The biggest IT threat? That seemingly innocuous web browser
For decades, enterprises have allowed their workers to use whatever free browser they wanted to access the most sensitive files possible. CIOs believed that security software in the environment — such as endpoint security apps or supposedly secure web gateways — would deliver any needed protections.
And until 2020, that view was somewhat valid. Then the pandemic upended the workplace: massive numbers of new remote sites, a rapid shift away from on-premises tools and apps to the cloud, and far more SaaS deployments. Each of those changes pushed more sensitive work into the browser, but because the shift was gradual, almost no one in IT noticed that browser exposure had become far more dangerous.
The browser issue here actually arises from two distinct problems: virtually no limits on which browser can be used and no protections at the enterprise level that sit atop those browsers.
The first is the most bizarre.
Somehow, IT permits any browser to be used in their sensitive environments. Can you imagine that being permitted for anything else? How many CIOs would tell workers they can use whichever VPN app they want, including free consumer-grade VPNs? Would an enterprise CIO be OK with someone in finance ignoring the corporate license for Excel and instead opting to put sensitive payroll details into a freeware spreadsheet found at a gaming site in China? Or maybe an employee could forego a company-paid Zoom account for discussions of that upcoming acquisition and use a freebie service no one’s ever heard of?
IT typically maintains strict controls over all software that touches their privileged areas, but browsers are a security free-for-all?
Let’s delve briefly into the history. When graphical browsers first moved into the enterprise in large numbers around 1994 (the earliest browsers, such as Lynx, were pure text), the goal was to make it as easy as possible for people to interact with the web. The internet had by then existed in one form or another since the late 1960s, but the web had only recently become popular.
The problem is that as environments became exponentially more complex and access to ultra-sensitive data soared, IT didn’t stop to reconsider ancient browser policies.
If IT admins were to choose one specific browser to mandate, controls would become light-years easier. They could even require users to access the latest version from IT, allowing for updates to be strictly maintained. Internal web pages could be designed for that browser, making it far more likely to deliver an identical experience for all users.
I routinely run into secure areas where critical text (such as the “next” button) is offscreen. That means trying three or four browsers until one works. Imagine that problem disappearing simply by mandating one browser for all.
That kind of corporate mandate brings up a few issues:
- Desktop vs. mobile. Some enterprises might need to consider standardizing on one browser for desktop and possibly a different browser for mobile.
- IT political issues. Some of the browsers with major market share are deeply integrated with one vendor’s environments, such as Google Chrome and Microsoft Edge. Depending on how your environments are integrated with different platforms, this could be an issue.
- Compliance. Some of the browser makers are more aggressive at pushing privacy and other data boundaries, especially when generative AI is involved. Standardizing on one of those might lead to corporate compliance issues, especially if you have a substantial presence in Western Europe, Australia or Canada.
- Geography. Beyond the compliance issues, there are language and other regional support issues to consider, especially if you have a major presence in Asia.
That brings us to problem two. Browsers were never designed to be secure in the early days, and although modern browsers sandbox page content and isolate sites from one another, those defenses protect the operating system from a hostile page. They do little for the enterprise when the threat is a malicious extension, a phished session token or a user who is already signed in to every SaaS app. That’s why IT needs to insist that something act as a secure layer between your environment and any browser, even your hand-chosen favorite.
Because every enterprise’s needs differ, there is no one-size-fits-all browser security solution. The security layer must play well with your existing systems, and your particular compliance needs, colored by geography and vertical, are critical factors in choosing it.
“The browser is the number one app that everyone is using. The browsers of today are much more powerful than the older versions,” said Dor Zvi, CEO of security firm Red Access. “They allow you to run JavaScript, login and tokens and render HTML. The browser today is so powerful that it acts almost like an operating system.”
Zvi argues that there is a reason those browser capabilities are so dangerous.
“A lot of the attacks today can now happen entirely within the browser. It is happening inside the frame of the browser, which means it is not on the network side and not on the endpoint side. The browser now holds the cookies and tokens for all of your applications,” he said. “Let’s say someone is trying to steal my Okta two-factor authentication. [The attacker] can run it by solely using the browser privileges and no one will ever know about it.”
Another problem with allowing any browser from around the world to access your systems involves browser extensions. Just as Apple and Google can’t adequately police their app stores to detect and remove every malicious app, browser vendors can’t fully verify the legitimacy of extensions. A malicious extension with broad permissions has access to nearly everything the browser can do or see, including the cookies and session tokens for every web app the user is signed in to. That’s another reason standardizing on one browser matters: it lets IT also rein in extensions, through managed allowlists and permission policies, instead of trusting whatever each user installs.
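As an added example of what that reining-in looks like in practice (this is not code from the article or from Red Access), the script below triages extension manifests by the permissions they request and turns the result into a Chrome/Edge ExtensionSettings policy that blocks every extension except the reviewed ones. It assumes a fleet standardized on Chrome or Edge, because ExtensionSettings is their policy; a mixed fleet of arbitrary browsers has no single knob like this, which is the point made earlier about mandating one browser. The permission tiers are my own judgement rather than an official classification, and the extension IDs and manifests are constructed placeholders, not real Web Store entries.

```python
"""Triage browser-extension manifests and emit a Chrome/Edge managed policy.
Added example, not code from the article or from Red Access."""
import json

# Real Chrome/Edge extension permission names; the risk tiering is this
# example's own judgement, not an official classification.
HIGH_RISK = {
    "cookies", "webRequest", "webRequestBlocking", "debugger", "proxy",
    "nativeMessaging", "scripting", "tabs", "history", "clipboardRead",
    "management", "declarativeNetRequest",
}
# APIs that, combined with all-site host access, let an extension lift
# session cookies or tokens for any SaaS app the user is signed in to.
SESSION_APIS = {"cookies", "webRequest", "scripting", "debugger"}
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample manifests; the 32-char IDs are placeholders, not real.
SAMPLE_MANIFESTS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "name": "Handy PDF Tools", "manifest_version": 3,
        "permissions": ["cookies", "webRequest", "storage"],
        "host_permissions": ["<all_urls>"],
    },
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "name": "Tab Counter", "manifest_version": 3,
        "permissions": ["storage"],
    },
    "cccccccccccccccccccccccccccccccc": {
        "name": "Legacy Intranet Helper", "manifest_version": 2,
        "permissions": ["tabs", "https://intranet.example.com/*"],
        "content_scripts": [{"matches": ["https://intranet.example.com/*"],
                             "js": ["helper.js"]}],
    },
}


def host_patterns(manifest):
    """Collect every host pattern the extension asks for (MV2 and MV3 styles)."""
    hosts = set(manifest.get("host_permissions", []))          # MV3
    hosts |= {p for p in manifest.get("permissions", [])       # MV2 mixes them in
              if "://" in p or p == "<all_urls>"}
    for cs in manifest.get("content_scripts", []):             # injected scripts
        hosts |= set(cs.get("matches", []))
    return hosts


def assess(ext_id, manifest):
    """Return a triage verdict (allow / review / block) for one manifest."""
    api_perms = {p for p in manifest.get("permissions", [])
                 if "://" not in p and p != "<all_urls>"}
    every_site = bool(host_patterns(manifest) & ALL_SITES)
    findings = sorted(api_perms & HIGH_RISK)
    if every_site:
        findings.append("runs on every site")
    if every_site and (api_perms & SESSION_APIS):
        verdict = "block"        # can read any site's cookies/tokens
    elif findings:
        verdict = "review"       # powerful but scoped; a human decides
    else:
        verdict = "allow"
    return {"id": ext_id, "name": manifest.get("name", "?"),
            "verdict": verdict, "findings": findings}


def build_policy(allowed_ids, blocked_permissions=("debugger", "proxy", "nativeMessaging")):
    """ExtensionSettings policy: default-deny, allow only reviewed IDs.
    The "*" entry is the default for every extension; per-ID entries override it,
    and blocked_permissions under "*" applies fleet-wide."""
    settings = {"*": {"installation_mode": "blocked",
                      "blocked_permissions": list(blocked_permissions)}}
    for ext_id in allowed_ids:
        settings[ext_id] = {"installation_mode": "allowed"}
    return {"ExtensionSettings": settings}


def triage(manifests):
    """Assess every manifest and build the allowlist policy from the results."""
    reports = [assess(i, m) for i, m in manifests.items()]
    allowed = [r["id"] for r in reports if r["verdict"] == "allow"]
    return reports, build_policy(allowed)


if __name__ == "__main__":
    reports, policy = triage(SAMPLE_MANIFESTS)
    for r in reports:
        print(f"{r['verdict']:6} {r['name']}: {', '.join(r['findings']) or 'no findings'}")
    # Chrome on Linux reads this from /etc/opt/chrome/policies/managed/*.json;
    # on Windows the same value is delivered via GPO/registry as a JSON string.
    print(json.dumps(policy, indent=2))
```

Running it flags the "PDF tools" extension as block (cookies plus webRequest on every site), the intranet helper as review (tabs, but scoped to one host) and the tab counter as allow, and the emitted policy allows only that last ID. The extensions in "review" stay blocked until someone signs off on them, which is the safe default when the extension store cannot vouch for them.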
It’s a lot to think about — but preferably not right before bed.