This column is available in a weekly newsletter called IT Best Practices. Click here to subscribe.
The browser has become the most important application people use, whether for accessing business applications or leisure purposes. 451 Research says three out of every four applications will be delivered via the cloud by 2017, and of course the browser is the front end to all those apps.
Unfortunately, today's browsers are inherently insecure. If you do a search on the term "browser" in the National Vulnerability Database hosted by the National Institute of Standards and Technology (NIST), you're likely to turn up about 700 reported vulnerabilities, many of which are high criticality. The list covers a range of browsers for PCs, Macs and mobile devices. The summaries of the vulnerabilities include scary phrases like, "allows remote attackers to inject arbitrary HTML code," and "allows remote attackers to spoof URLs via a crafted document," and so much more. Simply using a browser to access a website or hosted application can open a gaping hole through which attacks can gain a network foothold.
But the security problem goes deeper than browsers being vulnerable to exploits. We humans are at fault, too. We do careless things, like clicking on an unfamiliar link in an email, opening an unsolicited attachment, or visiting web pages that have been surreptitiously compromised. Our actions inadvertently lead to credentials being stolen, malware being planted and networks being hacked.
The methods used today to fix the vulnerabilities, stop the exploits and educate end users are insufficient. Too many breaches that start with the browser continue to happen. The fact is, the typical browser is outside of any sort of policy control that IT implements.
To tackle these problems Authentic8 developed Silo, which essentially runs the browser in the cloud instead of on the endpoint. The system allows the browser to run in a secure container environment in a remote location. This virtual browser isolates users from web-borne exploits and protects sensitive data by enforcing policies that control what people can and cannot do with their browser.
To get started, the user installs a client app that is said to be similar to a Webex app in that it's small and simply displays the remote information. This app establishes a secure point-to-point SSL connection to the Silo cloud application and renders the benign image data from the remote session, but no Web code (e.g., HTML, cookies, files, etc.) is downloaded or run locally.
When a user launches Silo Authentic8 builds a one-time-use browser in a secure container in the cloud. That browser is built fresh from a clean image at the start of each session and all Web code executes in the container, not on the endpoint, so it is Authetic8’s surface area that gets exposed to exploits, threats and attacks—not the end user's environment.
To the user it looks and feels just like a normal browser session, including full rendering of all content, web elements, audio and video, and yes, even the ads. However, all the code is executed in the cloud with only a remote rendering of that information on the client device. Authentic8 calls this an insulation layer between the Web and the client. When the user is done with his session, Authentic8 destroys the virtual machine and there is no "residue" from the session left behind.
The ability to create that insulation layer between the web service and the client device is necessary but not sufficient. Authentic8 has added a set of policy controls that allows an administrator to define policies around what a user can and cannot do in the browser. These policies can add things like content filtering, forced implementation of multifactor access control, single sign-on, and DLP polices that control data upload/download, copy/paste and printing. All of these policies are managed from a central console and the administrator gets a full audit log of how people are using the applications. This helps the organization deal with regulatory compliance requirements in addition to providing additional security.
According to Authentic8, two of the top use cases for this solution are to control personal use of the browser at work, and to strictly control specific business applications. In the first scenario, Silo can be configured as a throwaway browser for people to get to personal websites and applications such as their online banking, personal email or social media. This is well suited to organizations in a regulated environment that still want to allow employees to do a little personal business while at work.
In the second scenario, there might be a team that needs access to business applications like general ledger, sales force automation, or HR on-boarding/off-boarding. Silo can manage the single sign-on for these employees to get access to their specific applications. They can be authenticated with multifactor authentication, and when they login there can be particular data policy controls. For instance, users can be restricted to downloading data from the application only to authorized work devices. Employees wouldn't have access to these applications from their personal mobile or home device. What's more, the users wouldn't even know their credentials to login from any other location or device because Silo's single sign-on manages the credentials on the users' behalf.
Accessing websites and applications via untrusted browsers is a risky activity these days. Authentic8 is designed to eliminate the risk and bring a measure of enterprise control back to the most important application that people use today—the browser.