What is Remote Browser Isolation?

Remote Browser Isolation is a security technology that loads all web traffic away from a user and then sends them a secure version of the page. It’s a zero-trust approach to web security that’s especially effective against zero-days APTs, and other emerging threats.

 

Born in the early 2010s, browser isolation was created because traditional gateway-level security solutions couldn’t keep up with sophisticated online threats. By isolating all web browsing away from a user’s device, any malicious page or document presents a much lower risk.

How Remote Browser Isolation Works

Most commonly, RBI will use a client-server infrastructure to load pages remotely and then stream the content to the user.

Remote Browser Isolation functional diagram with 4 stages How Remote Browser isolation (RBI) works

   

  1. 1.      The user requests to visit a URL.
  2. 2.      The URL is sent to a secure server.
  3. 3.      The secure server loads said URL. Most RBI solutions offer detection capabilities at this point, like running the URL against a database of known malicious artefacts.
  4. 4.      The loaded page is streamed back to the user.
  5. 5.      The user can interact with the page remotely.

 

Other browser isolation solutions might be deployed on premises, not in the cloud. They might recreate pages locally, rather than streaming the content. But the common throughline is, as the name suggests, isolating potentially malicious web content from a user’s device. 

Why You Need Remote Browser Isolation

Remote Browser Isolation can be very effective against web threats. It can mitigate the impact of technical exploits, like:
 

  • Cross-site scripting (XSS): Including code injection that can, for example, trigger malicious JS scripts when a page is loaded.
  • Drive-by downloads: Malicious code on web pages that downloads files without the user’s consent.
  • Clickjacking: Which can be achieved through a variety of ways, like overlaying elements on a page, so users click on something else than what they intended.
     

Browser isolation can also minimize the impact of social engineering, in cases of:
 

  • Phishing: And not only when receiving email scams. RBI can be effective against phishing whenever users access spoofed content in their browser. This can include web pages, PDF files or obfuscated attachments. While usually delivered via email, these web threats are everywhere online. However, remember that RBI won’t neutralize all forms of phishing. It’s only effective in isolating some of the impacts of social engineering, like tricking users into downloading a malicious file.
  • Cross-site request forgery: When users are tricked into misusing their access to applications they’re already logged into.
  • Clickjacking: When it’s achieved through deceptive design, for example of ads that pretend they’re legitimate download buttons from a page.

Most business tools today, from document editors to analytics dashboards, are accessed from a browser. That’s why companies need to invest in a browser isolation tool. It’s a proxy between your enterprise’s devices, and the world wide web.

What are the different types of Browser Isolation?

Browser isolation has evolved in recent years due to increasing reliability on cloud services. As a result, there are a lot of ways to classify browser isolation technologies, based on where pages are loaded and the infrastructure of the BI solution.

 

Types of Browser Isolation Based On Where Pages are Loaded

  • Remote – Remote Browser Isolation refers to rendering the page completely off-site, usually in a cloud service managed by a third-party provider. It requires the least amount of integration effort, and it’s the most secure option for companies with limited resources to spare for security. Remote Browser Isolation can disrupt user experience because of latency. But that drawback can be minimized with proper server distribution and availability.
  • On-premises – Very similar to Remote Browser Isolation, but the web pages are loaded on-premises. This approach can demand more engineering resources, and a higher integration effort. You get a lot of overhead with admins having to install the app on PCs, managing updates, and forcing users to switch browsers. However, a lot of Remote Browser Isolation providers offer on-premises deployment, and they can streamline adoption.
  • Locally – Local browser isolation is possible through virtualization or sandboxing. Company devices can dedicate a small portion of their processing power to a “virtual computer”, or otherwise virtualized environment, that opens URLs for the user. This is the cheapest option, as the virtual environment runs on the devices of the users; you don’t have to pay for cloud workloads. When configured properly, it can also be secure. Unfortunately, this option requires a lot of integration effort. It also presents risks for the local device, as malicious code may be loaded on it. Not to mention, it runs on the resources of the device, which can be a problem for power users.

 

Types of Remote Browser Isolation Infrastructures

Remote Browser technology can be broken down in three categories, based on how web content reaches the user.
 

  • Streaming – this is the most common remote browser technology, and it’s self-explanatory. Web content is loaded remotely, then streamed back to the user much like a Netflix show or YouTube video.
  • DOM reconstruction – The DOM (Document Object Model) represents a web page in memory. It’s a logical tree, with multiple branches and nodes containing objects, like paragraphs, images, and line breaks. If all of this sounds foreign, here’s partly accurate TLDR: the DOM is the structure of a webpage.
    With DOM reconstruction, a web page is loaded and reconstructed remotely. If it contained malicious code, it’s usually stripped from the source code. Once it’s been sanitized, the webpage is loaded again in the user’s browser.
    DOM reconstruction can be as fast as streaming, while offering a more seamless browsing experience. However, if malicious code needs to be cut from a page, DOM reconstruction may be slower than streaming. It can also fail at removing all malicious elements, making it riskier than streaming.
  • Draw commands – Most modern browsers use Skia, a 2D graphics library, to render web pages. In this type of browser isolation, web pages are loaded remotely, and the “draw” commands of Skia are extracted. These commands are then sent back to the user, recreating the page independent of its source code.

Pros and Cons for Remote Browser Isolation

For the right enterprise, Remote Browser Isolation is the best solution against web threats. However, web isolation has its drawbacks, such as increased latency if not properly configured.

To help you make the best decision for your enterprise, here’s an overview of RBI’s benefits and drawbacks.

Remote Browser Isolation Benefits

  • Effective posturing against web threats. By isolating potentially malicious pages from end users, remote browser isolation is effective against browser threats. Whether they’re known exploits, or zero-day threats, RBI isolates all browser activity. Granted, RBI cannot neutralize all types of threats. For example, attackers can still hijack your browser session. But even in that case, using a reliable security provider for RBI can help you detect hijacking faster.
  • Secured sensitive data. Web threats can be an avenue for further compromise. For example, a drive-by download might deliver a ransomware payload to the target device, encrypting or even stealing data from it. If that ransomware payload is downloaded on the remote browser server, it can’t affect your enterprise.
  • Minimize the risks of technical vulnerabilities. Exploits can take advantage of many web features. For example, HTML smuggling uses JavaScript to manipulate files inside the browser, avoiding detection at the entry point. With RBI, even if a payload is smuggled through your firewall, it will only affect the remote server, not your organization's devices. Mature RBI solutions also offer enhanced detection capabilities, for example by analyzing web pages in real time to detect potential web threats.
  • Minimize the impact of social engineering. Phishing, clickjacking and plenty more social engineering tactics may use modern browsers to trick users. For example, spoofed pages masquerade as legitimate download portals, tricking users into downloading malicious files. Even if the end users you’re protecting fall victim to this kind of social engineering, the threat is contained on the remote browser.

 

Better user experience and less admin overhead. Without an RBI solution, companies might impose strict limits on the browsing activities of employees. With RBI, this aggressive stance on unknown, potentially malicious pages is not necessary​​​​.

Remote Browser Isolation Drawbacks

RBI can present drawbacks for companies, including:
 

  • Cost. Depending on the service you use, your threat model, and how much of your company’s work happens in a browser, RBI costs can add up. If your company already has reliable detection systems, and is happy to restrict browsing for its employees, it’s a cost you might not want to incur. However, with the increasing reliance on the cloud for everyday business processes, that might change in the future.
  • Latency. Because you’re loading pages remotely, you’re bound to experience some latency with RBI. However, reliable servers can make the ping unnoticeable.
  • Compatibility. No browser client is the same, which can lead to friction when adopting an RBI solution. It’s important to choose a solution that can offer feature parity with your existing browsers, especially for power users like web developers.

Diving Deeper Into Web Security

Remote Browser Isolation is a strong, zero-trust approach to neutralizing web threats. It can defend against cross-site scripting, clickjacking, phishing, and many more.

It’s not perfect. It won’t prevent all types of social engineering, and you can see some friction implementing it. But if you partner with a reputable RBI provider, you’ll mitigate any worries about latency, compatibility, or difficult integration.

If you want to find out more about cybersecurity, read our InfoZone guide on Endpoint Security.

How Bitdefender Can Help

Bitdefender licenses its Remote Browser Isolation to partners that want zero-trust web security. It’s part of our larger Sandbox Service, and it’s very easy to implement. Partners only need to account for a few API calls to set-up powerful RBI environments.

Bitdefedner RBI functional diagram How Bitdefender RBI works

Bitdefender RBI comes with extended session durations, timeout notifications, copy-and paste, as well as download capabilities.

At the moment, Bitdefender RBI is only available to a limited number of partners.

Inquire about our technology licensing portfolio to see if you qualify. 

Why do companies invest in Remote Browser Isolation?

Remote Browser Isolation is a web security technology that can protect users from browser-based threats. It offers a zero-trust approach to web security, making it attractive for companies that want to improve their posturing against common web threats.

What is the difference between RBI and SWG?

Remote Browser Isolation protects the endpoints of users against online threats. Secure Web Gateway (SWG) analyzes traffic coming into a network at the application layer. RBI and SWG are somewhat redundant – but they complement each other, because RBI employs a zero-trust approach, making it more effective against zero-days.

What are the advantages of Remote Browser Isolation?

The main advantage of Remote Browser Isolation is protection against emerging or advanced web threats. Because it isolates all user traffic, it can neutralize clickjacking, cross-site scripting, and even some forms of social engineering.