Web Browsers: Your Greatest Strength and Weakness

by Aaron Delp

March 11, 2020 | min

It’s 3:00 am and your Incident Response system has sent out an alert… again. Endpoint Protection on a user’s device has triggered an alarm and the investigation begins. Someone clicked a link in their browser and the clock is ticking to contain potential data leakage outside the organization or another round of ransomware is knocking at the door trying to find a way in.

This is an increasingly common scenario for today’s site reliability engineers (SREs). How we got here is actually a few trends in the data center all coming together to make the browser both the hero and the villain in today’s workplace. The browser is the gateway into both our personal and corporate data. We are moving away from a “fat client” world of applications installed on every workstation and device and into a world where the browser is the universal “thin client.” Instead of managing multiple applications (and dependencies), only one correctly configured and updated browser is required. But, this browser is still software that requires care and feeding and is now a central point of attack. Lastly, users continue to be the most vulnerable and unpredictable aspect of any organization. From social engineering to the escalation in phishing schemes, the majority of attacks seem to find a way to exploit one person who clicks on something in a browser. While the primary entry point may sound simple, the results can be catastrophic.

The browser has become the balance point between endpoint protection and client usability. The browser must be secured and updated in a way that doesn’t impact end users. By implementing secure browser technologies on Nutanix Xi Frame, organizations can isolate this most vulnerable entry point and seamlessly maintain and upgrade it without impacting the end user in any way. Security no longer has to be a trade off to usability.

Now that we have shown the importance of the browser in any modern IT infrastructure, let’s talk about four crucial factors to achieving a secure, performant user experience:

  • Enablement: How do we deliver a secure, compatible browser to end users?
  • Isolation: How can we isolate the browser to reduce the blast radius from an incident?
  • Regionalization: How can we ensure geographic quality of service and anonymity when needed?
  • Transparent Security: How can we make this experience seamless to end users?

Enablement: Finally deliver a compatible browser

Web applications come in many shapes and sizes, each with their own unique set of dependencies that have developed over time. Many organizations are faced with deployment of multiple browsers or versions of browsers to ensure compatibility with mission-critical applications. In some cases, users need to access Internet Explorer from non-Windows devices. Today, solving this problem is difficult at best. Many companies are left without a solution to enable mobile workers to work from any device, at any time, from anywhere to access critical applications. Additionally, the added burden of managing the configuration, plugins, and security of multiple browsers across all endpoints is daunting.

With Nutanix Xi Frame, SREs can centrally manage the configuration of corporate web browsers and provide access to applications through a browser to end user devices. Enterprise IT can create a common configuration and focus on delivery of this single common configuration vs. the overhead of multiple configurations. When a change is required, all users can be updated at the same time.. No more manual updates or configuration of laptops or other end point devices.

Isolation: Reduce the blast radius

The approach to security has changed dramatically in recent years. Gone are the days of protecting the perimeter with a walled approach to keep intruders at bay. As we move to a world of delivery of many applications as a service, old strategies are no longer effective. It is no longer a question of if intruders will get through, but when they will get through and how much access they will have once inside. We need to control the blast radius.

When a browser is compromised, attackers potentially gain access to all the data stored or connected to the endpoint device. With Xi Frame, the web browser is an isolated, stateless, dedicated cloud instance and all changes will be eradicated when the session is finished and the applications are closed. This approach to the solution significantly reduces risk of data exposure by the web browser. 

Xi Frame also greatly reduces the management burden by centralizing the browser to a single configuration. This centralized management approach ensures compliance and security and reduces Enterprise IT hours spent dealing with multiple browsers, in multiple configurations, on multiple platforms. Xi Frame can help any institution deliver a secure browser that integrates with corporate IT auditing and monitoring policies, without the need for complicated VPN software. While users browse the internet or corporate resources, IT security personnel have the peace of mind knowing that local cookie attacks and privacy concerns are mitigated, since all data resides within their controlled cloud perimeter.

Regionalization: Deliver performance and anonymous browsing

Many companies today operate worldwide. Because of this fact, many companies need to deliver regionalization of their applications. When delivering a regionalized browser, three key aspects must be considered: performance, data sovereignty, and misattribution. Xi Frame deployed in a public cloud is able to address all three.

Performance is a key consideration for a satisfied user. Latency and lag time are the kiss of death when a worldwide deployment is needed. By hosting in public clouds geographically dispersed, users gain the most performant experience possible.

Increasingly, compliance and Data Sovereignty issues will be a critical consideration in the protection of corporate assets and intellectual property. Xi Frame allows the deployment of cloud workloads within your account, in the regions you select, to adhere to data sovereignty requirements. 

Misattribution and anonymity in a digital world is a continual challenge. Historically, a complex set of proxy infrastructures was needed to solve this problem. Xi Frame removes this need by enabling users to run applications, including browsers in a dedicated, virtual instance in a public cloud provider of your choosing. By deploying this solution across regions, an added layer of obfuscation is achieved to further protect the privacy and security of the end user.

Transparent Security: Security and compliance without the complexity

IT security policies are more likely to break down as the complexity exposed to the user is increased. The more complicated the environment, the greater likelihood the end user will find a work around and attempt to bypass good intentioned IT security policies. When security is invisible for the end user, institutions are able to reduce staffing and resourcing costs across the board. Additionally, with the passing of data compliance laws such as GDPR, CCPA and the constant threat of ransomware the stakes to stay compliant have risen dramatically.

Nutanix Xi Frame enables organizations to deliver secure browsing at the click of a link without the complexity or overhead of corporate VPNs. Application sessions are delivered without the need for local installations, plugins, or dependency libraries. As a result, organizations can easily deliver a highly secure solution tailored to the needs of the business while staying streamlined and transparent to the end user experience.

Interested? Get started in minutes

If delivering a frictionless, secure, compliant browsing experience is of interest to you, I encourage you to take a Frame Test Drive today. Every Xi Frame account comes pre configured with Google Chrome to enable the deployment of a secure browsing environment in minutes. In no time, you can architect a global secure browsing solution for your organization.

© 2020 Nutanix, Inc. All rights reserved. Nutanix, the Nutanix logo and all Nutanix product, feature and service names mentioned herein are registered trademarks or trademarks of Nutanix, Inc. in the United States and other countries. All other brand names mentioned herein are for identification purposes only and may be the trademarks of their respective holder(s). This post may contain links to external websites that are not part of Nutanix does not control these sites and disclaims all responsibility for the content or accuracy of any external site. Our decision to link to an external site should not be considered an endorsement of any content on such a site.