Remote Browser Isolation - A Guide To The Vendors In The Market
A quick guide to the remote browser isolation market and its technologies, with links to all of the key vendors.
The remote browser isolation space is one of the hottest niches in cybersecurity right now, with Gartner recommending browser isolation technologies as one of the most effective ways an enterprise can reduce web-based attacks against their users.
I tell people that I was present at the birth of the browser isolation space, by which I mean to say that I am intimate with the market and its vendors. I also maintain a remote browser isolation vendor directory so I can keep an eye on the key players.
It's a great space full of amazing remote browser and browser isolation technologies, each of which takes a slightly different approach. Gartner predicts that 50% of enterprises will actively begin to isolate their employees' web browsing activity.
With the remote browser isolation niche blowing up right now, I wanted to outline the key technologies in the market and give you an update on the key players and their movements. Consider this a snapshot and rough guide, and remember that I don't always get things right. If you aren't already knowledgeable about browser isolation, check out the explainer posts below:
Explainers: What is browser isolation? + What is remote browsing?
The Remote Browser Isolation Space
The remote browser isolation space is split into three distinct categories: client-side browser isolation technologies, server-side browser isolation technologies, and those vendors who leverage these technologies to provide remote browsers as a service. Each is trying to solve the same basic problem.
Server Side Browser Isolation Technologies
Server-side technologies take a tried and tested security-through-physical-isolation approach, meaning that they physically isolate your users' browsers and all of the associated cyber risk away from your internal networks.
The delivery model for server-side browser isolation technologies is cloud-hosted remote browsers, with users logging onto remotely hosted browsers, with all of the actual browser isolation being done in the cloud.
The server-side remote browser isolation technologies I list below are ranked in terms of my favorites first and least favorites last.
WEBGAP — Before launching WEBGAP, their co-founding spent eight years working with the NNSA at Lawrence Livermore and Sandia national laboratories building browser isolation platforms for government employees, a model that has since become known as Safeweb by the thousands of fed gov employees who use it to surf the internet.
WEBGAP have a very cool approach in that they are trying to solve the bigger problems in browser isolation rather than the primary one. "Any fool can isolate browsers, the trick is to do it at vast scale in a cost effective way," their CTO told me.
The team at WEBGAP have developed the newest browser isolation technology on the market, but it's still in private beta, so they have not really launched their product properly yet. By leveraging a containerized and grid distributed architecture, WEBGAP requires approximately 10x less server infrastructure than virtualization-based competitors, representing significant cost savings over the long term.
WEBGAP's killer feature is their unique web page runtime rendering, which fetches web pages when a user requests them and strips out any potentially malicious code before delivering it to the user for display. This all happens in real time and delivers a native user experience, with just 15 lines of code behind each web page.
WEBGAP's hosted solution is priced at $4 per user, per month, easily making them the most cost-effective remote browser vendor in the market.
Symantec/FireGlass - Symantec entered into the browser isolation market when they bought FireGlass in late 2017, which was a great move. Unfortunately, FireGlass is a virtualized browser isolation platform, one that presents all of the usual problems you see when massively scaling a SAN centralized architecture.
Another problem with Symantec is that they use video streaming, which consumes a ton of bandwidth if you have lots of users. When we tested it, they also had a lot of interesting features that don't quite work yet, like multitenancy setup and file upload/download. Remember that FireGlass was a startup when Symantec bought them, so they are probably still evolving the product.
Symantec is focused on web isolation for high-risk internet users and C-level employees, possibly because of the high price points. They also pair the technology up with their endpoint and proxy solutions, making a nice addition to their security suite if you are an existing Symantec customer.
I have no information on Symantec’s web isolation pricing at the moment; if you do, then I would love to hear from you!
Ericom - I always liked Ericom, they have been around since they were founded in 1993 by Eran Heyman, their current Chairman. Ericom has been developing software for a long time, mostly related to server-based computing, and before their foray into browser isolation was mainly focused on application access and application publishing for the enterprise.
They recently launched their own remote browser isolation solution called Ericom Shield, one which quite sensibly leverages containerization to deliver a highly scalable remote browser platform with built-in file cleaning.
Authentic8 — Founded by Scott Petry and Ramesh Rajagopal, Authentic8 is another virtualization based technology, one that provides its users with a ‘disposable’ virtual browser upon which the user browses the internet, in what they call the Authentic8 Silo.
When I tested Authentic8 it was fairly straightforward to use: you first have to download their app and install it, then launch the app, familiarize yourself with their somewhat strange user interface and browse through it.
The performance was good and I could browse to any website easily enough, but they seemed to lack the more granular administrative features I would want to use to manage filtering and my users; it's clearly a product in development. Authentic8 pricing is listed at $10 per user, but they offer team discounts.
Menlo Security — Founded by Amir Ben-Efraim and Poornima DeBolle, Menlo Security was an early entrant to the browser isolation space and yet another vendor leveraging virtualization as a tool of isolation in their Menlo Security Isolation Platform (MSIP). They call their technology ‘Adaptive Clientless Rendering’, a bit of a mouthful.
The problem I have with legacy browser isolation players like Menlo is that they are stuck on the old virtualization-based model of browser isolation.
Although virtualization can isolate browsing sessions perfectly well, it is an inefficient vehicle for handling browser compute loads at scale. Combine that with a SAN centralized architecture and it means that Menlo are expensive at almost any scale. With a price point of between $15-$25 per user per month, only the biggest budgets can afford to use Menlo Security.
Menlo are also incredibly picky about who they talk to, cherry-picking opportunities from what I am told and openly telling their prospects that if they are not a Fortune 1000 company they are not interested.
Client Side Browser Isolation Technologies
Client-side browser isolation technologies are trying to solve the same problem as the server-side techs, but instead of isolating the user's browser onto a cloud server, they seek to isolate the user's browsing activity on the endpoint. In my view, this model breaks the security-through-physical-isolation model and asks us to trust the code again. I don't personally.
The good thing about client-side browser isolation technologies is that you do not have to buy or rent servers to host your users' browsers, which represents a solid cost saving if you have lots of users.
Apozy — The co-founding team behind Apozy NoHack are Rick Deacon and Erhan Justice. They have a unique approach to client-side browser isolation that I think sets them apart: rather than leverage client-side virtualization as Bromium has done, they leverage technology that is already built into the major browsers to deliver a sandboxed, safe environment. Specifically, they use CSP headers to make malicious pages “read-only”.
This makes for a frictionless deployment and requires no extra infrastructure, no added integration overhead, which I think is really cool. I don’t have any approximate costs for Apozy, but their model implies cost efficiency.
Bromium — Founded by Ian Pratt and Simon Crosby (previously founders of XenSource, which was bought by Citrix), Bromium represented a completely different approach to isolating an endpoint from the internet.
Bromium built a funny kind of client-side hypervisor that sits above and below the guest OS, what they call micro-virtualization. Bromium can mean you need to buy new hardware, because their hardware compatibility requirements mean that Bromium will not work on all PCs. If you are already due for a hardware refresh, it's no big deal.
Bromium was one of the first companies I noticed emerging onto the browser isolation scene in 2010 and they have gotten traction and a lucrative partnership with Microsoft. What I am being told by the security professionals I speak to is that Bromium is a pain to install on anything but a virgin estate of PCs, requiring manpower to deploy.
Bromium are very cagey about their prices and I have heard different prices from different sources, so I am not able to comment on their pricing.
The Remote Browsing Space
Best practice dictates that you move your users' browsers and the associated risks away from your local networks and infrastructure, and many organizations are in the market for hosted remote browsers provided to them as a service.
Leveraging a cloud-hosted remote browser platform allows you to effectively isolate your organization from browser-based cyber attacks and dramatically enhance your overall cybersecurity posture in the process.
With most vendors offering a frictionless deployment model, remote browsers effectively enable organizations to mitigate web-based cyber threats against their users, without worrying about managing the hardware or risk.
Of the remote browser vendors I list below, some do not have their own browser isolation technology and instead rely on third-party virtualization technologies to deliver their service.
WEBGAP — Offers a cloud hosted remote browser service powered by a proprietary technology they call the WEBGAP Engine. They rent their remote browsers directly to organizations and individuals, also providing their software for on-site installation to enterprise and government customers.
Priced at $4 per user, per month, the cost efficiency of their containerized technology and grid distributed architecture means that WEBGAP will be a highly competitive remote browser solution when it comes out of beta.
Cigloo — Israel-based Cigloo, founded by Hadar Eshel and Eli Lior, offers a remote browsing service aimed at Citrix users and based on the Citrix virtualization stack. They supplement this stack with their own proprietary proxy technology that sits between Citrix users and their virtual environment, so while they may not have their own technology, they do develop the proxy component of their remote browsing platform.
They do not publish prices publicly; I have no idea of what they charge.
Lightpoint Security — I have no idea who founded Lightpoint, because they have zero presence on LinkedIn and it doesn't say on their website. They say that they were founded by ex-NSA employees, which may reassure some of you.
Lightpoint offer hosted remote browsers based on an unknown virtualized technology stack I suspect is VDI. They clearly do not develop their own technology and seem to be using an off-the-shelf technology to deploy their solution. Although they do not have their prices listed, they used to display their prices at $9 per user per month the last time I saw them.
There was one other company in my remote browser vendor directory, WebLife, but they were recently bought by Proofpoint and do not yet seem to have been integrated into Proofpoint’s technology offering. I also missed out BlackBerry, who seem to offer some sort of secure browsing solution which seems to be virtualization-based.
For transparency purposes you should know that I am the co-founder of WEBGAP. While I work hard to be fair and balanced in my writing, like anyone I have my opinions.
Credit: Cover Art by Leila Ling