What Is Browser Isolation?

Browser isolation is a cybersecurity protocol that separates web browsing activity from local networks and infrastructure by operating in a secure environment. By hosting users’ browsing sessions in a secured virtual space, this technology establishes a protective barrier between potentially malicious web content and an organization’s endpoints, effectively neutralizing online threats.

Many cybersecurity attacks use browser-based vulnerabilities and threats. Current browser developers attempt to isolate web applications so malicious code cannot access a device’s operating system and low-level functionality. Although these attempts at isolation prevent some attacks, allowing a user to openly browse the internet adds exponential risk to the organization. True browser isolation contains all web activity within a closed virtualized environment without allowing any browser-based code to access other sections of the user’s device. A virtualized browser strategy is far more secure than traditional methods of web access.

Traditionally, users installed software on their desktops and ran applications locally. Data was typically stored on a network drive, but the application ran on the local machine. With the increased popularity of cloud computing, software now runs remotely so that data can be local or in the cloud. The easiest way to build applications that run remotely is to code them to execute in a browser, which means that most software-as-a-service (SaaS) applications use browsers.

Cybersecurity experts determined that browser-based applications were safer for users and enabled unencumbered access to application functionality. Users were familiar with browser navigation, so these applications also reduced user training time. Developers used browser controls and APIs for easier coding and worked with browser cybersecurity instead of writing their own.

As cybersecurity evolved, organizations found that a browser running in a virtualized environment could completely separate the browser application from the device’s underlying operating system. Providing users access to internet browsing introduces risks, but a virtualized environment and browser protect a user’s device from common malware as it cannot access the main system.

Because isolated browsers are more secure than standard installations, governments now use isolated browsers and virtualized technologies to protect internal network resources, sensitive data, and trade secrets. Security experts recommend an isolated browser approach to web browsing on machines with access to sensitive network resources and data to reduce risk from drive-by malware, phishing, and data theft.

Browser isolation works by sandboxing a web environment. That means the web browser runs in its own environment without interacting with the operating system. Imagine that you created a chemical concoction built within a glass bottle. Should the reaction create smoke and a foul smell, it cannot affect the environment outside of the bottle. This scenario is similar to how an isolated browser environment works.

Cloud-based applications such as Office 365, email (e.g., Gmail), movies, JavaScript-based games, and other cloud activities execute in a browser, but sophisticated threats can breach a traditional browser and access the underlying operating system. For example, browsers began disabling support for Adobe Flash when a vulnerability allowed an attacker to remotely control a user’s machine by simply opening a web page. This vulnerability, among others, began an ongoing interest in finding solutions that allowed users to browse the internet as needed without the threat of malware from simply opening an attacker-controlled website.

Most browser isolation technologies work by executing browser functions and activity on a remote cloud server. Instead of processes running on a local computer, all activity happens on the remote server. This setup isolates the user’s computer from anything running in a browser. The user sees the browser as if it’s running on their local computer, but all code, including client-side JavaScript, executes on the remote server. Should a user browse to a malicious web page, malware and other client-side malicious code would not penetrate the local device and the local device’s network.

Administrators can choose from three types of browser isolation—each provides different levels of protection and potential risks. In today’s business environment, web browsing is a must for users to find answers to questions and download important information. Unfortunately, allowing open browsing of the internet also increases security risk tremendously.

The dangers of internet browsing lead to “web content filters.” Web content filters block websites on the user’s browser based on a long list of reported malicious websites. This strategy has several problems: the list must be continuously updated to be effective, false negatives are common with newly created malicious websites, and attackers create dozens of malicious websites to bypass these protections. Also, web content filtering is typically based on categories. Administrators block specific categories from being accessed, which can affect business productivity if an essential safe site is added to a filtered category.

Another issue with traditional browser setups is cookies left on the local machine. Cookies often contain session IDs and other personal information. Attackers use cross-site scripting (XSS) to obtain cookies from a legitimate site and use malicious scripts to forward a cookie to their own web servers. With the stolen cookie, an attacker can perform cookie stuffing and session fixation, providing malicious access to activities in the context of the user session.

Browser isolation offers users much more relaxed access to the internet without affecting local network security. For most web browser environments, administrators use remote browser isolation. This type is the most common, but organizations can choose from three types:

• Remote browser isolation: The safest and most secure remote browser isolation executes everything, including the browser application and JavaScript, on a remote cloud server inaccessible to local network resources and data. It streams a view of a web page to the user’s device.
• On-premises browser isolation: An on-premises strategy does the same as remote browser isolation, but the server is located on the local network. This strategy is good for privacy but provides access to local network resources through the remote server. Administrators must sandbox the on-premises server to ensure that malware cannot access local network resources and data.
• Client-side browser isolation: Client-side browser isolation uses traditional virtualization by sandboxing web-based applications in a virtual machine. The browser and web applications run within the browser in a traditional sense, but the operating system and browser run in a virtualized environment.

Remote browser isolation is most common, but some environments do not have true virtualization. Administrators in a DOM mirroring environment allow specific web content to reach a user’s local machine, risking sophisticated threats. However, in a truly isolated environment, only a stream of the browser’s interface and activity reaches the user’s local machine.

Aside from added security, web browser isolation offers several more benefits. Its continued success in stopping malware and other web-based attacks has made browser isolation the chosen strategy for many organizations that need to allow users to browse the internet but require a way to reduce security risks.

Browser isolation has several benefits:

• Protection from malicious websites and web pages: Because no code executes on the local machine, client-based attacks using JavaScript are not possible.
• Protection from malicious links in phishing emails: After a user clicks a malicious link, the browser automatically opens, and the malicious web page loads. Should an attacker trick a user into clicking a malicious link, the isolated browser opens and stops malicious code from loading on the local machine.
• Protection from malicious downloads: When users navigate to a malicious website and download software, the remote server stores the malware on its local sandboxed storage. In a double-strategy attack using social engineering or other methods with malware, attackers could not load malicious files on the local machine.
• Protection from malicious ads: Although advertising platforms do what they can to stop malicious ads, some still get through the system. Since ads run on the virtualized browser on the remote server using isolation strategies, these ads cannot harm the user’s local machine.
• Hidden IP addresses: Should an attacker trick a user into accessing a website, the user’s IP address would be divulged. This IP address is usually the exit point from the corporate router, which can be attacked using a distributed denial-of-service (DDoS). In an isolated browser environment, only the remote server’s IP address is exposed to the attacker.
• Data loss prevention: Because malware can’t load on the user’s local machine, having an isolated browser environment improves data loss prevention (DLP) strategies.
• Gather user behavior analytics: All browser instances run on a centralized cloud server, so administrators can use analytics and monitoring tools to gather information about the sites users browse and access. These analytics can help determine if users fall for phishing and malware sites to offer them additional cybersecurity training.
• Reduced administrative overhead: Instead of using web content filters that generate alerts when users attempt to access a blocked site, administrators can eliminate the need for alerts. They simply read reports and review user behavior analytics to identify users needing more cybersecurity guidance.
• Stop web-based malware and drive-by attacks: Browser vulnerabilities leave the entire local machine and network vulnerable to zero-day attacks. With browser isolation, malware and other drive-by attacks are neutralized from these threats.

Web browser isolation reduces administrative overhead by adding a layer of cybersecurity that cannot be found with standard web content filtering. Allowing open internet browsing increases security risks and opens the local machine to numerous threats. Users browsing the internet increase the organization’s attack surface, but browser isolation dramatically reduces it.

Web browser isolation prevents:

• Drive-by downloads: Web pages initializing malware downloads cannot load it on the local machine; it’s only downloaded on the remote server’s storage.
• Malvertising: Malicious code injected into advertisements can redirect users to malicious websites or execute malicious JavaScript used for attacks such as cryptojacking.
• Clickjacking: Virtualized browsers block out much of the malicious code served using advertising and third-party sites. Clickjacking happens when a user clicks a component on a web page, thinking it sends data to one page when the user actually clicks a malicious hidden layer of an attacker-controlled website.
• Phishing redirection: Blocking malicious ads stops many phishing redirects served to users browsing a website.
• Adversary-in-the-middle attacks: The remote server loads web pages, so no data transfers between a website and the user’s local machine. After the remote server loads a web page, a stream of content is sent to the user’s local device. Because no data is sent to the user’s device, stealing data using a man-in-the-middle attack is impossible.
• Cookie theft: Attackers can no longer use cross-site scripting (XSS) to steal cookies and session IDs. Cookies are destroyed when the user closes their session, so cookies are unavailable to another user on the device. If the device is stolen, an attacker would not have access to cookies and session IDs.

Remote browser isolation software provides the highest level of security among browser isolation implementations. This enterprise-grade solution executes all browsing activity on secure cloud servers, completely separated from end-user devices and corporate networks.

When using a remote browser isolation tool, all web code and content execute on distant cloud servers. Users only receive a secure stream of the browser interface, ensuring no potentially dangerous web code ever reaches their local device. This approach creates an “air gap” between the Internet and corporate infrastructure.

A comprehensive remote browser isolation platform delivers several critical security functions:

• Neutralizes zero-day threats and drive-by downloads by containing them in disposable cloud environments
• Prevents credential theft by isolating login sessions from endpoint devices
• Blocks malvertising and malicious redirects through complete separation from ad content
• Protects against adversary-in-the-middle attacks by eliminating direct connections to websites

Organizations implementing remote browser isolation solutions gain significant advantages beyond basic security. The technology enables detailed user behavior analytics and reduces administrative overhead by eliminating the need for complex web filtering rules. IT teams can allow more open internet access while maintaining strict security controls.

Deployment Considerations

When evaluating remote browser isolation tools, organizations should assess:

• Streaming performance and user experience impact
• Integration with existing security infrastructure
• Scalability for enterprise-wide deployment
• Data privacy and regulatory compliance capabilities

Remote browser isolation represents the most secure approach to protecting organizations from web-based threats while enabling the productive use of internet resources that modern businesses require.

Proofpoint Threat Protection complements browser isolation strategies by providing comprehensive protection against email-based attacks that often lead to compromised web sessions. The platform stops 99.99% of threats through advanced protection capabilities, combining threat intelligence, static analysis, and Nexus AI models to defend against business email compromise, ransomware, and credential phishing attacks that frequently exploit browser vulnerabilities.

This multi-layered security approach addresses the critical email gateway where many browser-based attacks originate. The platform provides pre-delivery and post-delivery protection through sophisticated behavioral AI analysis, including URL rewriting and contextual warning tags that help users make informed decisions about potentially risky web content.

Proofpoint’s Threat Protection platform creates a robust defense against sophisticated attacks that attempt to exploit browser vulnerabilities while reducing administrative overhead through automated remediation capabilities. To learn more, contact Proofpoint.