A Guide To The Browser Isolation & Remote Browser Market And Its Vendors
I was present at the birth of browser isolation cybersecurity and have seen it grow into a vibrant space, full of amazing remote browser and browser isolation technologies. Its a hot topic right now, primarily because Gartner are recommending browser isolation technologies as one of the most effective ways an enterprise can reduce web based cyberattacks against their users.
Gartner are also predicting that 50% of enterprises will actively begin to isolate their employees web browsing activity over the next three years, so against this backdrop I wanted to outline the browser isolation space and its players for those interested in the remote browser isolation market.
In case you are not familiar with browser isolation cybersecurity or remote browsing technologies, check out my explainer posts below:
The Browser Isolation Technology Space
I maintain a directory of browser isolation vendors over on Index.co and the companies for this article have been taken from those directories.
The browser isolation technology space is split into what I think of as two distinct categories, client side browser isolation technologies and server side browser isolation technologies, each different in their approach.
Server Side Browser Isolation Technologies
Server side browser isolation technologies adopt the traditional security through physical isolation model, in that they physically isolate your web browsing cyber risks away from your internal networks and infrastructure.
Server side browser isolation technologies are hosted on server and delivered to the user as a service, with the browser isolation being done on the server.
The browser isolation technologies I list below are all server side.
WEBGAP — Before launching WEBGAP, the co-founding team (Guise Bule and Jun Yang) spent eight years working with the National Nuclear Security Administration at Lawrence Livermore and Sandia laboratories building browser isolation platforms for federal government employees, a model known as the Safeweb model within federal circles.
They have developed the newest browser isolation technology on the market and arguably the most scalable and cost-efficient on account of their grid distributed, containerized architecture which requires approximately 10x less server infrastructure than their virtualization based competitors.
WEBGAP quickly installs onto any cloud/virtual/physical server and lets users connect over the internet from any browser and begin isolating their browsing through the WEBGAP service in frictionless way, with no downloads, plugins or software installs required. They also have an option to configure your local browser to push all traffic through WEBGAP, providing a native experience.
WEBGAP is priced at $5 per user, per month, making them the most cost-effective browser isolation technology vendor on the market.
Authentic8 — Founded by Scott Petry and Ramesh Rajagopal, Authentic8 is another virtualization based technology, one that provides its users with a ‘disposable’ browser (non-persistent virtual browser) that they then use to browse the internet, what they call the Authentic8 Silo.
Using Authentic8 is fairly straight forward, you have to download their app and install it, then launch the app and browse through it. You are presented with an Authentic8 browser and do all of your browsing through it.
Authentic8 pricing starts at $10 per user, but they offer team discounts.
Symantec- The giant in the space, Symantec entered into the browser isolation market when they bought FireGlass in late 2017 which was a great move. Except for WEBGAP, FireGlass had the only containerized browser isolation platform, one that makes them highly scalable.
Symantec seem to be focusing their messaging on high risk internet users and C-level employees, they also pair the technology up with their endpoint and proxy solutions, making a nice addition to their security suite if you are an existing Symantec customer, possibly even an add-on freebie.
I have no information on Symantec’s web isolation pricing at the moment.
Menlo Security — Founded by Amir Ben-Efrain and Poornima DeBolle, Menlo Security was one of the early entrants to the browser isolation space and another vendor leveraging virtualization as a tool of isolation in their Menlo Security Isolation Platform (MSIP). They call their technology ‘Adaptive Clientless Rendering’ which seems a bit convoluted to me.
The problem with legacy browser isolation players like Menlo is that they seem to be stuck on the old virtualization model. Although virtualization isolates sessions well, the problem with virtualization as a tool of browser isolation is that combined with a SAN centralized architecture it makes it very expensive at scale, its just not a great vehicle for handling the browser compute load across thousands of simultaneous users. I think this is why their per user price point is so high, at $10-$15 a user a month, its expensive.
Client Side Browser Isolation Technologies
Client side browser isolation technologies try to accomplish the same goal as the server side kind, but rather than physically isolate the users browsing activity away from their local machine and network, client side solutions handle all of the isolation on the users machine. This does mean that you do not have to buy or rent servers to host your users browsers, but it also means that you break the security through physical isolation model in the process.
Am not sure what to think about that, we tried trusting the code already and that didn't work out so well, the reason the air-gap is the most common approach to browser isolation, I favor server side solutions because of this.
Apozy — The co-founding team behind the Apozy NoHack are Rick Deacon and Erhan Justice. They have a unique approach to client side browser isolation that I think sets them apart, rather than leverage client-side virtualization as Bromium have done, they leverage technology that is already built into the major browsers to deliver a sandboxed, safe environment. Specifically they use CSP headers to make malicious pages “read-only”.
This makes for a frictionless deployment and requires no extra infrastructure, no added integration overhead, which I think is really cool. I don’t have any approximate costs for Apozy, but their model implies cost efficiency.
Bromium — The co-founding team behind Bromium are Ian Pratt and Simon Crosby, who were co-founders of XenSource (bought by Citrix) before they went on to found Bromium. Coming from such a strong virtualization background, the two built the Bromium technology on top of a virtualization based stack, launching a kind of client-side hypervisor, one that sits above and below the guest operating system, what they call micro-virtualization.
Because Bromium is a client side solution and needs to be the lowest level software operating on the machine, it requires a very destructive install, you have to delete all the software and data on the machine, install Bromium and then rebuild your machines on top of the Bromium managed PC.
Bromium was one of the first companies I noticed emerging onto the browser isolation scene in 2010, although they have gotten traction and a lucrative partnership with Microsoft, the feedback I get from security professionals who use Bromium is that its too cumbersome to install across anything but a virgin estate of PC’s and requires a lot of manpower and resources to deploy.
Bromium are very cagey about their prices and I have heard different prices from different sources, so I am not able to comment on their pricing.
The Remote Browsing Space
You may not actually want to host or manage your own browser isolation technology, you may think it best to properly isolate browsing cyber risks away from your internal networks and place that risk outside of your corporate firewall, especially if you lack a strong cybersecurity team.
If thats the case, remote browsers are for you. Remote browsing solutions provide you with a fully hosted browser isolation platform that your users connect to over the internet, no server hosting required.
The companies below are taken from my remote browser vendors list, its worth noting that most of the remote browser vendors below do not actually have their own technology and some use off-the-shelf virtualization technology to deploy their solutions, something we did a decade ago.
WEBGAP — WEBGAP run a remote browser service powered by their own proprietary technology and sell their service directly to organizations and end users, they also provide their technology for on-site installation to the enterprise and fed gov spaces. Priced at $5 per user, per month, depending on the amount of users you have, the cost efficiency of their containerized technology and grid distributed architecture shows clearly.
Cigloo — Israel based Cigloo, founded by Hadar Eshel and Eli Lior, offers a remote browsing service aimed at Citrix users and based on the Citrix virtualization stack. They supplement this stack with their own proprietary proxy technology that sits between Citrix users and their virtual environment,so while they may not have their own technology, they do develop the proxy component of their remote browsing platform.
They do not publish prices publicly, so I have no idea of what they charge.
Lightpoint Security — I have no idea who founded Lightpoint, because they have zero presence on Linkedin and it doesn't say on their website, they do say that they founded by ex-NSA employees which must be pleasing to some.
Lightpoint offer a remote browsing service based on an unknown virtualized platform, they not develop their own technology by a number of cybersecurity professionals, they seem to be using off the shelf technology to deploy their solution. Although they do not have their prices listed, they used to display their prices at $9 per user per month last time I saw them.
I dislike Lightpoint because their website is terrible and offers little information, inspires no faith in them as a company, or their solution in my opinion, but then I do have a marketing background and I may be biased toward vendors who do not pay attention to the way they present themselves.
I did have one other company in my remote browser vendor directory, WebLife, but they were recently bought by Proofpoint and do not yet seem to have been integrated into Proofpoint’s technology offering.
If you think I missed anyone out, either remote browser isolation companies, or details on the companies I covered please let me know and for transparency purposes, also you should know that I am the co-founder of webgap and while I have tried hard to be fair and balanced in this article, I may be biased.
If you liked this article, follow me on Twitter and Medium using @guisebule to get notified when I publish something new!