<img src="https://ws.zoominfo.com/pixel/6169bf9791429100154fc0a2" width="1" height="1" style="display: none;">

Meet StrongDM in person at Oktane 2023! Book a meeting with us here.

What Is Remote Browser Isolation? RBI Explained

In this article, we take a deep dive into Remote Browser Isolation (RBI), its history, and how it works. You'll learn about the common challenges associated with remote browser isolation and its importance in securing users from internet-based cyber threats. By the end of this article, you'll gain a complete understanding of remote browser isolation, as well as how it can be used to complement a Zero Trust framework.

What is Remote Browser Isolation?

Remote Browser Isolation (RBI) is an online security solution that protects users and endpoints from internet-based malware attacks by using a separate remote server to host web sessions.

Rather than the user accessing web content directly on the endpoint session, RBI creates a separate, contained environment hosted in a cloud service where they receive and navigate a visual web page stream—preventing active malware from causing harm.

History of Remote Browser Isolation

The strategy of isolated browsing, networks, servers, applications, and devices to prevent or maintain the effects of a cyber attack has been around for decades. It wasn't until 2010, however, that the first official browser isolation technology platform was developed, commercialized, and adopted by the National Nuclear Security Administration. The service gave government employees a secure internet surfing method through machine virtualization.

Significant development took place in 2018, when the Defense Information Systems Agency (DISA), the IT department within the Department of Defense (DoD), issued a request for information (RFI) regarding cloud-based internet isolation—the exact function of RBI. They had been interested in solutions for reducing the network security risks that come with employees browsing the web or rerouting to a malicious website through phishing emails.

While increasing in popularity, only 25% of enterprises have adopted remote browser isolation technology as of 2022.

Importance of Remote Browser Isolation

Without RBI, organizations and their users must rely primarily on traditional security controls such as antivirus and consistent software patching and updates to protect their endpoints. Both methods must identify the threats or vulnerabilities before the solution works, so they are susceptible to the unknown. RBI offers a solution to this problem.

For instance, antivirus solutions scan downloaded files and websites but will only detect and remove known malware that’s been identified and programmed into the tool. Alternatively, patching and updating applications, operating systems, and internet browsers assumes there are confirmed vulnerabilities or zero-day security flaws that cybercriminals can exploit.

Remote browser isolation does not require these levels of intelligence. It can block known and unknown internet-based malware and zero-day attacks because users directly avoid malicious web content with a remote browsing session in the cloud. This makes RBI crucial to creating a secure web gateway (SWG)—a key component of maintaining the Secure Access Service Edge (SASE) model.

Remote work demands secure remote browsing

As many employees now work from home, they aren't using typical methods to access their growing number of corporate resources and data. Instead of on-premise access to local private networks, much of their productivity applications and databases are in the cloud—accessible through the internet but vulnerable to bad actors. This heavy and relatively new reliance on web browsing alone requires up-to-date endpoint security tools, such as RBI.

Challenges of Remote Browser Isolation

While RBI takes a logical and proactive approach to secure endpoints, there are some significant computing and user experience drawbacks to consider before investing:

Slower Processing Speeds

Latency is a significant issue for a solid user experience. Users should expect high lag times and slow pixel loading speeds with the computing requirements needed to divert a web page to a remote server and then securely back to the endpoint.

Limited Website Support

While great for securely accessing simple web pages, RBI may not be suitable for complex websites. During pixel reconstruction and the rerouting back to the endpoint, the web page content could be incomplete or broken.

Infrastructure Stress

RBI essentially streams visual pixels of web pages to an endpoint. Streaming requires tons of bandwidth and processing power that can engulf an unsuitable infrastructure with slow speeds or even entire system shutdowns.

In addition to general technology challenges, RBI creates a significant financial burden for implementing and scaling the solution across an organization. Rerouting web traffic to remote cloud servers and pushing encrypted pixels to an endpoint demands lots of computing power and infrastructure reconfigurations. Those IT revamping projects are resource-intensive and extremely costly.

How Does Remote Browser Isolation Work?

RBI is a specific type of browser isolation that uses a third-party cloud provider or additional corporate server to separate an endpoint from the browser. Once activated, a user's web session gets processed in a sandboxed environment within the cloud. During that time, the website is scanned, evaluated for potentially harmful content, and rerouted back to the endpoint device.

From there, the user can enter keyboard and mouse requests through an encrypted channel and navigate the website as usual. All of the content on the page is viewable to the users through one of two visualization methods:

  • Pixel Reconstruction: The pixels are directly transmitted and pushed from the remote browser to the endpoint as displayed live images. Because it only streams visuals, no actual code gets processed on the endpoint.
  • Document Object Model (DOM) Mirroring: The web page and its malicious code get filtered and cleaned before being transmitted back to the user's device as a regular browsing session. This approach is significantly faster because it does not stream images back to the endpoint. However, it can be risky if certain content isn't detected and removed.

Both visualization approaches avoid running malicious website code directly on a device. One ensures that no code reaches it by only streaming images, and the other scans and filters out what it considers dangerous content before allowing the browsing session to occur.

Types of Remote Browser Isolation

Depending on the scope of the web isolation and specific resource, businesses can deploy different types of RBI solutions to mitigate cyber risks:

  • Remote Browser Isolation for Unauthorized Access Control: RBI is activated anytime an unknown user accesses an application or database—letting them only view the data and not alter it.
  • Document-Based Remote Browser Isolation: Any documents downloaded from the internet prompt RBI activation for view privileges only.
  • Remote Browser Isolation for Email Links: Used to protect from email-based attacks such as phishing scams. Activates RBI only when an email has embedded web links in which "view-only" gets prompted.
  • Comprehensive Remote Browser Isolation: Assumes all websites are risky—employing RBI for all web sessions.
  • Website-Targeted Remote Browser Isolation: Activates specifically when a user navigates to unknown pages or websites deemed risk using disposable sandbox environments for each session.

Browser Isolation vs. Remote Browser Isolation

RBI is a specific category of browser isolation that assumes the sandboxed environment managing the browser session runs on a cloud-based server. Businesses, however, could use other methods and technology to isolate their endpoints from web-browsing sessions.

For example, client-side browser isolation will run the website in an ordinary browsing session but isolate the operating system in a virtual environment to protect the endpoint. There's also on-premises browser isolation which works similarly to RBI. The main difference is that the session is processed and hosted on an internal server located in a local network rather than the cloud.

Remote Browser Isolation and Zero Trust

Like Zero Trust Architecture, remote browser isolation solves the security challenges from an undefined network perimeter where many employee users access network resources remotely through the internet. More internet usage means more browsing activity and a higher risk of malware on web pages.

In that sense, RBI is a core element of Zero Trust security that applies the "never trust, always verify" approach and network segmentation principles to internet browsing. RBI assumes all users are negligent or malicious and the websites they use are dangerous. The assumption prompts the activation of remote sessions on a separate server—protecting the endpoints while simultaneously keeping incidents separated from other parts of the corporate network.

How StrongDM Facilitates Remote Browser Isolation

StrongDM’s People-First Access Platform enables organizations to simultaneously adopt Zero Trust and SASE, while giving employees easy access to the devices, applications, and data they need to do their jobs. The solution helps administrators maintain an SWG for users and supports Amazon Web Services (AWS), Azure, and Google Cloud Platform (GCP)—allowing firms to run RBI sessions on the cloud environment of their choice.

StrongDM combines an extensive ecosystem of integration options, easy deployment, and a user-friendly interface into one holistic IAM solution. For these reasons, our platform is one of the top alternatives to Cloudflare and other Zero Trust Network Access (ZTNA) management and browser isolation vendors.

Start Your Browser Isolation Journey with StrongDM

Remote Browser Isolation protects endpoints from internet-based malware and zero-day attacks. By accessing web pages through a secure cloud server and rerouting the content back to the device as streamed pixels or filtered sessions, users can avoid direct interaction with malicious content and isolate themselves from online threats.

Learn more about how StrongDM's IAM platform enables businesses to incorporate web browser isolation into their cybersecurity program to protect their most valued data. Schedule a demo today.

About the Author

, Co-founder / CCO, began working with startups as one of the first employees at Cross Commerce Media. Since then, he has worked at the venture capital firms DFJ Gotham and High Peaks Venture Partners. He is also the host of Founders@Fail and author of Inc.com's "Failing Forward" column, where he interviews veteran entrepreneurs about the bumps, bruises, and reality of life in the startup trenches. His leadership philosophy: be humble enough to realize you don’t know everything and curious enough to want to learn more. He holds a B.A. and M.B.A. from Columbia University. To contact Schuyler, visit him on LinkedIn.

StrongDM logo
💙 this post?
Then get all that StrongDM goodness, right in your inbox.

You May Also Like

Unlocking Zero Trust: The Kipling Method for Policy Writing
Unlocking Zero Trust: The Kipling Method for Policy Writing
To embark on a successful Zero Trust journey, it's crucial to articulate and implement policies that align seamlessly with your business model. The Kipling Method serves as a guiding light in this endeavor. Let's delve into the six fundamental questions it poses.
Simplifying AWS Access with StrongDM Without Compromising Security Posture
Simplifying AWS Access with StrongDM Without Compromising Security Posture
Since Amazon Web Services first announced it in 2011, AWS IAM has evolved to become the gateway to the AWS Cloud. Organizations cannot interact with their cloud resources and its many services without it. Identity, not networking, is the real access boundary.
Privilege Escalation Attack Explained (How to Prevent It)
Cyber Resilience: The Why, the How, and the Way to a Better Framework
Cyber Resilience: The Why, the How, and the Way to a Better Framework
In today's rapidly evolving digital landscape, the concept of cyber resilience has taken center stage. This resilience refers to an organization's capacity to not only withstand but thrive in the face of cyber emergencies, such as the escalating menace of cyber attacks. This article delves into the critical importance of cyber resilience, shedding light on the ever-growing challenges and threats faced by organizations today, and how the right framework, like StrongDM, can fortify an organization's defenses and ensure uninterrupted operations in the wake of unexpected cyber incidents.
Break Glass Explained: Why You Need It for Privileged Accounts
Break Glass Explained: Why You Need It for Privileged Accounts
Identity and access management (IAM) and privileged access management (PAM) are critical security tools for modern organizations. However, they can sometimes bar users from accessing critical systems and services, potentially impacting production, customer experience, and cybersecurity. In urgent cases, a method of bypassing normal security controls to regain access—called “break glass”—is needed. In this post, we’ll walk you through the break-glass process—what it is, why it’s important, and how to execute it.