Browser Isolation Work?

RBI is a specific type of browser isolation that uses a third-party cloud provider or additional corporate server to separate an endpoint from the browser. Once activated, a user's web session gets processed in a sandboxed environment within the cloud. During that time, the website is scanned, evaluated for potentially harmful content, and rerouted back to the endpoint device.

From there, the user can enter keyboard and mouse requests through an encrypted channel and navigate the website as usual. All of the content on the page is viewable to the users through one of two visualization methods:

  • Pixel Reconstruction: The pixels are directly transmitted and pushed from the remote browser to the endpoint as displayed live images. Because it only streams visuals, no actual code gets processed on the endpoint.
  • Document Object Model (DOM) Mirroring: The web page and its malicious code get filtered and cleaned before being transmitted back to the user's device as a regular browsing session. This approach is significantly faster because it does not stream images back to the endpoint. However, it can be risky if certain content isn't detected and removed.

Both visualization approaches avoid running malicious website code directly on a device. One ensures that no code reaches it by only streaming images, and the other scans and filters out what it considers dangerous content before allowing the browsing session to occur.

Types of Remote Browser Isolation

Depending on the scope of the web isolation and specific resource, businesses can deploy different types of RBI solutions to mitigate cyber risks:

  • Remote Browser Isolation for Unauthorized Access Control: RBI is activated anytime an unknown user accesses an application or database—letting them only view the data and not alter it.
  • Document-Based Remote Browser Isolation: Any documents downloaded from the internet prompt RBI activation for view privileges only.
  • Remote Browser Isolation for Email Links: Used to protect from email-based attacks such as phishing scams. Activates RBI only when an email has embedded web links in which "view-only" gets prompted.
  • Comprehensive Remote Browser Isolation: Assumes all websites are risky—employing RBI for all web sessions.
  • Website-Targeted Remote Browser Isolation: Activates specifically when a user navigates to unknown pages or websites deemed risk using disposable sandbox environments for each session.

Browser Isolation vs. Remote Browser Isolation

RBI is a specific category of browser isolation that assumes the sandboxed environment managing the browser session runs on a cloud-based server. Businesses, however, could use other methods and technology to isolate their endpoints from web-browsing sessions.

For example, client-side browser isolation will run the website in an ordinary browsing session but isolate the operating system in a virtual environment to protect the endpoint. There's also on-premises browser isolation which works similarly to RBI. The main difference is that the session is processed and hosted on an internal server located in a local network rather than the cloud.

Remote Browser Isolation and Zero Trust

Like Zero Trust Architecture, remote browser isolation solves the security challenges from an undefined network perimeter where many employee users access network resources remotely through the internet. More internet usage means more browsing activity and a higher risk of malware on web pages.

In that sense, RBI is a core element of Zero Trust security that applies the "never trust, always verify" approach and network segmentation principles to internet browsing. RBI assumes all users are negligent or malicious and the websites they use are dangerous. The assumption prompts the activation of remote sessions on a separate server—protecting the endpoints while simultaneously keeping incidents separated from other parts of the corporate network.

How StrongDM Facilitates Remote Browser Isolation

StrongDM’s Dynamic Access Management (DAM) platform enables organizations to simultaneously adopt Zero Trust and SASE, while giving employees easy access to the devices, applications, and data they need to do their jobs. The solution helps administrators maintain an SWG for users and supports Amazon Web Services (AWS), Azure, and Google Cloud Platform (GCP)—allowing firms to run RBI sessions on the cloud environment of their choice.

StrongDM combines an extensive ecosystem of integration options, easy deployment, and a user-friendly interface into one holistic IAM solution. For these reasons, our platform is one of the top alternatives to Cloudflare and other Zero Trust Network Access (ZTNA) management and browser isolation vendors.

Start Your Browser Isolation Journey with StrongDM

Remote Browser Isolation protects endpoints from internet-based malware and zero-day attacks. By accessing web pages through a secure cloud server and rerouting the content back to the device as streamed pixels or filtered sessions, users can avoid direct interaction with malicious content and isolate themselves from online threats.

Learn more about how StrongDM's IAM platform enables businesses to incorporate web browser isolation into their cybersecurity program to protect their most valued data. Schedule a demo today.

About the Author

, Chairman of the Board, began working with startups as one of the first employees at Cross Commerce Media. Since then, he has worked at the venture capital firms DFJ Gotham and High Peaks Venture Partners. He is also the host of Founders@Fail and author of Inc.com's "Failing Forward" column, where he interviews veteran entrepreneurs about the bumps, bruises, and reality of life in the startup trenches. His leadership philosophy: be humble enough to realize you don’t know everything and curious enough to want to learn more. He holds a B.A. and M.B.A. from Columbia University. To contact Schuyler, visit him on LinkedIn.

StrongDM logo
💙 this post?
Then get all that StrongDM goodness, right in your inbox.

You May Also Like

Cybersecurity Audit: The Ultimate Guide
Cybersecurity Audit: The Ultimate Guide for 2024
A cybersecurity audit is a comprehensive assessment of your organization's information systems, networks, and processes that identify vulnerabilities and weaknesses that cybercriminals could exploit. The audit also evaluates the effectiveness of your security controls, policies, and procedures and determines if they align with industry best practices and compliance standards.
How StrongDM Simplifies NIS2 Compliance for EU Organizations
How StrongDM Simplifies NIS2 Compliance for EU Organizations
The NIS2 Directive establishes comprehensive cybersecurity legislation across the European Union. Building upon its predecessor, the Network and Information Security (NIS) Directive, the goal of NIS2 is to standardize cybersecurity practices among EU Member States. Much like the General Data Protection Regulation (GDPR), NIS2 seeks to unify strategies and actions throughout the EU to fortify digital infrastructure against the escalating threat of cyberattacks.
Top 9 Zero Trust Security Solutions
Top 9 Zero Trust Security Solutions in 2024
Zero trust is a security and authentication model that eliminates the assumption of trust and shifts the focus from a traditional security parameter, like a VPN or firewall, to the individual user. Nearly all (92 percent) cybersecurity professionals agree that it’s the best network security approach that exists. In this article, we’ll evaluate the top nine zero trust solutions and help you decide which is right for your organization.
Water Utilities Cybersecurity Guide: Challenges & Solution
Water Utilities Cybersecurity Guide: Challenges & Solution
StrongDM is working with the National Institute of Standards and Technology’s (NIST’s) National Cybersecurity Center of Excellence (NCCoE) on Cybersecurity for the Water and Wastewater Sector: A Practical Reference Design for Mitigating Cyber Risk in Water and Wastewater Systems. This effort provides a means to identify common scenarios among Water and Wastewaters Systems (WWS) sector participants, to develop reference cybersecurity architectures, and propose the utilization of existing commercially available products to mitigate and manage risk.
XZ Utils Backdoor Explained: How to Mitigate Risks
XZ Utils Backdoor Explained: How to Mitigate Risks
Last week, Red Hat issued a warning regarding a potential presence of a malicious backdoor in the widely utilized data compression software library XZ, which may affect instances of Fedora Linux 40 and the Fedora Rawhide developer distribution. CISA, or Cybersecurity & Infrastructure Security Agency, confirmed and issued an alert for the same CVE.