Enterprise Browser Battle V1.0 — March-2023

35 min readMar 15, 2023

Summary (TLDR)

I am pleased to share my first report on a new product category — the Enterprise Browser. An Enterprise Browser is a special web browser for business use. It provides advanced security controls and auditing capabilities not found in popular “consumer” browsers like Chrome, Safari, and Edge.

These days, many businesses rely on SaaS solutions and web apps that run outside the secure confines of the corporate data center. And many people work from home over untrusted networks using unvetted devices that aren’t owned or managed by the company. An Enterprise Browser reduces the security risks posed by SaaS solutions, web applications, and remote workers. It helps protect businesses against data theft, certain types of malware, and other threats by embedding security controls directly into the browser.

For our inaugural investigation, we looked at three Enterprise Browsers: Citrix Secure Private Access from Tibco Software\Citrix, Google Chrome Enterprise from Google, and TalonWork from Talon Cyber Security. Our Google Chrome Enterprise analysis includes BeyondCorp Enterprise, a separately priced product from Google that adds secure enterprise browsing capabilities to Chrome. We compared and graded the solutions by analyzing 47 mutual product features and attributes. All three vendors received high marks, with Talon coming out on top in our ranking.

This is the first in a series of Enterprise Browser reports I plan to publish. In the coming months, we’ll expand our feature coverage and take a look at other vendors in this space. Of note, Island was invited to participate in this inaugural evaluation but declined to participate at this time.

I hope you find the information interesting and valuable. We had fun investigating the products and kicking the tires.

Please reach out to me on Twitter or LinkedIn with questions or feedback. Let us know what other Enterprise Browser features or vendors you’d like us to cover in future reports.

Introduction

It seems hard to believe, but for over thirty years, businesses have used remote Windows applications and VDI solutions to support offsite workers and centralize IT management. As a VDI security analyst, I’ve had a front-row seat to the action and have watched the VDI market grow and evolve at an incredible pace. I’ve always been amazed by how many organizations deploy VDI solutions without fully considering the security implications. Over the years, I’ve published a series of blogs and research reports to help companies evaluate VDI solutions and compare vendors purely from a security perspective.

Now I see a new IT moon rising — the Enterprise Browser. Businesses are using SaaS solutions and web apps to simplify IT operations, speed up software rollouts, and support new hybrid work models. But just like with the VDI market, organizations often fail to fully consider the security implications of using web-based applications and services. Individual business groups often sign up for SaaS solutions independently, without involving or even notifying corporate IT or information security teams.

An Enterprise Browser is a special-purpose browser with enhanced security functionality, designed explicitly with web-based business applications and remote users in mind. It provides enterprise-grade security controls and auditing capabilities that aren’t found in consumer-oriented browsers like Chrome, Safari, and Edge.

An Enterprise Browser can help defend against malware, data leakage, and other threats. It can help reduce shadow IT risks. And it is easier and less expensive to deploy and support than a traditional VDI-delivered browser.

Industry analysts like Gartner and IDC are closely monitoring this emerging space. It will be fascinating to watch this new market unfold in 2023. I plan to cover the Enterprise Browser market just like I previously covered the VDI market. Like with my VDI reports, my research will focus exclusively on the security aspects of these products. I won’t factor pricing or non-security-related features or attributes into my analysis.

One particular area I plan to pay close attention to in our first report is unmanaged devices. Employees working from home, contractors, and third parties like IT support vendors often access web applications and browser-based administrative consoles using outside devices over which corporate IT and security teams have little visibility and control. Unmanaged devices are a favorite target for threat actors. They are often poorly secured — running outdated or unpatched operating systems, software with known vulnerabilities, and inadequate endpoint security and antivirus solutions. Many Enterprise Browsers support endpoint posture assessment capabilities and other features to reduce the risks posed by unmanaged devices. We take a close look at those features in our first report.

The pandemic forever changed the way many of us work. Many businesses have permanently adopted hybrid work models and allow employees to work from home at least some of the time. Many employees spend most of their working days in the browser accessing Salesforce, Office 365, Google Workspace, and other SaaS solutions over untrusted networks. The browser is a logical place to implement strong security controls to protect confidential company data and defend against malicious activity.

Enterprise Browser Use Cases

An Enterprise Browser can benefit any business regardless of size or industry. You can use an Enterprise Browser to provide secure access to any browser-based business application including:

· SaaS solutions

· Internal web apps running on public clouds (AWS, Azure, Google Cloud, etc.)

· Internal web apps running on private clouds

You can also use an Enterprise Browser as a secure, hardened alternative to a consumer-grade browser for employees accessing non-work applications and websites from company-owned and managed devices.

An Enterprise Browser can help reduce your attack surface, protect against ransomware and other types of malware, and defend against data loss. You can use an Enterprise Browser to:

· Defend against insider threats and external threats

· Provide secure web access for managed devices and unmanaged devices

· Improve web security for onsite users and remote users

· Provide secure web access for various users (employees, contractors, freelancers, vendors, business partners, etc.)

Enterprise Browser Vendor Landscape

The Enterprise Browser market is in the early stages. Several established software vendors and several startups already offer products in this space, including:

· Citrix

· Google

· Microsoft

· Island

· Seraphic

· Talon Cyber Security

Selecting Vendors for this Report

I contacted several vendors to see if they would be interested in participating in our initial study and would be willing to provide a demo copy of their software. I investigated several established vendors, including Citrix, Google, Microsoft, and VMware. I was surprised to learn that VMware did not have a product in this space. I skipped over Microsoft because their Edge for Business product is aimed at managed devices, and this report spotlights unmanaged devices. Citrix and Google both agreed to participate.

For startups, I contacted Island and Talon Cyber Security, the names that came up most in my research and conversations. Talon accepted, but Island declined to participate.

In future reports, I plan to include other vendors such as Conceal, Epic Browser, Island, Microsoft Edge for Business, Perception Point’s Web Security, and Seraphic. If you work at any of these companies and want to participate in this project, don’t hesitate to get in touch with me on Twitter or LinkedIn.

A Quick Word about the Established Traditional Microsoft and Google Solutions

These two browsers are two of the most deployed worldwide for workforce usage. However, they also have significant disadvantages currently, with their traditional solution typically requiring total device management or user intervention to manage the browser. Google Enterprise gives user-level browser management granularity, which is helpful for unmanaged endpoint scenarios. Microsoft looks like, with the way they can package Edge, they could get into this space for unmanaged devices relatively quickly, but they will make more managing the whole machine and the browser as part of their management suite.

Enterprise Browser Vendors Covered in the Report

This report compares Enterprise Browser solutions from three vendors: Citrix, Google, and Talon Cyber Security.

Citrix

Citrix entered this browser space in 2018 when they introduced the bundling of a Chromium browser into their existing Workspace App client used for VDI access. This addition allowed Citrix administrators to publish resources that would be launched locally on the user’s endpoint instead of going to a published browser hosted somewhere. Around this time, App Protection was added to the same client that gave the applications the keylogger and screen capture protections which added some protection abilities not yet seen to this point in time. Then in 2021, they released their Secure Private Access (SPA) and Citrix Enterprise Browser (CEB) solution, a management plane for their Remote Isolation Browser (RBI) solution. This SPA introduced the ability to publish items to the local Workspace App Chromium browser and for specific URLs or conditions to send the users to the hosted Remote Isolation Browser, which was an excellent option for many deployments. They are not doing what many other vendors do, controlling most of the browser settings or all the settings to a managed download or a registration process to an existing browser. The Citrix SPA management console is a purpose-built solution that shows you what you need to control the experience. This complete solution can be purchased outside the typical DaaS, VDI, and NetScaler options many may be familiar with.

Google

Google created the Chrome browser in 2008, and in 2010, Chrome launched its first enterprise policies for local device management (i.e., via GPO). Then in 2019, they released their Google Chrome Browser Cloud management offering, leveraging Google Admin Console, allowing administrators to manage browser settings and get reporting for managed Chrome Browsers directly from the Admin Console. Their solution requires IT admins to enroll browsers using a token for device policies or by applying policies at the user level. IT can either manage this download centrally through a software distribution tool or enroll and begin managing existing Chrome installs already in their environment.

Google Chrome is available for free and includes a set of enterprise browser capabilities. Google also offers BeyondCorp Enterprise, a separately priced product that integrates with Chrome and provides additional secure enterprise browsing capabilities. Our Google Chrome Enterprise analysis includes the BeyondCorp Enterprise offering. We parenthetically note when the BeyondCorp Enterprise product fulfills a particular Google capability. Our scoring charts also use color coding to highlight BeyondCorp Enterprise’s capabilities.

Talon Cyber Security

Talon Cyber Security was founded back in 2021 and set out to make a purpose-built enterprise browser solution. Their solution looked at the most common weaknesses of existing browsers and added some controls and features that didn’t exist in standard Chromium-based browsers. Their enrollment model is much simpler than others, with a welcome email to a managed download, install, and log-in, and you are secured and ready to roll. Their policy engine and controls were purpose-built for this solution, resembling familiar firewall or group policy architectures.

The TalonWork browser provides various built-in enterprise security, like data leakage prevention features, threat protection functionality, and Zero Trust capabilities, such as granular authentication and authorization controls. Their solution integrates with popular identity providers to simplify user onboarding and policy enforcement. Talon also offers integrations with external file scanning and threat intelligence services like CrowdStrike Falcon Intelligence to defend against malware and block access to potentially harmful websites.

Talon Cyber Security is well funded (They raised $100M in 2022). They also have relationships with CrowdStrike and Microsoft. They are a Microsoft for Startups program member, and you can purchase their product on the Azure and AWS Marketplaces.

Scoring Methodology

To compare the three solutions side-by-side, we identified 47 mutual product features and attributed them to score them. To get our hands around the data and quickly grade and rank the vendors, we organized the features into seven distinct categories:

1. Delivery and Integration

2. Browsing Controls

3. Data Leak Prevention

4. Threat Prevention

5. Endpoint Filters

6. Extension Controls

7. Advanced Browser Options

To simplify the analysis and make the information easier to digest, we consolidated some features we felt were similar. Some of these solutions were surprisingly feature-rich and customizable. We could have easily looked at hundreds of features had we not focused only on capabilities common to all three products. In the future, we may expand our analysis to cover more features.

We used a ranked scoring system to identify the best solution in each feature category. Each vendor started with a perfect 100/A+ score. The best vendor in each category had zero points deducted. We deducted points from the other vendors to reflect feature deficiencies or security gaps compared to the best vendor. (In some cases, two or all three vendors received identical scores). We applied the deductions to create our final grade for each solution.

Detailed Analysis and Observations

1.0 Delivery and Integration

1.1 Delivery Type

There are many ways to deliver a browsing experience. The most common is the local installation of the browser, where a package is managed or unmanaged on a system. Another option is a hosted solution where the user connects to something that connects them to a browser. Both options provide isolation and control, but there are cost, performance, and feature tradeoffs to consider.

Citrix Secure Private Access — Local Managed (Secure Private Access) and Hosted (Remote Browser Isolation)

Google Chrome Enterprise — Local Managed

TalonWork — Local Managed

Citrix is more secure because it supports both delivery types. Talon and Google are tied for second because neither supports a remote browser isolation (RBI) option.

1.2 Supported Endpoint Operating Systems

We looked at the number of endpoint operating systems each product supports.

Citrix Secure Private Access — Five operation systems: ChromeOS, iOS, Linux, macOS, and Windows.

Google Chrome Enterprise — Six operating systems: Android, ChromeOS, iOS, Linux, macOS, and Windows

TalonWork — Four operating systems: Android, iOS, macOS, and Windows

Google scored highest because they can be used on all six primary operating system types: Android, ChromeOS, iOS, Linux, macOS, and Windows. Citrix is in second place with the ability to support five operating systems with Citrix Secure Private Access and Citrix Remote Browser Isolation with six operating systems based on its HTML 5 browser client. Talon is in third place with four operating systems.

1.3 Enrollment Type

There are many ways to distribute browser software and enroll new devices. Each vendor takes a different approach. Since we are focused on unmanaged devices for this first enterprise browser comparison, we are looking for solutions that make it easy and secure for users to download and set up the browser on their own endpoints with little or no corporate IT involvement.

Citrix Secure Private Access — CEB Download Workspace App & Install, RBI Browser Access to an HTML Browser

Google Chrome Enterprise — Download & Install then an Enrollment Token (Script\Reg File) or Google Cloud Identity Managed Profiles

TalonWork — Welcome Email, Download\Install

Talon has a more secure enrollment type because users must provision based on their Identity (IdP) Provider. TalonWork users will receive a welcome email prompting them to download the TalonWork browser. Citrix is in second place due to its flexibility of enrollment methods based on your requirements. With Citrix, when a user tries to access the configured resource, the controlled browser appears, whether the local Chromium-based browser or the Remote Isolation Browser, based on the protections required and policies configured. Google Chrome Enterprise is in third place, with its local or cloud-based management of an existing Google Chrome installation on the device.

1.4 VPN-less Access (Internal Apps)

This feature allows users to access internal applications from wherever they are without another VPN or VDI solution. A unified solution is more secure than other solutions requiring more servers, components, consoles, and solutions.

Citrix Secure Private Access — Yes, with an integrated gateway solution

Google Chrome Enterprise — Yes (BeyondCorp Enterprise)

TalonWork — Partial (Integration with leading VPN and ZTNA Solutions)

Citrix and Google are more secure because they allow users to access internal applications natively within their solutions. Talon is in third place based on relying on their integration with multiple VPN and ZTNA providers, which is valuable for customers who can leverage their existing investments vs. deploy a new solution.

1.5 Browser Use Enforcement

This feature prevents users from accessing specified web applications from a browser other than the Enterprise Browser sanctioned by corporate IT.

Citrix Secure Private Access — Yes

Google Chrome Enterprise — Yes (BeyondCorp Enterprise)

TalonWork — Partial (Integrations with IDPs)

Citrix and Google are tied for first place. Citrix has the native ability to force the use of its solution based on its control of the network layer paired with its policy controls. TalonWork is in third place, offering multiple ways to enforce access, such as conditional access rules configured with a third-party Identity Provider.

1.6 Version Upgrade Control

Browsers are a common target for threat actors. Enterprise Browser vendors regularly release software patches and updates to address vulnerabilities. Version upgrade control features let you track and manage browser releases centrally and force upgrades across your user base outside typical endpoint update channels.

Citrix Secure Private Access — Partial (Tied to Workspace App)

Google Chrome Enterprise — Yes

TalonWork — Yes

Google and Talon are more secure because they can force specific versions and report on their managed browsers’ versions. Citrix is in third place because of its dependency on the Workspace App client being updated to update the Chromium version and requiring Chromium version reporting for each device. Citrix’s Remote Browser Isolation hosted solution is automatically patched. Still, the browser version is hidden from the user and administrator, so it is impossible to determine if it is the latest version with either delivery method without testing within the session.

1.7 Policy Update Durations

We measured the time it takes to propagate a policy change to an endpoint. Time is of the essence for containing risk and mitigating certain types of threats. An Enterprise Browser must update policies in seconds rather than minutes.

Citrix Secure Private Access — ~20 Seconds

Google Chrome Enterprise — ~20 Seconds

TalonWork — ~10–15 Seconds

Talon is more secure because they update most policies within 10–15 seconds after a change has been made. Citrix and Google are in second place, with many setting changes taking effect in less than 20 seconds and others taking effect on the next login. We saw the most variability with Google Chrome Enterprise, which took as short as 10 seconds and as long as 3 minutes to propagate changes.

1.8 Conditional Access Controls

This feature lets you control access to applications or websites based on a defined policy. This is a foundational policy expectation on most security-related systems where a baseline configuration can be applied to all devices. Some users, groups, devices, or filters allow them to be more secure or less secure based on their requirements.

Citrix Secure Private Access — Yes

Google Chrome Enterprise — Yes

TalonWork — Yes, with more granular policies

Talon is more secure due to its ability to control the security policies based on users, groups, devices, device posture, and policies with more granular control capabilities from its singular policy engine. Citrix and Google are tied for second place for having basic controls, but fewer than Talon, and some policy administration is split between consoles in those solutions. This is a must-have feature for all vendors, and we expect vendors will extend the depth and breadth of these capabilities over time.

1.9 Idle Timeout Control

This feature automatically locks the browser session after a configurable period of inactivity. It is particularly useful for unmanaged devices, where users may have disabled native endpoint lock screen or screensaver functions.

Citrix Secure Private Access — Yes

Google Chrome Enterprise — No (Coming Q1–23)

TalonWork — Yes

Citrix and Talon are more secure because they detect and control an idle user’s session. Google is in second place as they do not support this feature.

1.10 Browser Timeout Passcode

This feature is related to the Idle Timeout Control feature. This control allows a passcode to be created that allows the user to reauthenticate to the system beyond any idle endpoint protections. When sensitive data is being accessed, this can be a robust control to help prevent endpoint takeover. If this is a managed device, you will still typically have a password-protected screensaver set to a specific duration based on your compliance requirements.

Citrix Secure Private Access — No

Google Chrome Enterprise — No

TalonWork — Yes

Talon is more secure because they detect and control an idle user to lock the browser session. Google and Citrix are tied for second place as they do not support this feature.

1.11 Endpoint Protection Agent Integration

Some Enterprise Browsers offer integrations with third-party threat intelligence services and endpoint protection services for advanced file-scanning, URL-scanning, and device posture assessment functions. We expect many Enterprise Browser vendors to expand their integrations’ breadth and depth over time.

Citrix Secure Private Access — Partial (Coming 2023 CrowdStrike)

Google Chrome Enterprise — Yes

TalonWork — Yes

Talon and Google are more secure because they integrate with endpoint protection and threat intelligence vendors. Talon and Google integrate with CrowdStrike Falcon Intelligence for file scanning and URL filtering; and CrowdStrike Falcon Sensor for posture assessment of managed devices. Citrix is in third place as it will integrate into CrowdStrike later this year in 2023. This integration will even the playing field for this feature. We also know that each vendor will continue integrating with more endpoint protection solutions.

1.12 SIEM Integration

Most Enterprise Browsers let you forward logs and event messages to an external Security Information and Event Management (SIEM) system. SIEM solutions simplify threat detection and response by gathering, aggregating, and correlating events from various sources.

Citrix Secure Private Access — Yes (Analytics) (Splunk, Microsoft Sentinel, Kafka\Logstash Connection)

Google Chrome Enterprise — Yes (Palo Alto, Splunk, Chronicle)

TalonWork — Yes (Splunk, CrowdStrike LogScale, Microsoft Sentinel)

All three vendors are tied in this area, so customers are advised to determine which vendor provides the SIEM integration that best meets their needs.

1.13 Chromium Browser Policies

This feature lets you control the preferences available to a browser and, in this case, in the Secure Enterprise Browser space. They are all Chromium-based browsers currently. This can allow you to control everything you could typically control when the browser is being managed. This can become an essential filter in high-security industries as your organization may be required to configure specific browser settings to ensure a security baseline is applied.

Citrix Secure Private Access — Partial (4x Policies)

Google Chrome Enterprise — Yes

TalonWork — Yes

Google and Talon are more secure due to their ability to control with policies all accessible Chromium-based preferences via approach. Citrix is in third place based on them only having provisions only to configure four policies currently.

1.14 Authentication Integration

Most Enterprise Browsers integrate with external IdPs to simplify user provisioning, enable single sign-on (SSO) and enforce conditional access controls.

Citrix Secure Private Access — Yes, (Kerberos, SCIM, Okta, AzureAD, Ping, OneLogin, … Others)

Google Chrome Enterprise — Yes, (SCIM, Okta, AzureAD, Ping, OneLogin, … Others)

TalonWork — Yes, (SCIM, Okta, AzureAD, Ping, OneLogin, … Others)

Citrix is more secure using Kerberos authentication and the same SCIM integrations as the Google and Talon solutions. All three of these vendors can integrate with other identity providers. Some provide more native integration, but each allows SAML integration with other IdPs.

2.0 Browsing Controls

2.1 Website Control

Website access controls are an essential feature of any Enterprise Browser. Every Enterprise Browser at least supports basic allow list/deny list functionality. Some vendors support more advanced or granular access controls.

Citrix Secure Private Access — Yes

Google Chrome Enterprise — Yes

TalonWork — Yes

Citrix, Google, and Talon are all tied for first place as they can control which websites users can visit based on users, groups, devices, and policies. They have varying policy control capabilities, but they all support this feature. This is a must-have feature for all vendors.

2.2 Control App Logins

This feature lets you control access to specific URLs, web applications, or website categories based on a user’s login credentials. You can use it to prevent employees from accessing personal accounts at work. For example, you could prevent users from copying business data to a personal cloud storage account (e.g., allow the user to access Dropbox only when using their corporate login credentials). The Enterprise Browser will block access if they try to log in to Dropbox using their personal credentials.

Citrix Secure Private Access — Yes

Google Chrome Enterprise — Yes (BeyondCorp Enterprise)

TalonWork — Yes

Citrix, Google, and Talon are all tied for first place as they allow the control of application logins based on their policies and controls.

2.3 Browser Jailbreak Prevention

This feature can prevent users from escaping the browser session to open other applications. This can help ensure that the user can only access the specified resources and no other items and escape this controlled enclave.

4.1 Malicious URL Protection

This feature will evaluate the URLs entered into the browser session to check their risk level before allowing the users or presenting a block or warning. Many modern browsers will have this ability, especially Chromium-based browsers, but they differ in the depth of protection they offer.

Citrix Secure Private Access — Yes

Google Chrome Enterprise — Yes

TalonWork — Yes (More integrations)

Talon is more secure as it has more external connections to check if the URLs are potentially unsafe. Talon uses the native Chromium Safe Browsing capabilities like the other vendors. Also, it integrates with external threat intelligence services from vendors like CrowdStrike, Avira, and Webroot to automatically detect and block access to malicious sites such as phishing or credential harvesting sites. Citrix and Google are tied for second place as they have fewer URL threat detection integrations. Each system has varying policy capabilities regarding the URLs users can navigate based on users, groups, devices, and policies.

4.2 Read-Only Website Access

This feature lets you protect against phishing attacks and credential theft by granting users “read-only” access to untrusted websites and preventing them from entering their credentials.

Citrix Secure Private Access — No

Google Chrome Enterprise — No

TalonWork — Yes

Talon is the most secure as they support this feature. Citrix and Google do not support this capability.

4.3 Leaked Credential Monitoring and Notification

This feature automatically notifies the user if they attempt to log into a site using credentials that are known to be compromised in a third-party data breach. This feature also typically creates notifications and reports in the management console for the administrators to review.

Citrix Secure Private Access — No

Google Chrome Enterprise — Yes (BeyondCorp Enterprise)

TalonWork — No

Google is more secure as they support this feature. Citrix and Talon are tied for second place by not having this feature. We recommend that solutions have this protection as this is a common attack avenue with stealer logs and other attack methods.

4.4 Browser Patch Process

This feature describes the vendors’ ability to patch the browser when there are security vulnerabilities. With browsers being a primary application for most users worldwide, vulnerabilities are found to become an immediate risk for all organizations and users when released. Most browsers are updated at least monthly, depending on the severity of the vulnerabilities found. Depending on which Enterprise Browser solution you use and which browser they use will determine how long it will take for patches to make it to your systems and users. This relates to the Version Upgrade Control feature in section one but looks specifically at how long it will take to update the base browser.

This feature will require the endpoint to have a local certificate before accessing the resources. This would typically only be set up in high-security deployments, but many use cases could benefit from this configuration.

7.1 Set Custom Header\User-Agent

This feature is powerful when paired with other content control software, firewall, and other solutions to log and control aspects of the user’s web sessions. This configuration can identify the secure browser against other security products, such as firewalls, to apply relevant policies.

Citrix Secure Private Access — Partial

Google Chrome Enterprise — No

TalonWork — Yes

Citrix and Talon are more secure as they allow the ability to set each of these items. Google is in third place as they do not support this feature.

7.2 Basic Browser Audit

Browser Audit Results

This analysis was to understand what default settings these browsers use to understand their default security stance. Since all the browsers validated are, Chromium-based, we used the BrowserAudit.com website to probe each browser to check their security policies. This will always be a varying score because new tests are added regularly, and then some tests could be skipped because of networking timeouts and many other factors. This was the only way we could find a way to quantify the out-of-the-box settings for each of these solutions. We plan to do more testing on the recommended lockdown settings of Chromium-based browsers to see how much we can improve the scores below. Many of these solutions can also configure every Chromium-based policy like Google and Talon, allowing each of these to be secured further along with customizing the expected experience for your users.

Talon is more secure as they have fewer warning findings. Google is in second place, and Citrix is in third based on its two delivery options averaged, whereas if both settings were the same, it would have been a tie for first place. Overall, these findings were very similar between each vendor, and I’m sure the results will change over time as they make changes to their policies and as the Browser Audit team creates new tests.

Summary of Results

With all the 47 features compared between these vendors, we can see that the TalonWork secure enterprise browser wins with the highest security feature score. We want to add more vendors early later this year to see how it compares against many of the others in this emerging space.

As a reminder, we used a ranked scoring system to identify the best solution in each feature category. Each vendor started with a perfect 100/A+ score. The best vendor in each category had zero points deducted. We deducted points from the other vendors to reflect feature deficiencies or security gaps compared to the best vendor. In some cases, two or all three vendors received identical scores. We applied the deductions to create our final grade for each solution.

Security Feature Rank Overviews

Delivery and Integration — Rank

Browsing Controls — Rank

Data Leak Prevention — Rank

Threat Prevention — Rank

Endpoint Filters — Rank

Extension Controls — Rank

Advanced Browser Options — Rank

Security Feature Rank Summary

Overall, there was a good spread of ties and first places, which is good. There were more three-way ties than in our previous VDI and Endpoint comparisons. It’s good to see the ranking to know which are better in each category and which are tied.

Final Score Summary

Conclusion

An enterprise browser can clearly help any business reduce the security risks posed by modern web apps and SaaS solutions and by remote workers and unmanaged devices. The market is just starting, but we found that the early entrants already provide an unexpectedly broad array of features to help prevent data loss and malicious attacks. We were surprised by the feature differences between the three products we examined. We trimmed the list down to 46 mutual features for our first report, but we could have easily added twice as many.

Talon edged out Citrix in our first report. Google received a passing grade for their Chrome Enterprise Browser, including BeyondCorp Enterprise. The Enterprise Browser market is highly competitive and evolving rapidly. We plan to update this report quarterly to include additional vendors and features and provide additional insights for the community.

Please get in touch with me on Twitter or LinkedIn if you have any questions or comments. Let us know if there are additional vendors, products, features, or security policies you would like us to look at in future reports.

Scoring Appendix

The below summaries show the scores used per feature that were totaled and then subtracted from the 100 perfect scores for having all the features. A zero score is the best score, as the vendor doesn’t have a partial or full-point deduction for the feature we are comparing. Like a typical test in school, the fewer deductions, the higher your score will be.