Browser isolation technologies are gaining popularity as a way to lock down companies' business processes, as workers — especially remote workers — spend more time working on cloud applications through their browsers.

The security technology typically consists of using a security-enhanced browser locally or connecting to a remote virtual machine running a proprietary browser. In the past, companies used browser isolation very selectively, but the rise of remote work and the move to cloud infrastructure has made the browser the focus of many employees' workdays. The average worker spends three-quarters of the workday in the browser or in virtual meetings, according to a 2020 Forrester report sponsored by Google.

With more remote employees now working increasingly in the cloud, browser isolation has to protect corporate cloud services as well as the worker's device, says Amit Jain, senior director of product management at Zscaler, a cloud-based security company.

"For modern enterprises, the Internet is now the corporate network," he says. "This shift has enabled workers to work from anywhere, while being able to access the information they need for their jobs through cloud-based apps and private apps via the Web. [But] while this has provided maximum flexibility to workers, it has also significantly expanded the attack surface and has the potential to expose data."

The evolving threat landscape and the growth in remote work has convinced many companies to consider putting up additional defenses, such as browser isolation to protect their users, devices, and services.

Estimates of the security measure's popularity vary greatly, however, with a much-touted 2018 Gartner report estimating that about a quarter of companies would use browser isolation for some employees by 2022. A more recent survey of companies by a marketing and market research firm estimated that more than half of all companies (51%) have already deployed some form of Internet or browser isolation in 2023, up from 47% in 2020.

While business intelligence firm Forrester Research did not have numbers to share, the consultancy did say that more than half of users in its own survey are "doing all their work in the browser," says Paddy Harrington, a senior analyst for security and risk at Forrester.

"So businesses have to start recognizing that we've got to protect the browser, and I think that's what is sparking the rise of the enterprise browsers," he says. "We have to have more levels of defense, just because the attackers every year find new and inventive ways to hack stuff, and so their targets and techniques continue to shift."

Zero Trust Means Isolating Browsers

Companies have put an emphasis on adopting zero-trust architectures, and often, when adopted as a multipronged cloud service, browser isolation is built right in. With other vendors, browser isolation is part of an endpoint detection and response package. The former usually includes some form of cloud-based isolation, where a browser will run in a virtual machine in its own virtual machine or containers, while the latter includes local isolation, where a customer browser or browser extension will monitor content on a local device.

Both approaches have their advantages and disadvantages, Harrington says.

"Both of those different approaches are starting to gain traction, and a lot of the endpoint protection solutions are starting to add it into their network defense so that, as website traffic comes in, the security will crack it open and pick out any malicious code or phishing links before it even shows up in the browser," he says.

Whether the isolated browser runs remotely or locally is the first major decision that companies have to make. Remote browsers are managed by service providers, so they do not impact the local device on which workers access the Internet. However, when employees have to use both remote and local resources, the workflow is made more complicated, says Mark Guntrip, senior director of cybersecurity strategy at Menlo Security.

"You get the power of scale with the cloud, and we can really hold threats away from the end user, as well as all of the customization that we do in the background," he says. "We don't need to worry about what endpoint you are on — if you're on a mobile device or anything else — we know it's just going to work."

To Isolate or Not

While larger firms in regulated industries have gravitated toward remote browser isolation for its ease of deployment and the actual physical air gap, small and midsize firms tend toward local browser isolation technology for its flexibility.

Remote or local? Standalone or integrated? Vendors are quite opinionated, of course.

"The technology should be fully integrated into the zero-trust platform providing threat protection for all Web activity and preventing data loss from sanctioned SaaS and corporate private apps," says Jain of Zscaler, which uses a cloud-based approach. "Moreover, HTML smuggling [and other] attacks can be better thwarted by an architecture that involves tighter combination of browser isolation and sandbox technologies."

Perhaps the most important consideration, however, is a platform that minimizes its impact on workers, says Menlo Security's Guntrip.

"It's not the fact of what we do — it's the fact that we do it without interfering with that digital experience of the end user," he says. "So they can interact with whatever they want. They can click on whatever they want, but we hold anything that's active away from them."