The Rise of the Business Browser and the Future of Secure Browsing

If you haven’t heard of the corporate browser category, you might want to check your heart rate. These newcomers to cybersecurity have recently caught fire in the media and among investors, cementing their idea of ​​the “secure business browser” (SEB) on the radars of CISOs eager to strengthen what little remains of their organization’s security perimeters.

Earlier this year, Island, maker of the Enterprise browserbecame one of the fastest companies ever to achieve Unicorn status after securing $115 million in venture capital just weeks after coming out of stealth (valued at $1.3 billion). In the meantime, Talon Cyber ​​Securitymakers of the TalonWork browser, announced the closure of a $100 million series A just earlier last month (they didn’t disclose their rating). Both are significant sums, especially for two young startups operating in a brand new category. At the same time, these high profile investments are not entirely surprising, given the magnitude and severity of the challenges facing CISOs in the new world of hybrid work.

Hybrid work, browserization provide fertile ground for SEBs

The emergence of hybrid workcombined with the spread of enterprise SaaS applications, has fundamentally reshaped both the way we work and the IT architectures that enable that work. Under this new paradigm, web browsing has become the fundamental entry point through which the average employee performs nearly all of their day-to-day responsibilities – from checking email and creating spreadsheets to sharing files and managing development processes.

While this growing trend of “browserization” has certainly been a boon to workplace productivity, it has also caused enterprise security teams to scramble to fortify their defenses amid a flood of untrusted, unmanageable web connections. According to an recent report of Menlo Security, nearly two-thirds of organizations have hacked a device through a browser-based attack in the past 12 months. And there is no indication that this trend will slow down anytime soon.

In March of this year, Google published a blog post confirms a dramatic increase in very serious threats to Chrome and other Chromium-based browsers (i.e. Microsoft Edge, Brave), and warned that this trend is likely to continue for the foreseeable future. While they point to a number of factors that contribute to explaining the recent proliferation of Chromium-based exploits, including increased vendor transparency, they also rightly point to the fact that browsers (and Chromium-based browsers in particular) are becoming increasingly attractive. become targets for malicious actors, thanks to both their increasing ubiquity and complexity.

“Browsers are increasingly reflecting the complexity of operating systems — providing access to your peripherals, file system, 3D rendering, GPUs — and more complexity means more bugs,” the author writes.

As web browsers increasingly resemble operating systems in both form and function, attackers are stepping up their efforts to subvert them in increasingly sophisticated ways. Unsurprisingly, these conditions have been fertile ground for cybersecurity startups of all kinds. Venture capital funding for cybersec startups rose to nearly $30 billion in 2021 — more than double the amount invested just a year earlier, providing important context to the headlines secured by this new cohort of SEBs.

Minimizing friction, maximizing flexibility becomes mission critical in secure browsing space

Given the recent emergence of web browsing as the modern worker’s primary gateway to work, it has become critical for security solutions that aim to minimize end-user friction as much as humanly possible.

For players in the secure corporate browser space, this has translated into the near-universal embrace of Google’s open-source Chromium project — the codebase on which Google’s Chrome and Microsoft’s Edge browsers are based. With a combined market share of more than 67%Chrome and Edge are the closest to market dominance that you can reasonably expect for the tricky browser space, making SEBs’ decision to build their solutions on Chromium a wise one.

Going with Chromium allows SEBs to minimize friction for as many end users as possible – allowing Chrome and Edge users to import preferences, plugins, and other bits of personalization to minimize friction at the point of adoption. Given the fierceness with which most corporate employees defend their favorite workplace tools, this will be an important distinction for SEBs in the future.

While the SEB category decision makers have certainly improved their chances of adoption from regular users by building on Chromium, they will still need employees to embrace a new browser; and administrators to accept the installation and management of yet another endpoint agent.

What’s next? Going beyond the browser…

While the SEB is a welcome improvement over the current status quo of secure web gateways and remote browser isolation, one cannot help but notice some inherent limitations of the underlying principles. And as web browsing continues to play an increasingly central role in the workplace, rest assured that the wave of secure browsing doesn’t stop at SEBs.

The first and foremost thing that next-generation solutions need to address is the widening gap between web browsers and web browsing. The English language hasn’t helped anyone in this area, but the bottom line: Not all web browsing actually happens in web browsers, and by a significant margin.

As of 2019, the average enterprise SaaS portfolio grown by 44.2% year after year. While many of the most widely used enterprise SaaS applications, such as Slack, Outlook, and Dropbox, can can be accessed via the browser, that does not necessarily mean that they are. Many users still opt for the native desktop versions of these applications for reasons ranging from superior user interfaces and extended functionality to plain old habit.

Whatever the rationale, once a user clicks on a link or opens a remote file in one of these applications, they have effectively taken web browsing beyond the scope of the web browser itself. This often-overlooked segment of the browsing attack surface continues to be a concern not only for SEBs, but for virtually all current secure browsing solutions.

For now, policies that mandate the use of web applications within the secure browser environment (as opposed to desktop versions of said applications) can serve as a convenient stopover. But you can’t help but feel that there is still a need for a more comprehensive solution to this particular problem, especially given friction’s infamous tendency to inspire non-compliance and shadow IT.

If we hope the whole browse attack surface, move on, the next generation of secure browsing solutions must find an effective, low-friction way to secure this growing segment of the browse attack surface.

Reframing the secure browsing experience

In a world where web browsing plays such a fundamental role in employees’ work lives, the next generation of secure browsing solutions should make a hassle-free user experience a top priority. In a recent survey35% of respondents said they already need to get around their company’s security policies, just to get their job done. In such a landscape, enforcing new tools or imposing barriers is a risky proposition, especially when those tools are as fundamental to employees’ day-to-day responsibilities as the web browser.

Forward-thinking secure browsing solutions in hopes of widespread adoption should move toward an agentless, agnostic architecture—an architecture capable of securing the entire web browser, regardless of browser, application, or device; and do so without unnecessarily disrupting the end-user experience. And in the age of app sprawl and overwhelmed IT departments, easy implementation and management on the admin side will be a key value proposition for next-generation solutions looking to claim this nascent category.

A crucial first step in the battle for secure browsing

The dawn of the enterprise browser is a crucial first step in the right direction for a cybersec field that is in turmoil with the new world of working from anywhere. While efforts have been made in the past to create a secure browser, it seems now is the right place and the right time to finally get the concept off the ground — and not a moment too soon.

But if history has taught us anything, it’s that forced adoption of… each technology in the workplace is no mean feat. The very best security tools, which stand the test of time, inevitably work behind the scenes, protecting users without them even being aware of their presence. While the secure enterprise browser is certainly a welcome development in today’s rapidly evolving threat landscape, we’re sure to see a lot more innovation in the months and years to come.

Dor Zvi is co-founder and CEO of Red entrance.