If you haven’t heard of the enterprise browser category by now, you might want to check your pulse. These newcomers to the cybersecurity space have recently caught fire in the media and with investors, cementing their notion of the “secure enterprise browser” (SEB) on the radars of CISOs eager to bolster what little is left of their organizations’ security perimeters.
Earlier this year, Island, creator of the Enterprise Browser, became one of the fastest companies ever to reach unicorn status after securing $115 million in venture capital just weeks after emerging from stealth (at a valuation of $1.3 billion). Meanwhile, Talon Cyber Security, creators of the TalonWork browser, announced the closure of a $100 million Series A earlier last month (they did not disclose their valuation). Both are considerable sums, especially for two young startups operating in a brand-new category. At the same time, these headline-grabbing investments aren’t entirely surprising, given the scope and severity of the challenges faced by CISOs in the new world of hybrid work.
Hybrid work, browserization provide fertile soil for SEBs
The rise of hybrid work, combined with the proliferation of enterprise SaaS applications, has fundamentally reshaped both the way we work and the IT architectures enabling that work. Under this new paradigm, web browsing has become the foundational access point through which the average employee performs nearly all of their day-to-day responsibilities — from checking email and making spreadsheets to sharing files and managing development processes.
While this growing trend of “browserization” has certainly been a boon for workplace productivity, it’s also left enterprise security teams scrambling to shore up their defenses amidst a flood of untrusted, unmanageable web connections. According to a recent report from Menlo Security, nearly two-thirds of organizations have had a device compromised by a browser-based attack in just the past 12 months. And there’s no indication that this trend will be slowing anytime soon.
In March of this year, Google published a blog post confirming a dramatic rise in high-severity threats affecting Chrome and other Chromium-based browsers (such as Microsoft Edge and Brave), and warned that this trend will likely continue for the foreseeable future. While they point to a number of contributing factors to explain the recent rise in Chromium-based exploits — including increased vendor transparency — they also rightfully point to the fact that browsers (and Chromium-based browsers in particular) are becoming increasingly attractive targets for malicious actors, thanks to both their increasing ubiquity and complexity.
“Browsers increasingly mirror the complexity of operating systems — providing access to your peripherals, filesystem, 3D rendering, GPUs — and more complexity means more bugs,” the author writes.
With web browsers increasingly resembling operating systems in both form and function, malicious actors are ramping up their efforts to undermine them in increasingly sophisticated ways. Unsurprisingly, these conditions have been fertile soil for cybersecurity startups of every stripe. Venture capital funding for cybersec startups leaped to nearly $30 billion in 2021 — more than double the amount invested just one year prior, lending some important context to the headline-grabbing sums secured by this new cohort of SEBs.
Minimizing friction, maximizing flexibility become mission-critical in secure browsing space
Given web browsing’s recent emergence as the modern employee’s primary gateway to work, it has become mission-critical for security solutions targeting the space to minimize friction for the end-user as much as humanly possible.
For players in the secure enterprise browser space, that has translated to the near-universal embrace of Google’s open-source Chromium project — the codebase on which Google’s Chrome and Microsoft’s Edge browsers are based. With a combined market share of more than 67%, Chrome and Edge represent the closest thing to market dominance one can reasonably expect for the fractious browser space, making SEBs’ decision to build their solutions on Chromium a wise one.
Going with Chromium allows SEBs to minimize friction as much as possible for as many end-users as possible — allowing Chrome and Edge users to import preferences, plug-ins, and other bits of personalization to minimize friction at the point of adoption. Considering the fierceness with which most enterprise employees defend their preferred workplace tools, this will be an important distinction for SEBs moving forward.
However, while the SEB category’s decision-makers have certainly improved their odds of gaining acceptance from rank-and-file users by building on Chromium, they’ll still need employees to embrace a new browser, and admins to accept the installation and management of yet another endpoint agent.
What’s next? Going beyond the browser…
While the SEB is a welcome improvement to today’s status quo of secure web gateways and remote browser isolation, one can’t help but note some inherent limitations to the underlying principles. And as web browsing continues to play an increasingly central role in the workplace, you can be certain that the secure browsing wave won’t stop at SEBs.
The first and most important thing that next-generation solutions must address is the widening gap between web browsers and the act of web browsing. The English language hasn’t been a help to anyone on this front, but the bottom line is this: Not all web browsing actually happens in web browsers, and by a sizable margin.
Since 2019, the average enterprise SaaS portfolio has grown by 44.2% year-over-year. While many of the most widely-used enterprise SaaS applications — such as Slack, Outlook, and Dropbox — can be accessed via the browser, that doesn’t necessarily mean they are. Many users still opt for the native desktop versions of these applications for reasons ranging from superior user interfaces and expanded functionality all the way to plain-old force of habit.
Whatever the motivations may be, the moment a user clicks on a link or accesses a remote file in one of these applications, they’ve effectively moved the act of web browsing beyond the purview of the web browser itself. This often-overlooked segment of the browsing attack surface remains a concern for not only SEBs but virtually all of today’s prevailing secure browsing solutions.
For the time being, policies mandating the use of web applications within the secure browser environment (as opposed to desktop versions of said applications) may serve as a useful stop-gap. But one can’t help but feel like there’s still a need for a more comprehensive solution to this particular problem — especially given friction’s notorious proclivity for inspiring noncompliance and shadow IT.
If we hope to secure the entire browsing attack surface, the next generation of secure browsing solutions must find an effective, low-friction means of securing this growing segment of it.
Reframing the secure browsing experience
In a world where web browsing plays such a fundamental role in employees’ work lives, the next generation of secure browsing solutions should make a frictionless user experience top priority. In a recent survey, 35% of respondents said that they already need to work around their company’s security policy simply to get their job done. In such a landscape, forcing adoption of new tools or imposing barriers is a risky proposition, especially when those tools are as fundamental to employees’ daily responsibilities as the web browser.
Moving forward, secure browsing solutions hoping to see widespread adoption must work toward an agentless, agnostic architecture — one that is capable of securing the entire web browsing vector, regardless of browser, application or device, and that does so without causing undue disruption to the end user’s experience. And in the era of app sprawl and overwhelmed IT departments, easy deployment and management on the admin side will be a key value proposition for next-generation solutions looking to claim this budding category.
A critical first step in the battle for secure browsing
The dawn of the enterprise browser is a critical first step in the right direction for a cybersec field thrown into tumult by the new world of work-from-anywhere. While attempts have been made in the past to create a secure browser, it appears that now is the right place and right time for the concept to finally take off — and not a moment too soon.
But if history has taught us anything, it’s that forcing the adoption of any technology in the workplace is no easy feat. The very best security tools, those that stand the test of time, inevitably work behind the scenes, protecting users without them even being aware of their presence. While the secure enterprise browser is certainly a welcome development in today’s rapidly-evolving threat landscape, we’re sure to see much more innovation in the months and years to come.
Dor Zvi is cofounder and CEO of Red Access.