Secure web browsers for the enterprise compared: How to pick the right one

The web browser has long been the security sinkhole of enterprise infrastructure. While email is often cited as the most common entry point, malware often enters via the browser and is more difficult to prevent. Phishing, drive-by attacks, ransomware, SQL injections, man-in-the-middle (MitM), and other exploits all take advantage of the browser’s creaky user interface and huge attack surface, and the gullibility of most end users.

It is this last item — humans — that is the problem, and we need to be protected against ourselves. This is especially true as SaaS applications grow in usage, not to mention that every piece of hardware seems to come with a web server (and therefore a browser) to configure it. These use cases are aided and abetted by the increasing number of work-from-home staffers who depend on more browser-based apps, thanks to the pandemic.

Yes, web browsers have security settings to protect your privacy and to enable you to browse sites more anonymously. This isn’t really a satisfactory solution because these settings will typically result in more user frustration. Turning up security settings will prevent your users from conducting business on many websites, either blocking pop-ups that are needed to navigate some business site, stopping forms from collecting important information, or making your browsing session miserable in some other fashion. 

Brave, DuckDuckGo, RAV Online Security from ReasonLabs, and others have more secure consumer-focused browsers, but these aren’t appropriate for enterprises. They are what I would call “safer” or “more private” browsers. Some vendors have taken the recommendations of the Global Privacy Control to heart and have developed their own browser extensions that help guard your individual privacy. All these browsers are better but still not good enough for business uses.

Instead, a different type of tool is needed to manage an entire browser collection. While some enterprise security products touch on browser security such as secure web gateways, running a browser in a virtual desktop or using a managed endpoint service, they don’t focus on the total browsing experience and can’t stop many of the potential threat vectors. Enter the secure browser, which is available in a variety of configurations that can help IT managers get a better handle on stopping attackers from getting a foothold inside our networks.

We looked at four browsers in a variety of configurations:

• ​​Appaegis Enterprise Web Access Browser
• TalonWork from Talon Cyber Security
• Advanced Browser Security from Perception Point
• Silo from Authentic8

Island has a product but declined to participate. All these products are built on top of Google’s Chromium browser. Because of their ubiquity, secure enterprise browsers have a demanding must-have feature collection if they are going to be given serious consideration.

Tips to evaluate secure web browsers

Before you start an evaluation, you need to understand how these browsers work and how they will be managed. First, they require a robust and granular collection of security controls to be able to work with the widest possible collection of websites and cloud services. This needs to happen from a central management platform that can apply a collection of firewall-like rules and policies across the entire user population. This includes several broad categories:

• Enable MFA at the beginning of any browser session by default.
• Handle isolation controls both with respect to the user’s session and to isolate any application from cross-infection. This means controlling the movement of data between the browser, your particular endpoint and the web application or applications involved.
• Control access to particular web destinations, either to allow or block this access.
• Detect malware to block phishing, man-in-the-browser and other attacks.
• Apply data loss prevention controls, which include browser settings such as ad blocking, URL and domain filtering, blocking printing, cut-and-paste operations, and screen sharing. These controls should also be able to manage your browser extensions in such a way that a user can’t override or circumvent them.
• Enable a variety of logging tools to aid in remediation or reconstruction in case of attacks or data destruction.
• Enable anonymous surfing for times when this is needed, such as protecting travelers when they are in more totalitarian locations.
• Enable a protected and secure file storage space that can be shared among a team of collaborators.

Second, any browser needs to integrate with existing security products such as identity management, cloud applications security posture, single sign-on (SSO), and VPNs. That is a lot of software to work with, to be sure, but enterprises don’t want to reinvent these wheels. For example, Talon integrates with Crowdstrike’s Falcon malware protection and all four tools integrate with various identity providers via SAML or in some cases OAuth.

Next, the browser must come in several different packaging options. First is to support both Windows and MacOS “thick” clients (meaning they typically use a virtual machine to separate it from the rest of your desktop). Note that few of these products offer additional support for Android, iOS, or Linux clients. These browsers need to also have a “thin client” that can run from a managed cloud service and a browser extension that can add some of its security features to what you are running presently on your desktop or mobile device. Our summary chart lists which vendor does which option. No one vendor covers all these situations completely, so you must understand the gaps and what potential harm that could translate into.

While all these products run crafted Chrome versions, they typically employ Linux virtual machines. That could be an issue if you are trying to run web content that isn’t Linux friendly, such as some streaming services. The good news is that the secure browsers are close to parity with a standard desktop browser and running close to the most current Chrome versions, thanks to the results reported by the HTML5test.com site.

The biggest issue to implement these browsers will be staffing and support. This starts with integration into your other security products and onboarding and training your users how to browse the web under the newer and hopefully more secure regime. This will be a significant load on your own internal support resources to handle the various helpline calls from confused or frustrated users when they encounter unexpected results from their browsing experience. We ran into several issues during our tests and had trouble getting timely answers from all four vendors.

Foundry

Finally, there is the price. Expect to pay somewhere around $10/month/user for subscription options, with quantity discounts available. Only one vendor, Appaegis, has complete pricing transparency.

Secure web browsers compared

Enterprise Web Access Browser from Appaegis

Appaegis Enterprise Web Access Browser offers a managed Windows and Mac client that runs an instance of Linux Chrome Dev 101 inside your existing local browser, but in a protected environment. It has a wide collection of polices, access roles, and applications that are configured similar to a firewall. Multi-factor authentication (MFA) is an option but not enabled by default. It also collects logs on user access, applications and other details, and offers secured SSH and RDP from the browser. It has a main dashboard that looks a lot like an SSO tool to launch your protected web applications.

Appaegis

Pricing is public and Appaegis offers free and paid versions, the latter starting at $10/month/user with quantity discounts. There is API integration with Okta and Azure AD identity management services and various key vaults at AWS, Azure, HashiCorp and Keeper. The browser obtained the highest score of any secure browser on the HTML5test site of 526.

Silo from Authentic8

Authentic8 has been in the secure browser business for more than eight years and continues to enhance its product and widen its services offerings. It can provide two-way full isolation and integrate it into your existing workflows and provide a wide collection of security policies that offer fine-grained control over protecting your apps and your data. It has a main dashboard that looks a lot like an SSO tool to launch your protected web applications.

Authentic8

Silo offers two different client downloads: thick client and thin client. Both can be managed centrally and via an API connection, all of which kick off Linux-based sessions running Chrome Dev 101.0.4951.49. The browser received a score of 474 (and the extension got 476) from HTML5Test. While the vendor did not reveal pricing specifics, two plans are available: on a per user or per hourly consumption basis.

Advanced Browser Security from Perception Point

Perception Point acquired Hysolate and has incorporated its features into its Advanced Browser Security product line. The software has an “xray” feature that automatically detonates any attachments in a sandbox running various versions of Microsoft Word to detect potential threats. This happens in near real time — a matter of seconds. The software comes either as a free thick client for Mac and Windows or as a managed browser or extension that is available starting at $5/user/month, with quantity discounts available.

Perception Point

The vendor has constructed an online demo of its dashboard here. The software policy collection isn’t as rich as what is available from Authentic8. It received a score of 474 from HTML5Test, running Chrome 104 on Linux. We had stability problems on our Mac and had to reinstall the software. Its Mac client doesn’t support viewing any protected content, including all Netflix movies.

TalonWork from Talon Cyber Security

TalonWork comes as only a thick client version and includes Windows and Mac. Android and iOS are expected later this year. It has a full managed feature set that includes data loss prevention features, extensive logging, and plenty of policies and rule sets. Like some of the others, you can set up a main login like an SSO tool to launch your apps. It will examine the endpoint posture to ensure that it is running the latest OS version and identify risky browser extensions or restricted URLs that you can specify. The company does not reveal pricing. HTML5Test score was 476, running on a protected MacOS Chrome 105 client.