A Need for a Better Secure Browsing Solution

 
 
HIGHLIGHTS

  • Organizations struggle to enable public Internet browsing without compromising cybersecurity.
  • Typical approaches include trusting a standard browser’s security, or running the browser in the cloud.
  • Both approaches have significant security and user experience limitations.
  • Endpoint Secure Browsing overcomes these limitations by running a hardened browser in isolation on the employee’s client device (PC).
  • HP has pioneered the Endpoint Secure Browsing architecture and provides the best of all worlds: security and strong user experience with reasonable operational overhead.

Organizations struggle to provide simple and secure Internet browsing for their employees. It is difficult because people want to use their corporate-owned device to browse internal resources, work-related external sites, and an endless number of sites for personal reasons.

 
 

This browsing may lead to malware being installed on the endpoint if a malicious file is downloaded from a website. A further risk is from threat actors leveraging zero-day vulnerabilities in the browser or operating system to execute their attack. So how can organizations support a positive browsing experience, while still protecting their business?

 
 

Typical Solutions Fall Short

There are two common architectures used to provide Secure Browsing, but both are deficient to some degree:

 

1. Endpoint-Based Standard Browser with Anti-virus and Proxy

 
 

This is the most common approach: relying on the native security of a standard browser (e.g. Chrome or Edge), along with anti-virus and often a web proxy, to limit risk to an acceptable degree. This approach fails to provide the level of risk management needed by most organizations, for several reasons:

 

Browser Zero-Day Exploits

 

Browser zero-days are relatively common. Every quarter multiple Chromium patches are published to address zero-day exploits. These vulnerabilities affect all Chromium-based browsers, including Edge and Chrome. Simply clicking on a malicious link that leverages a zero-day Chromium exploit is all it takes to fully compromise an endpoint.

 

Malicious Downloads

 

Content downloaded via browsing can be malicious. This is not the browser’s fault and therefore there is nothing Google or Microsoft can do to fix this. Since most breaches occur on devices running anti-virus and proxies, simply relying on these to detect and block a malicious download is not enough.

 

User Actions

 

User behavior, not the browser itself, often causes challenges. For example, a user may be tricked into typing their credentials on a phishing website. Another example is data leakage, via the user uploading sensitive content to personal webmail or a social media website. If the organization totally prevents access to such sites, it not only creates a poor user experience but also drives users to spend less time on their corporate devices and more time on their smartphones.

 

A variant of this approach is to add network segmentation. External browsing can be limited to endpoints that are segmented from corporate assets. This clearly does limit the ability of attacks to compromise devices on the “internal” side of the segmentation, but falls short in several ways:

 

Poor User Experience

 

Users are prohibited from external browsing except on limited devices, a major inconvenience.

 

Costs and Complexity

 

Segmentation is difficult and expensive to architect, validate, and maintain.

 

Risk

 

Segmentation doesn’t eliminate the zero-day risk, which could still leverage a vulnerability in the browser or operating system.

 
 

2. Cloud-Based Browsing

 
 

It is possible to run the browser in the cloud rather than on the endpoint. A service provider hosts the execution of the browser as a cloud-based service, and browser instances are created on an as-needed basis. A thin client on the endpoint exchanges keystrokes, mouse movements and display data with the cloud-based browser over the Internet. This makes it more difficult to compromise the endpoint; however, cloud-based browsing has multiple issues:

 

High Costs

 

Cloud operating costs, increased bandwidth use, and the required staff overhead can all drive costs up.

 

Cloud and Privacy Concerns

 

Many organizations restrict the use of cloud technologies or have user privacy mandates, making this approach impractical.

 

Poor User Experience

 

Moving the browser to the cloud can cause user experience issues due to degraded performance, or the separation of the browser from the rest of the computing environment.

 
 

A Better Approach

Secure Browsing On The Endpoint

 

Endpoint-based Secure Browsing technology enables safe but productive Internet browsing. It consists of two components:

 
 

Hardened Browser

 

A special type of Internet browser is deployed on the endpoint. This browser is hardened specifically to reduce the risk of zero-day attacks that might compromise a standard browser.

 

Micro-virtualization

 

Each instance of the hardened browser is executed in its own isolated virtual instance on the endpoint. This puts a ring around the browser that attackers will struggle to bypass. The isolation boundary is enforced by dedicated virtualization hardware built into all modern business-class CPUs, which makes it much harder for attackers to defeat and improves performance via hardware acceleration.

 

HOW DOES ENDPOINT-BASED SECURE BROWSING WORK?

 

When a user browses a website, a hardened browser instance is created in its own dedicated space. This “double protection” Secure Browsing prevents malware from compromising the endpoint. Downloaded content is also run in an isolated container.

 

This approach allows organizations to safely permit access to higher-risk sites that might otherwise have to be blocked, such as personal email and social media. Content upload and download policies can be created based on content type or URL (website), preventing content transfers unless authorized. An even more secure policy option is to run the Secure Browser in read-only mode, allowing users to view websites while preventing them from downloading or uploading data to or from their PC.
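The transfer policy model described above (authorization by content type or site, with a read-only mode that overrides everything), as an added illustrative example. This is not HP's policy engine or configuration format; the rule structure, function names and the placeholder hosts are assumptions made here.

```python
"""Hypothetical content-transfer policy evaluator for an isolated browser.
Illustrative code only, not HP's policy engine or configuration format. It models
the page's three controls: rules keyed on content type, rules keyed on site (URL
host), and a read-only mode. Stance is default-deny: no matching rule, no transfer.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Tuple
from urllib.parse import urlparse

@dataclass(frozen=True)
class Rule:
    direction: str                       # "upload" or "download"
    hosts: FrozenSet[str] = frozenset()  # empty = any host
    types: FrozenSet[str] = frozenset()  # empty = any content type

@dataclass
class TransferPolicy:
    read_only: bool = False              # blocks all uploads and downloads
    rules: List[Rule] = field(default_factory=list)

def host_allowed(host: str, allowed: FrozenSet[str]) -> bool:
    # Exact host or a subdomain of an allowed host. Plain substring matching would
    # let "notfiles.corp.example" or "files.corp.example.evil.test" through.
    return any(host == a or host.endswith("." + a) for a in allowed)

def evaluate(policy: TransferPolicy, direction: str, url: str,
             content_type: str) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for a single upload or download."""
    if policy.read_only:
        return "deny", "read-only mode blocks all transfers"
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "deny", "URL has no host"
    mime = content_type.split(";")[0].strip().lower()  # drop charset parameters
    for rule in policy.rules:
        if rule.direction != direction:
            continue
        if rule.hosts and not host_allowed(host, rule.hosts):
            continue
        if rule.types and mime not in rule.types:
            continue
        return "allow", f"{direction} of {mime} at {host} authorized by rule"
    return "deny", f"no rule authorizes {direction} of {mime} at {host}"

# Constructed sample policy with placeholder hosts: PDFs may be downloaded from
# any site; uploads are permitted only to the corporate file-sharing host.
SAMPLE_POLICY = TransferPolicy(rules=[
    Rule("download", types=frozenset({"application/pdf"})),
    Rule("upload", hosts=frozenset({"files.corp.example"})),
])
```

Setting read_only=True on the same policy denies every transfer regardless of the rules, which is the stricter option the text describes.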

 

Note that the Secure Browsing components are all endpoint-based and not in the cloud. This ensures a consistent user experience and lowers costs by leveraging the investment in the endpoint hardware. It also is compatible with organizational policies that restrict the use of cloud computing or have strict data privacy controls.

 

Secure Browsing is the best of both worlds: users can run the browser and other applications natively on the endpoint for a positive, consistent user experience. Meanwhile the organization enjoys significant risk reduction from one of the most dangerous sources of compromise.

 

Secure Browsing Benefits

 
 
 

HP pioneered Endpoint Secure Browsing. Its Sure Click Enterprise and Wolf Pro Security offerings are purpose-built solutions that support easy deployment of Secure Browsing at scale. They provide the double-protection afforded by browser hardening and CPU-enforced isolation. Both Intel and AMD processors are supported, as well as HP and non-HP PCs. They deliver multiple capabilities and benefits.

 
 
 

  • Secure, flexible browsing experience
  • No heavy investment in new IT infrastructure
  • Robust policy options to match employer and employee requirements
  • Centralized management for efficient operations and consistent policy implementation
  • Integration with common security architectures and operational models


Sure Click Enterprise [1] provides enterprise-level configuration options and either on-premises or cloud-based management. Wolf Pro Security [2] offers a simplified configuration and operational model for smaller organizations. With over 30 billion [3] user actions executed without a reported compromise, the product set is proven across industries, geographic regions, and risk management policy profiles.

 

Conclusion

Endpoint Secure Browsing for Risk Management and Superior User Experience

 
 

Organizations need to provide flexible, performant browsing for their users, to allow them to do their jobs effectively and enjoy a positive user experience. But they struggle to do so without creating significant risk or incurring higher costs. Secure Browsing based on CPU-enforced isolation solves this challenge. It provides significant reduction in risk from downloaded malicious content or zero-day attacks. Unlike alternative approaches, it maintains strong user experience and performance, and is not cloud-dependent. Therefore, it deserves serious consideration by organizations of all sizes seeking a new approach to the secure browsing experience.

 
 

1. HP Sure Click Enterprise is sold separately. Supported attachments include Microsoft Office (Word, Excel, PowerPoint) and PDF files, when Microsoft Office or Adobe Acrobat are installed. For full system requirements, please visit System Requirements for HP Sure Click Enterprise for details.
2. HP Wolf Pro Security is available preloaded on select HP devices, as a subscription, and in term licenses. Contact your HP sales representative for more details.
3. Assumptions based on HP internal analysis of customer-reported insights and installed base through mid-April 2023.