SlideShare a Scribd company logo

Why a virtual browser is important for your enterprise

David Strom
David Strom

A browser needs more sophisticated and granular security controls that work with a variety of network and cloud-based services and websites.

Technology
1 of 7
Download to read offline
By David Strom The web browser has become the defacto universal user applications interface. It is the mechanism of choice for accessing modern software and services. But because of this ubiquity, it puts a burden on browsers to handle security more carefully. Why a Virtual Browser is Important For Your Enterprise
2 The web browser has become the defacto universal user applications interface. It is the mechanism of choice for accessing modern software and services. But because of this ubiquity, it puts a burden on browsers to handle security more carefully. The web browser is the security sinkhole of today’s enterprise infrastructure. More malware enters via the browser than any other place across the typical network. Phishing, drive-by attacks, ransomware, SQL injections, man-in-the-middle and other exploits all take advantage of the browser’s creaky user interface, huge attack surface and the gullibility of most end users. Numerous studies, including Verizon’s Data Breach Investigation Report, show that in addition to executable code, a huge percentage of breaches occurs due to user activity (see chart), where half are caused by insiders or just plain errors, not because of any particular infection. These errors include unintended data leakage because of poor password choices, or bad online habits (such as connecting to rogue public hotspots), and other activities such as accessing cloud-based data from personal devices that could potentially leak data to unauthorized endpoints. This doesn’t surprise many savvy security managers who have had to deal with these incidents over time. Aiding and abetting this situation is the fact that the web browser has become the defacto universal user applications interface, even for other things besides web servers. It is the mechanism of choice for modern software and services. Look at the growth of web-based email services: a decade ago they were a novelty. Now they are the norm. Even printers and DSL modems now come with web control panels. THE WEB BROWSER But because of this ubiquity, it puts a burden on browsers to handle security more carefully. However, many of the early browsers weren’t up for the task. These early tools didn’t have to support the vast array of content types that they serve up today. And they also didn’t have to contend with the numerous exploits that are now at large and in the wild. Still, some IT managers have tried to fight off browser-based infections with a variety of security counter-measures. Fortunately for them, modern browsers have gotten noticeably more secure and better at warning end users as they are about to inflict harm to their computers. But in the hacking arms race, often this isn’t enough. No matter which web browser you use, even if you turn up your security settings to the highest possible choices you won’t be adequately protected. As a recent test of browsers defending against socially engineered malware from NSS Labs showed, (see chart) no browser is perfect. Microsoft’s Internet Explorer was able to block 99.9% of malware samples used, but the other browsers scored much lower in being able to block malware – in some cases, less than a third of the samples were blocked. That is a pretty sad state of affairs. One cause is how browsers and web servers are designed: the browser dutifully downloads and executes its HTML code from a wide variety of servers, without any regard for what this content could be. Why a Virtual Browser is Important For Your Enterprise David Strom @dstrom, strominator.com (From the Verizon Data Breach Incident Report 2015, frequency of incidents collected.) NSS Labs Browser Security Comparative Analysis, 2016: average block rate for socially engineered malware by browser. MISCELLANEOUS ERRORS CRIMEWARE INSIDER MISUSE PHYSICAL THEFT/LOSS WEB APP ATTACKS DENIAL OF SERVICE CYBER-ESPIONAGE POS INTRUSIONS PAYMENT CARD SKIMMERS 29.4% 25.1% 20.6% 15.3% 4.1% 3.9% 0.8% 0.7% 0.1% INTERNET EXPLORER LIEBAO BROWSER CHROME SOGOU EXPLORER OPERA 360 SAFE BROWSER FIREFOX SAFARI 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% 99.9% 85.1% 70.7% 60.1% 28.8% 6.3% 4.2% 4.1%
But even turning up the security settings isn’t really a solution. If you do this, your users will be enormously frustrated. This is because turning up these security settings will prevent your users from conducting business on numerous websites: either blocking pop-ups that are needed to navigate a poorly-designed site, stopping forms from collecting important information, or making your browsing session miserable in some other fashion. This makes it hard for enterprises to secure access to their users’ personal websites. This gets us to our first issue: A browser needs more sophisticated and granular security controls that work with a variety of network and cloud-based services and websites. At first glance the number of security settings is a mind-numbing long list of options, but it is difficult to impossible for even the most highly organized IT manager to manage them without a lot of additional software. As we mentioned earlier, the spread of web-based application interfaces means that employers also need to be able to regulate access to various SaaS-based apps, especially more sensitive ones that involve personnel, customer information, and company confidential data. Having secure sign-ons and more secure methods of conducting web-based transactions is also needed. Third, the browser is not a monolithic piece of software. It relies on a constellation of plug-ins, add-ons, and helper objects to render complex web pages correctly and stream content, play animations, and perform other advanced features. Keeping this collection of add-ons working securely is no easy task, because each add-on increases the attack surface and vulnerabilities available to attackers. Finally, the web browser is deeply integrated into most desktop operating systems. There is a reason why Internet Explorer and Windows Explorer look and feel the same: it is because browsing a website and your own local hard drive uses the same code base. Separating the web from the rest of your network resources isn’t easy. Good cases in point are the numerous ransomware attacks that leverage the native browser interfaces to encrypt local and network-attached files. ENTER THE VIRTUAL BROWSER WHAT FEATURES A VIRTUAL BROWSER SHOULD OFFER THE ISSUES WITH WEB BROWSER SOFTWARE The challenge is to balance the security needs of the organization between the personal needs and accessibility demanded by each user. A browser can be so secure that it isn’t useful, and block so much content that it will quickly be abandoned by users in search of some other way to connect to their websites of interest. This balance of security and usability means that more granular control over the security options is needed so that enterprises can deliver the most appropriate level of browser security and functionality to their end users. This situation is why a new class of virtual or security-aware browsers has been invented. The idea is to create a virtual browser that offers some kind of sandboxing protection to keep malware and infections from spreading across the endpoint computer. This means any web content can’t easily reach the actual endpoint device that is being used to surf the web, so even if it is infected it can be more readily contained. While client-side sandboxing has been around for more than a decade, the real innovation here has been the ability to minimize impact on local resources by taking advantage of the cloud to make the whole process as seamless as possible. The ideal virtual browser should offer the following features: Isolate and prevent all user data from persisting on a borrowed or public PC after a browsing session is concluded. Like the mobile management tools, it should clean up after use to protect data leakage. Ideally, a virtual browser should be able to keep all browsing information protected on a separate and secure network. Enforce corporate acceptable use policies to allow/block specific content categories and website URLs. Enforcing security policies across a collection of browsers isn’t an easy matter: most standard browsers have individual policy settings that can be circumvented by a knowledgeable user. The best virtual browsers approach this by having a centrally managed collection of policies that can be applied like firewall rule sets across the entire user population. 3Why a Virtual Browser is Important For Your Enterprise David Strom @dstrom, strominator.com
Prevent file downloads/uploads and cut/paste operations so that files and other data can’t transit a browser session into the other parts of an endpoint. This could be part of the security policy settings above. For example, you could set your policy so that file uploads are disabled and file downloads are enabled. This is to prevent accidental file exfiltration, but does allow users to download reports and other items they may need to get work done on their desktops. You could set a companion policy for cut/paste to the clipboard to correspond to these settings. These policies are similar to what has already been done with mobile management products that try to isolate browsing sessions from the rest of the smartphone operating system and app collection. Log sessions to aid in remediation or reconstruction in case of any attacks or data destruction. Again, this is similar to numerous other security products that track network activity. And ideally these logs should be encrypted with a customer-supplied key to secure this information even further. Offer single sign-on features to allow users to share credentials for a collection of SaaS-based services. This makes it easier for a user to open their browser and be ready to work by having their logins to various sites pre-loaded. Better authentication should be available for these credentials too. The best virtual browsers should have the ability to add multi-factor authentication (MFA) for better security to access the overall browsing session and for logins to specific apps. Support plug-ins and other browser extensions to make common content accessible and have functional parity with standard Chrome/Firefox browsers. Provide anonymous surfing: the virtual browser can be configured to provide an IP address that is outside your corporate domain, along with adjusting other browser user agent characteristics. HOW SILO WORKS Authentic8’s Silo is one of the virtual, cloud-based browser products available. It is a separate executable for Windows, Mac iOS and Ubuntu that installs its own application. When you run this app, it first connects across the Internet to a Linux virtual container that sits in various datacenters around the world. This Linux-based container is currently running Firefox v44 core with some additions to make it more secure. Silo updates its browser OS as Firefox releases its own updates, of course. Network Speed Silo has a couple of advantages: first, your apparent connection speed is much greater than what you typically will have, since Silo makes its connection to destination websites from where its containers are located at Internet peering points. You can set geographical connections to the fastest location to further optimize performance so that the path is streamlined even further. This takes advantage of the faster connections from these locations, which increases the apparent browsing speed on your local desktop. In our test Silo was about 100 times faster compared to our standard DSL connection (see screenshot) the top half shows the speeds from our local desktop, compared to the bottom much faster speeds from using Silo). LOCAL NETWORK SILO 4Why a Virtual Browser is Important For Your Enterprise Silo runs on a faster machine, on a faster network. David Strom @dstrom, strominator.com
Endpoint Protection Authentication User Control Third, to begin browsing with Silo, you need to authenticate yourself and login to your Silo account. This is because Silo stores personal information (if the user or the IT administrator so desires) about the browsing session such as cookies, bookmarks and authentication credentials to SaaS-based sites. If users don’t want any of this data stored, they don’t have to authenticate themselves. Authentication can happen either by entering a PIN (see screenshot) or through integration with some other enterprise identity management solution. Authenticating to the browser can be an issue for some end users, and we’ll get to that under some of the drawbacks. An IT administrator sets up various protection policies to each account, assigning particular roles and granular rules for each class of user. This includes having multi factor authentication rules and a single sign-on portal for frequently used apps. It also protects all the information transmitted during that browsing session, since everything is encrypted from your endpoint to the Authentic8 data center. And having separate logins means IT can easily and quickly revoke access for one user without impacting the logins for others. Users also have access to information about their logins (see screenshot). Second, any content delivered to the Silo-based virtual container doesn’t enter your own endpoint. All web-collected content (HTML flash, Javascript, and so on) stays inside the virtual instance and outside the reach of the endpoint. Indeed, each virtual browsing session is destroyed when a user logs out. Silo’s policy settings can enable or prohibit uploads, downloads, or both. More than a dozen different policy settings can be applied across your entire browsing population (see screenshot). 5Why a Virtual Browser is Important For Your Enterprise Admin-defined policy capabilities. Dynamic PIN-based authentication. User-available settings. David Strom @dstrom, strominator.com
Finally, Silo also has a very flexible file storage feature (see screenshot). You have several choices, depending on what level of security and functionality you require: Silo has some nice collaboration features that are built-in. It has the beginnings of a single sign-on portal that your workgroup can use to bring up a series of web sites and automatically log in to them at the start of each browsing session. This means you can setup a shared corporate Twitter account for example, or set up other shared accounts, making them more secure since they can only be accessed from within the Silo session and under IT control. With all of these options, administrators can obtain log data of file and account usage. And files can be stored on an encrypted file system that is only available to a user from within the Silo browser. You can direct any files to a temporary cache that gets erased after you logout of your browsing session. This allows you to manipulate files without having to touch the endpoint device itself. You can share files among a team that remain in a protected workspace, and manage how much pooled storage is allocated per user too. This can help integrate the storage with each individual’s secure browser. You can freely download and upload files from your endpoint, provided the policies allow it. THE DISPOSABLE BROWSER HOW TO COLLABORATE SECURELY Taken together, these features create what we could call a disposable or stateless browser. This means that with Silo you can start a browsing session, connect to various websites and other online resources, get your work done, and then log out, without leaving any evidence or cookies or other digital traces of where you have been and what you have done. Set up in this fashion, no code ever reaches your endpoint device. How often have you been on the road and needed additional security to prevent these footprints from being created on a borrowed or shared PC? That is where this kind of browser comes in handy. You bring up the software and don’t have a lot of work to get online, knowing that you have the maximum protection possible for your surfing. This also provides other benefits for cybersecurity researchers who wish to use the anonymity of their connection but still be able to analyze browsing content. Authentic8 has data centers located at numerous sites around the globe, and administrators can set up to use a specific one as the default endpoint. For example, a user in New York City may launch a new browser instance from the data center located in Sao Paolo, Brazil. This connection would not only have the externally facing IP address appropriate to Brazil, but the browser itself would present language and time zone characteristics of someone typically originating from Brazil. In addition, Silo users can change the language of the browser’s keyboard while keeping the desktop keyboard language intact. This makes it easier for temporary users to customize their browsing session without having to change the rest of the desktop environment. Finally, the session can carry the user agent identifier of Windows and Chrome as a host operating system/browser combination, or other combinations from the bottom toolbar (see screenshot). Why a Virtual Browser is Important For Your Enterprise 6 Integrated, encrypted file storage. Changing Silo fingerprint characteristics. David Strom @dstrom, strominator.com
Why a Virtual Browser is Important For Your Enterprise Like most such portals, IT managers can setup and revoke access to all of these applications with just a few mouse clicks. (see screenshot) 7 DOWNSIDES OF THE VIRTUAL BROWSER: WHAT DOESN’T WORK IN CONCLUSION As we mentioned earlier about the secure file storage features, Silo can also set up a pooled shared storage volume so members of the workgroup can share files securely. Included in the software are a number of file viewers so that end users can see, over an encrypted session, common documents such as Microsoft Office, PDFs, text files, MP3s and MP4s without having to leave the protected browsing environment. Taken together, these features make sharing work product amongst a team more productive. No piece of software is perfect, and even Silo won’t stop every future piece of malware under every circumstance. If you enable file downloads, a rogue PDF file could slip through your defenses. But still, it has the necessary controls in place to provide a solid array of protection features. As we mentioned earlier Silo requires some kind of authentication to enable its protective features. Many users aren’t accustomed to doing this in order to run a browsing session, or take some time to get used to dealing with activity timeouts (if this is specified in the policy section) requiring re-authentication to continue their session. There are ways around this, but it is still a step users might not be accustomed to. Silo isn’t as faithful as it could be in terms of displaying web content. If you look at the test site html5test.com, you can see the more than one hundred different activities that it uses to grade each browser. A standard Windows Firefox v45 scores 459 out of a possible 555 points, so even an ordinary browser with default settings doesn’t display everything. Silo scores 451 points, just slightly lower. (The Chrome browsers do better at HTML5 compatibility tests than those based on Firefox like Silo.) Also, Silverlight-based sites (such as Netflix) aren’t supported, because there is no Linux version of this plug-in available. All in all, Silo represents a solid alternative for protecting your endpoints and having the most secure browsing experience that offers a nice balance between IT control for its enterprise security and allowing users the functionality to access their personal web content. While the notion of logging into a browsing session adds an extra step, the additional security functions available and speeds gained in web access are worth the tradeoff. About the Author David Strom (@dstrom, strominator.com) is one of the leading experts on network and Internet technologies and has written and spoken extensively on topics such as VOIP, convergence, email, cloud computing, network security, Internet applications, wireless and web services for more than 25 years. He has had several editorial management positions for both print and online properties in the enthusiast, gaming, IT, network, channel, and electronics industries, including the editor-in-chief of Network Computing print, DigitalLanding.com, and Tom’s Hardware.com. He began his career working in varying roles in end-user computing in the IT industry. He has a Masters of Science, Operations Research degree from Stanford University, and a BS from Union College. About Authentic8 Founded in 2010 by principals from Postini, Authentic8 is redefining how the browser is used to access web data. They address a real problem, have a novel approach, and thrive on delighting customers. Their thesis is simple. As business apps move to the cloud, the browser is more important than ever. Yet it's an unmanageable resource, especially as users login from anywhere and any device. Authentic8 thinks its a problem worth solving, but it requires a radical shift in thinking. Its flagship product, Silo, is a cloud-based secure virtual browser. Silo creates a perfect insulation layer between the user and the web, keeping all web code isolated in a contained environment but delivering an encrypted display of the browser session. Contact Authentic8 info@authentic8.com or call 877.659.6535 Try Silo for free at WWW.GETSILO.COM A typical Silo portal page. David Strom @dstrom, strominator.com

Recommended

The Practice of Cyber Crime Investigations
The Practice of Cyber Crime InvestigationsThe Practice of Cyber Crime Investigations
The Practice of Cyber Crime InvestigationsAlbert Hui
 
Visual Design with Data
Visual Design with DataVisual Design with Data
Visual Design with DataSeth Familian
 
3 Things Every Sales Team Needs to Be Thinking About in 2017
3 Things Every Sales Team Needs to Be Thinking About in 20173 Things Every Sales Team Needs to Be Thinking About in 2017
3 Things Every Sales Team Needs to Be Thinking About in 2017Drift
 
Spark Twitter fails Mar2023
Spark Twitter fails Mar2023Spark Twitter fails Mar2023
Spark Twitter fails Mar2023David Strom
 
Getting Your First Cybersecurity Job
Getting Your First Cybersecurity JobGetting Your First Cybersecurity Job
Getting Your First Cybersecurity JobDavid Strom
 
Understanding passwordless technologies
Understanding passwordless technologiesUnderstanding passwordless technologies
Understanding passwordless technologiesDavid Strom
 
What endpoint protection solutions are available on the market today?
What endpoint protection solutions are available on the market today?What endpoint protection solutions are available on the market today?
What endpoint protection solutions are available on the market today?David Strom
 
Fears and fulfillment with IT security
Fears and fulfillment with IT securityFears and fulfillment with IT security
Fears and fulfillment with IT securityDavid Strom
 

Recommended

The Practice of Cyber Crime Investigations
The Practice of Cyber Crime InvestigationsThe Practice of Cyber Crime Investigations
The Practice of Cyber Crime InvestigationsAlbert Hui
 
Visual Design with Data
Visual Design with DataVisual Design with Data
Visual Design with DataSeth Familian
 
3 Things Every Sales Team Needs to Be Thinking About in 2017
3 Things Every Sales Team Needs to Be Thinking About in 20173 Things Every Sales Team Needs to Be Thinking About in 2017
3 Things Every Sales Team Needs to Be Thinking About in 2017Drift
 
Spark Twitter fails Mar2023
Spark Twitter fails Mar2023Spark Twitter fails Mar2023
Spark Twitter fails Mar2023David Strom
 
Getting Your First Cybersecurity Job
Getting Your First Cybersecurity JobGetting Your First Cybersecurity Job
Getting Your First Cybersecurity JobDavid Strom
 
Understanding passwordless technologies
Understanding passwordless technologiesUnderstanding passwordless technologies
Understanding passwordless technologiesDavid Strom
 
What endpoint protection solutions are available on the market today?
What endpoint protection solutions are available on the market today?What endpoint protection solutions are available on the market today?
What endpoint protection solutions are available on the market today?David Strom
 
Fears and fulfillment with IT security
Fears and fulfillment with IT securityFears and fulfillment with IT security
Fears and fulfillment with IT securityDavid Strom
 
Protecting your digital and online privacy
Protecting your digital and online privacyProtecting your digital and online privacy
Protecting your digital and online privacyDavid Strom
 
AI and cyber security: new directions, old fears
AI and cyber security: new directions, old fearsAI and cyber security: new directions, old fears
AI and cyber security: new directions, old fearsDavid Strom
 
The legalities of hacking back
The legalities of hacking backThe legalities of hacking back
The legalities of hacking backDavid Strom
 
How to market your book in today's social media world
How to market your book in today's social media worldHow to market your book in today's social media world
How to market your book in today's social media worldDavid Strom
 
​Understanding the Internet of Things
​Understanding the Internet of Things​Understanding the Internet of Things
​Understanding the Internet of ThingsDavid Strom
 
How to make your mobile phone safe from hackers
How to make your mobile phone safe from hackersHow to make your mobile phone safe from hackers
How to make your mobile phone safe from hackersDavid Strom
 
Implications and response to large security breaches
Implications and response to large security breaches Implications and response to large security breaches
Implications and response to large security breaches David Strom
 
Using social networks to find your next job (2017)
Using social networks to find your next job (2017)Using social networks to find your next job (2017)
Using social networks to find your next job (2017)David Strom
 
Security v. Privacy: the great debate
Security v. Privacy: the great debateSecurity v. Privacy: the great debate
Security v. Privacy: the great debateDavid Strom
 
Using OpenStack to Control VM Chaos
Using OpenStack to Control VM ChaosUsing OpenStack to Control VM Chaos
Using OpenStack to Control VM ChaosDavid Strom
 
Notable Twitter fails
Notable Twitter failsNotable Twitter fails
Notable Twitter failsDavid Strom
 
How to make the move towards hybrid cloud computing
How to make the move towards hybrid cloud computingHow to make the move towards hybrid cloud computing
How to make the move towards hybrid cloud computingDavid Strom
 
Listen to Your Customers: How IT Can Provide Better Support
Listen to Your Customers: How IT Can Provide Better SupportListen to Your Customers: How IT Can Provide Better Support
Listen to Your Customers: How IT Can Provide Better SupportDavid Strom
 
Network security practice: then and now
Network security practice: then and nowNetwork security practice: then and now
Network security practice: then and nowDavid Strom
 
Biggest startup mistakes
Biggest startup mistakesBiggest startup mistakes
Biggest startup mistakesDavid Strom
 
Picking the right Single Sign On Tool to protect your network
Picking the right Single Sign On Tool to protect your networkPicking the right Single Sign On Tool to protect your network
Picking the right Single Sign On Tool to protect your networkDavid Strom
 
Big data analytics
Big data analyticsBig data analytics
Big data analyticsDavid Strom
 
Emerging computing trends 2015
Emerging computing trends 2015Emerging computing trends 2015
Emerging computing trends 2015David Strom
 
Keeping the customer in mind: a lesson for Telco's
Keeping the customer in mind: a lesson for Telco'sKeeping the customer in mind: a lesson for Telco's
Keeping the customer in mind: a lesson for Telco'sDavid Strom
 
Marcus Ranum on Bad Idea Zombies
Marcus Ranum on Bad Idea Zombies Marcus Ranum on Bad Idea Zombies
Marcus Ranum on Bad Idea Zombies David Strom
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 

More Related Content

More from David Strom

Protecting your digital and online privacy
Protecting your digital and online privacyProtecting your digital and online privacy
Protecting your digital and online privacyDavid Strom
 
AI and cyber security: new directions, old fears
AI and cyber security: new directions, old fearsAI and cyber security: new directions, old fears
AI and cyber security: new directions, old fearsDavid Strom
 
The legalities of hacking back
The legalities of hacking backThe legalities of hacking back
The legalities of hacking backDavid Strom
 
How to market your book in today's social media world
How to market your book in today's social media worldHow to market your book in today's social media world
How to market your book in today's social media worldDavid Strom
 
​Understanding the Internet of Things
​Understanding the Internet of Things​Understanding the Internet of Things
​Understanding the Internet of ThingsDavid Strom
 
How to make your mobile phone safe from hackers
How to make your mobile phone safe from hackersHow to make your mobile phone safe from hackers
How to make your mobile phone safe from hackersDavid Strom
 
Implications and response to large security breaches
Implications and response to large security breaches Implications and response to large security breaches
Implications and response to large security breaches David Strom
 
Using social networks to find your next job (2017)
Using social networks to find your next job (2017)Using social networks to find your next job (2017)
Using social networks to find your next job (2017)David Strom
 
Security v. Privacy: the great debate
Security v. Privacy: the great debateSecurity v. Privacy: the great debate
Security v. Privacy: the great debateDavid Strom
 
Using OpenStack to Control VM Chaos
Using OpenStack to Control VM ChaosUsing OpenStack to Control VM Chaos
Using OpenStack to Control VM ChaosDavid Strom
 
Notable Twitter fails
Notable Twitter failsNotable Twitter fails
Notable Twitter failsDavid Strom
 
How to make the move towards hybrid cloud computing
How to make the move towards hybrid cloud computingHow to make the move towards hybrid cloud computing
How to make the move towards hybrid cloud computingDavid Strom
 
Listen to Your Customers: How IT Can Provide Better Support
Listen to Your Customers: How IT Can Provide Better SupportListen to Your Customers: How IT Can Provide Better Support
Listen to Your Customers: How IT Can Provide Better SupportDavid Strom
 
Network security practice: then and now
Network security practice: then and nowNetwork security practice: then and now
Network security practice: then and nowDavid Strom
 
Biggest startup mistakes
Biggest startup mistakesBiggest startup mistakes
Biggest startup mistakesDavid Strom
 
Picking the right Single Sign On Tool to protect your network
Picking the right Single Sign On Tool to protect your networkPicking the right Single Sign On Tool to protect your network
Picking the right Single Sign On Tool to protect your networkDavid Strom
 
Big data analytics
Big data analyticsBig data analytics
Big data analyticsDavid Strom
 
Emerging computing trends 2015
Emerging computing trends 2015Emerging computing trends 2015
Emerging computing trends 2015David Strom
 
Keeping the customer in mind: a lesson for Telco's
Keeping the customer in mind: a lesson for Telco'sKeeping the customer in mind: a lesson for Telco's
Keeping the customer in mind: a lesson for Telco'sDavid Strom
 
Marcus Ranum on Bad Idea Zombies
Marcus Ranum on Bad Idea Zombies Marcus Ranum on Bad Idea Zombies
Marcus Ranum on Bad Idea Zombies David Strom
 

More from David Strom (20)

Protecting your digital and online privacy
Protecting your digital and online privacyProtecting your digital and online privacy
Protecting your digital and online privacy
 
AI and cyber security: new directions, old fears
AI and cyber security: new directions, old fearsAI and cyber security: new directions, old fears
AI and cyber security: new directions, old fears
 
The legalities of hacking back
The legalities of hacking backThe legalities of hacking back
The legalities of hacking back
 
How to market your book in today's social media world
How to market your book in today's social media worldHow to market your book in today's social media world
How to market your book in today's social media world
 
​Understanding the Internet of Things
​Understanding the Internet of Things​Understanding the Internet of Things
​Understanding the Internet of Things
 
How to make your mobile phone safe from hackers
How to make your mobile phone safe from hackersHow to make your mobile phone safe from hackers
How to make your mobile phone safe from hackers
 
Implications and response to large security breaches
Implications and response to large security breaches Implications and response to large security breaches
Implications and response to large security breaches
 
Using social networks to find your next job (2017)
Using social networks to find your next job (2017)Using social networks to find your next job (2017)
Using social networks to find your next job (2017)
 
Security v. Privacy: the great debate
Security v. Privacy: the great debateSecurity v. Privacy: the great debate
Security v. Privacy: the great debate
 
Using OpenStack to Control VM Chaos
Using OpenStack to Control VM ChaosUsing OpenStack to Control VM Chaos
Using OpenStack to Control VM Chaos
 
Notable Twitter fails
Notable Twitter failsNotable Twitter fails
Notable Twitter fails
 
How to make the move towards hybrid cloud computing
How to make the move towards hybrid cloud computingHow to make the move towards hybrid cloud computing
How to make the move towards hybrid cloud computing
 
Listen to Your Customers: How IT Can Provide Better Support
Listen to Your Customers: How IT Can Provide Better SupportListen to Your Customers: How IT Can Provide Better Support
Listen to Your Customers: How IT Can Provide Better Support
 
Network security practice: then and now
Network security practice: then and nowNetwork security practice: then and now
Network security practice: then and now
 
Biggest startup mistakes
Biggest startup mistakesBiggest startup mistakes
Biggest startup mistakes
 
Picking the right Single Sign On Tool to protect your network
Picking the right Single Sign On Tool to protect your networkPicking the right Single Sign On Tool to protect your network
Picking the right Single Sign On Tool to protect your network
 
Big data analytics
Big data analyticsBig data analytics
Big data analytics
 
Emerging computing trends 2015
Emerging computing trends 2015Emerging computing trends 2015
Emerging computing trends 2015
 
Keeping the customer in mind: a lesson for Telco's
Keeping the customer in mind: a lesson for Telco'sKeeping the customer in mind: a lesson for Telco's
Keeping the customer in mind: a lesson for Telco's
 
Marcus Ranum on Bad Idea Zombies
Marcus Ranum on Bad Idea Zombies Marcus Ranum on Bad Idea Zombies
Marcus Ranum on Bad Idea Zombies
 

Recently uploaded

SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 

Recently uploaded (20)

SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 

Why a virtual browser is important for your enterprise

  • 1. By David Strom The web browser has become the defacto universal user applications interface. It is the mechanism of choice for accessing modern software and services. But because of this ubiquity, it puts a burden on browsers to handle security more carefully. Why a Virtual Browser is Important For Your Enterprise
  • 2. 2 The web browser has become the defacto universal user applications interface. It is the mechanism of choice for accessing modern software and services. But because of this ubiquity, it puts a burden on browsers to handle security more carefully. The web browser is the security sinkhole of today’s enterprise infrastructure. More malware enters via the browser than any other place across the typical network. Phishing, drive-by attacks, ransomware, SQL injections, man-in-the-middle and other exploits all take advantage of the browser’s creaky user interface, huge attack surface and the gullibility of most end users. Numerous studies, including Verizon’s Data Breach Investigation Report, show that in addition to executable code, a huge percentage of breaches occurs due to user activity (see chart), where half are caused by insiders or just plain errors, not because of any particular infection. These errors include unintended data leakage because of poor password choices, or bad online habits (such as connecting to rogue public hotspots), and other activities such as accessing cloud-based data from personal devices that could potentially leak data to unauthorized endpoints. This doesn’t surprise many savvy security managers who have had to deal with these incidents over time. Aiding and abetting this situation is the fact that the web browser has become the defacto universal user applications interface, even for other things besides web servers. It is the mechanism of choice for modern software and services. Look at the growth of web-based email services: a decade ago they were a novelty. Now they are the norm. Even printers and DSL modems now come with web control panels. THE WEB BROWSER But because of this ubiquity, it puts a burden on browsers to handle security more carefully. However, many of the early browsers weren’t up for the task. These early tools didn’t have to support the vast array of content types that they serve up today. And they also didn’t have to contend with the numerous exploits that are now at large and in the wild. Still, some IT managers have tried to fight off browser-based infections with a variety of security counter-measures. Fortunately for them, modern browsers have gotten noticeably more secure and better at warning end users as they are about to inflict harm to their computers. But in the hacking arms race, often this isn’t enough. No matter which web browser you use, even if you turn up your security settings to the highest possible choices you won’t be adequately protected. As a recent test of browsers defending against socially engineered malware from NSS Labs showed, (see chart) no browser is perfect. Microsoft’s Internet Explorer was able to block 99.9% of malware samples used, but the other browsers scored much lower in being able to block malware – in some cases, less than a third of the samples were blocked. That is a pretty sad state of affairs. One cause is how browsers and web servers are designed: the browser dutifully downloads and executes its HTML code from a wide variety of servers, without any regard for what this content could be. Why a Virtual Browser is Important For Your Enterprise David Strom @dstrom, strominator.com (From the Verizon Data Breach Incident Report 2015, frequency of incidents collected.) NSS Labs Browser Security Comparative Analysis, 2016: average block rate for socially engineered malware by browser. MISCELLANEOUS ERRORS CRIMEWARE INSIDER MISUSE PHYSICAL THEFT/LOSS WEB APP ATTACKS DENIAL OF SERVICE CYBER-ESPIONAGE POS INTRUSIONS PAYMENT CARD SKIMMERS 29.4% 25.1% 20.6% 15.3% 4.1% 3.9% 0.8% 0.7% 0.1% INTERNET EXPLORER LIEBAO BROWSER CHROME SOGOU EXPLORER OPERA 360 SAFE BROWSER FIREFOX SAFARI 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% 99.9% 85.1% 70.7% 60.1% 28.8% 6.3% 4.2% 4.1%
  • 3. But even turning up the security settings isn’t really a solution. If you do this, your users will be enormously frustrated. This is because turning up these security settings will prevent your users from conducting business on numerous websites: either blocking pop-ups that are needed to navigate a poorly-designed site, stopping forms from collecting important information, or making your browsing session miserable in some other fashion. This makes it hard for enterprises to secure access to their users’ personal websites. This gets us to our first issue: A browser needs more sophisticated and granular security controls that work with a variety of network and cloud-based services and websites. At first glance the number of security settings is a mind-numbing long list of options, but it is difficult to impossible for even the most highly organized IT manager to manage them without a lot of additional software. As we mentioned earlier, the spread of web-based application interfaces means that employers also need to be able to regulate access to various SaaS-based apps, especially more sensitive ones that involve personnel, customer information, and company confidential data. Having secure sign-ons and more secure methods of conducting web-based transactions is also needed. Third, the browser is not a monolithic piece of software. It relies on a constellation of plug-ins, add-ons, and helper objects to render complex web pages correctly and stream content, play animations, and perform other advanced features. Keeping this collection of add-ons working securely is no easy task, because each add-on increases the attack surface and vulnerabilities available to attackers. Finally, the web browser is deeply integrated into most desktop operating systems. There is a reason why Internet Explorer and Windows Explorer look and feel the same: it is because browsing a website and your own local hard drive uses the same code base. Separating the web from the rest of your network resources isn’t easy. Good cases in point are the numerous ransomware attacks that leverage the native browser interfaces to encrypt local and network-attached files. ENTER THE VIRTUAL BROWSER WHAT FEATURES A VIRTUAL BROWSER SHOULD OFFER THE ISSUES WITH WEB BROWSER SOFTWARE The challenge is to balance the security needs of the organization between the personal needs and accessibility demanded by each user. A browser can be so secure that it isn’t useful, and block so much content that it will quickly be abandoned by users in search of some other way to connect to their websites of interest. This balance of security and usability means that more granular control over the security options is needed so that enterprises can deliver the most appropriate level of browser security and functionality to their end users. This situation is why a new class of virtual or security-aware browsers has been invented. The idea is to create a virtual browser that offers some kind of sandboxing protection to keep malware and infections from spreading across the endpoint computer. This means any web content can’t easily reach the actual endpoint device that is being used to surf the web, so even if it is infected it can be more readily contained. While client-side sandboxing has been around for more than a decade, the real innovation here has been the ability to minimize impact on local resources by taking advantage of the cloud to make the whole process as seamless as possible. The ideal virtual browser should offer the following features: Isolate and prevent all user data from persisting on a borrowed or public PC after a browsing session is concluded. Like the mobile management tools, it should clean up after use to protect data leakage. Ideally, a virtual browser should be able to keep all browsing information protected on a separate and secure network. Enforce corporate acceptable use policies to allow/block specific content categories and website URLs. Enforcing security policies across a collection of browsers isn’t an easy matter: most standard browsers have individual policy settings that can be circumvented by a knowledgeable user. The best virtual browsers approach this by having a centrally managed collection of policies that can be applied like firewall rule sets across the entire user population. 3Why a Virtual Browser is Important For Your Enterprise David Strom @dstrom, strominator.com
  • 4. Prevent file downloads/uploads and cut/paste operations so that files and other data can’t transit a browser session into the other parts of an endpoint. This could be part of the security policy settings above. For example, you could set your policy so that file uploads are disabled and file downloads are enabled. This is to prevent accidental file exfiltration, but does allow users to download reports and other items they may need to get work done on their desktops. You could set a companion policy for cut/paste to the clipboard to correspond to these settings. These policies are similar to what has already been done with mobile management products that try to isolate browsing sessions from the rest of the smartphone operating system and app collection. Log sessions to aid in remediation or reconstruction in case of any attacks or data destruction. Again, this is similar to numerous other security products that track network activity. And ideally these logs should be encrypted with a customer-supplied key to secure this information even further. Offer single sign-on features to allow users to share credentials for a collection of SaaS-based services. This makes it easier for a user to open their browser and be ready to work by having their logins to various sites pre-loaded. Better authentication should be available for these credentials too. The best virtual browsers should have the ability to add multi-factor authentication (MFA) for better security to access the overall browsing session and for logins to specific apps. Support plug-ins and other browser extensions to make common content accessible and have functional parity with standard Chrome/Firefox browsers. Provide anonymous surfing: the virtual browser can be configured to provide an IP address that is outside your corporate domain, along with adjusting other browser user agent characteristics. HOW SILO WORKS Authentic8’s Silo is one of the virtual, cloud-based browser products available. It is a separate executable for Windows, Mac iOS and Ubuntu that installs its own application. When you run this app, it first connects across the Internet to a Linux virtual container that sits in various datacenters around the world. This Linux-based container is currently running Firefox v44 core with some additions to make it more secure. Silo updates its browser OS as Firefox releases its own updates, of course. Network Speed Silo has a couple of advantages: first, your apparent connection speed is much greater than what you typically will have, since Silo makes its connection to destination websites from where its containers are located at Internet peering points. You can set geographical connections to the fastest location to further optimize performance so that the path is streamlined even further. This takes advantage of the faster connections from these locations, which increases the apparent browsing speed on your local desktop. In our test Silo was about 100 times faster compared to our standard DSL connection (see screenshot) the top half shows the speeds from our local desktop, compared to the bottom much faster speeds from using Silo). LOCAL NETWORK SILO 4Why a Virtual Browser is Important For Your Enterprise Silo runs on a faster machine, on a faster network. David Strom @dstrom, strominator.com
  • 5. Endpoint Protection Authentication User Control Third, to begin browsing with Silo, you need to authenticate yourself and login to your Silo account. This is because Silo stores personal information (if the user or the IT administrator so desires) about the browsing session such as cookies, bookmarks and authentication credentials to SaaS-based sites. If users don’t want any of this data stored, they don’t have to authenticate themselves. Authentication can happen either by entering a PIN (see screenshot) or through integration with some other enterprise identity management solution. Authenticating to the browser can be an issue for some end users, and we’ll get to that under some of the drawbacks. An IT administrator sets up various protection policies to each account, assigning particular roles and granular rules for each class of user. This includes having multi factor authentication rules and a single sign-on portal for frequently used apps. It also protects all the information transmitted during that browsing session, since everything is encrypted from your endpoint to the Authentic8 data center. And having separate logins means IT can easily and quickly revoke access for one user without impacting the logins for others. Users also have access to information about their logins (see screenshot). Second, any content delivered to the Silo-based virtual container doesn’t enter your own endpoint. All web-collected content (HTML flash, Javascript, and so on) stays inside the virtual instance and outside the reach of the endpoint. Indeed, each virtual browsing session is destroyed when a user logs out. Silo’s policy settings can enable or prohibit uploads, downloads, or both. More than a dozen different policy settings can be applied across your entire browsing population (see screenshot). 5Why a Virtual Browser is Important For Your Enterprise Admin-defined policy capabilities. Dynamic PIN-based authentication. User-available settings. David Strom @dstrom, strominator.com
  • 6. Finally, Silo also has a very flexible file storage feature (see screenshot). You have several choices, depending on what level of security and functionality you require: Silo has some nice collaboration features that are built-in. It has the beginnings of a single sign-on portal that your workgroup can use to bring up a series of web sites and automatically log in to them at the start of each browsing session. This means you can setup a shared corporate Twitter account for example, or set up other shared accounts, making them more secure since they can only be accessed from within the Silo session and under IT control. With all of these options, administrators can obtain log data of file and account usage. And files can be stored on an encrypted file system that is only available to a user from within the Silo browser. You can direct any files to a temporary cache that gets erased after you logout of your browsing session. This allows you to manipulate files without having to touch the endpoint device itself. You can share files among a team that remain in a protected workspace, and manage how much pooled storage is allocated per user too. This can help integrate the storage with each individual’s secure browser. You can freely download and upload files from your endpoint, provided the policies allow it. THE DISPOSABLE BROWSER HOW TO COLLABORATE SECURELY Taken together, these features create what we could call a disposable or stateless browser. This means that with Silo you can start a browsing session, connect to various websites and other online resources, get your work done, and then log out, without leaving any evidence or cookies or other digital traces of where you have been and what you have done. Set up in this fashion, no code ever reaches your endpoint device. How often have you been on the road and needed additional security to prevent these footprints from being created on a borrowed or shared PC? That is where this kind of browser comes in handy. You bring up the software and don’t have a lot of work to get online, knowing that you have the maximum protection possible for your surfing. This also provides other benefits for cybersecurity researchers who wish to use the anonymity of their connection but still be able to analyze browsing content. Authentic8 has data centers located at numerous sites around the globe, and administrators can set up to use a specific one as the default endpoint. For example, a user in New York City may launch a new browser instance from the data center located in Sao Paolo, Brazil. This connection would not only have the externally facing IP address appropriate to Brazil, but the browser itself would present language and time zone characteristics of someone typically originating from Brazil. In addition, Silo users can change the language of the browser’s keyboard while keeping the desktop keyboard language intact. This makes it easier for temporary users to customize their browsing session without having to change the rest of the desktop environment. Finally, the session can carry the user agent identifier of Windows and Chrome as a host operating system/browser combination, or other combinations from the bottom toolbar (see screenshot). Why a Virtual Browser is Important For Your Enterprise 6 Integrated, encrypted file storage. Changing Silo fingerprint characteristics. David Strom @dstrom, strominator.com
  • 7. Why a Virtual Browser is Important For Your Enterprise Like most such portals, IT managers can setup and revoke access to all of these applications with just a few mouse clicks. (see screenshot) 7 DOWNSIDES OF THE VIRTUAL BROWSER: WHAT DOESN’T WORK IN CONCLUSION As we mentioned earlier about the secure file storage features, Silo can also set up a pooled shared storage volume so members of the workgroup can share files securely. Included in the software are a number of file viewers so that end users can see, over an encrypted session, common documents such as Microsoft Office, PDFs, text files, MP3s and MP4s without having to leave the protected browsing environment. Taken together, these features make sharing work product amongst a team more productive. No piece of software is perfect, and even Silo won’t stop every future piece of malware under every circumstance. If you enable file downloads, a rogue PDF file could slip through your defenses. But still, it has the necessary controls in place to provide a solid array of protection features. As we mentioned earlier Silo requires some kind of authentication to enable its protective features. Many users aren’t accustomed to doing this in order to run a browsing session, or take some time to get used to dealing with activity timeouts (if this is specified in the policy section) requiring re-authentication to continue their session. There are ways around this, but it is still a step users might not be accustomed to. Silo isn’t as faithful as it could be in terms of displaying web content. If you look at the test site html5test.com, you can see the more than one hundred different activities that it uses to grade each browser. A standard Windows Firefox v45 scores 459 out of a possible 555 points, so even an ordinary browser with default settings doesn’t display everything. Silo scores 451 points, just slightly lower. (The Chrome browsers do better at HTML5 compatibility tests than those based on Firefox like Silo.) Also, Silverlight-based sites (such as Netflix) aren’t supported, because there is no Linux version of this plug-in available. All in all, Silo represents a solid alternative for protecting your endpoints and having the most secure browsing experience that offers a nice balance between IT control for its enterprise security and allowing users the functionality to access their personal web content. While the notion of logging into a browsing session adds an extra step, the additional security functions available and speeds gained in web access are worth the tradeoff. About the Author David Strom (@dstrom, strominator.com) is one of the leading experts on network and Internet technologies and has written and spoken extensively on topics such as VOIP, convergence, email, cloud computing, network security, Internet applications, wireless and web services for more than 25 years. He has had several editorial management positions for both print and online properties in the enthusiast, gaming, IT, network, channel, and electronics industries, including the editor-in-chief of Network Computing print, DigitalLanding.com, and Tom’s Hardware.com. He began his career working in varying roles in end-user computing in the IT industry. He has a Masters of Science, Operations Research degree from Stanford University, and a BS from Union College. About Authentic8 Founded in 2010 by principals from Postini, Authentic8 is redefining how the browser is used to access web data. They address a real problem, have a novel approach, and thrive on delighting customers. Their thesis is simple. As business apps move to the cloud, the browser is more important than ever. Yet it's an unmanageable resource, especially as users login from anywhere and any device. Authentic8 thinks its a problem worth solving, but it requires a radical shift in thinking. Its flagship product, Silo, is a cloud-based secure virtual browser. Silo creates a perfect insulation layer between the user and the web, keeping all web code isolated in a contained environment but delivering an encrypted display of the browser session. Contact Authentic8 info@authentic8.com or call 877.659.6535 Try Silo for free at WWW.GETSILO.COM A typical Silo portal page. David Strom @dstrom, strominator.com