Global Column | The biggest IT threat is seemingly harmless web browsers

For decades, companies have allowed employees to use any free browser of their choice to access their most sensitive files. CIOs believed that security software, such as endpoint security apps or secure web gateways, would provide all the protection needed.


And until 2020, this view was valid to some extent. But as the pandemic brought various changes to the workplace, almost everything changed. The change was so gradual that no one in IT departments noticed the risk, even as browser weaknesses became much more dangerous. These changes include a huge number of new remote sites, a rapid shift from on-premises tools and apps to the cloud, and significantly more SaaS deployments.

The browser problem here stems from two issues: there are virtually no restrictions on which browsers you can use, and there are no enterprise-level protections for those browsers.

The first is the most bizarre problem.

IT departments allow the use of any browser in sensitive environments. This kind of tolerance is difficult to imagine in other areas. How many CIOs would tell their employees they can use any VPN app they want, including free consumer-grade VPNs? Would a CIO be okay with a finance person ignoring the corporate license for Excel and entering sensitive payroll information into a freeware spreadsheet found on a Chinese gaming site? Or would an employee be allowed to abandon the company-paid Zoom account and discuss an upcoming acquisition over a free service no one has ever heard of?

IT departments typically maintain tight controls on any software that touches their privileged areas, so why do browsers get a free pass on security?

Let’s take a brief look at its history. When graphical browsers were first introduced on a large scale for enterprise use around 1994, the goal was to make it as easy as possible for people to interact with the Web. The Internet has been around for decades, but the Web was just becoming popular at the time.

The problem is that even as environments grow exponentially more complex and access to highly sensitive data proliferates, IT departments have not reconsidered their outdated browser policies.

Control would be much easier if IT managers could select and mandate a specific browser. IT departments can even tightly manage updates by requiring users to access the latest versions. Internal web pages can be designed for that browser, making it much more likely that all users will have the same experience.

I often run into secure areas where important text (e.g. the ‘Next’ button) is rendered off-screen and cannot be seen. That means you have to try three or four browsers until one of them works. Imagine how many of these problems would disappear if we mandated one browser for all users.

There are several problems with this type of corporate regulation.

  • Desktop vs. Mobile. Some companies may need to consider standardizing on one browser for desktop and another browser for mobile.
  • IT political issues. Some browsers with significant market share, such as Google Chrome and Microsoft Edge, are tightly integrated into one vendor’s environment. Depending on how your environment integrates with other platforms, this issue may arise.
  • Compliance. Some browser vendors are pushing privacy and other data boundaries more aggressively, especially when it comes to generative AI. Standardizing on one of these browsers, especially for companies with a significant presence in Western Europe, Australia or Canada, could lead to corporate compliance issues.
  • Geography. In addition to compliance issues, you must also consider language and other regional support issues, especially if your main operations are in Asia.

Now let’s move on to the second problem. Browsers weren’t designed with security in mind when they first appeared, and that hasn’t changed much since. That’s why IT departments need to insist on something that acts as a security layer between the user experience and all browsers, even the ones users choose.

Since every company’s requirements are different, no single browser security solution can be applied uniformly to every organization. A browser security layer must work well with existing systems, and region- and industry-specific compliance requirements are important factors.

“Browsers are the most used app for everyone,” said Dor Zvi, CEO of security specialist Red Access. Today’s browsers are much more powerful than previous versions: they can run JavaScript, handle logins and tokens, and render HTML. “Today’s browsers are so powerful that they almost act like operating systems.”

Zvi argues that there is a reason why this browser feature is dangerous.

“Many attacks today can occur entirely within the browser. In other words, the attack is occurring inside the browser frame, neither on the network side nor on the endpoint side. The browser now holds cookies and tokens for all applications. Let’s say someone is trying to steal a user’s two-step authentication. An attacker can run this with just browser privileges and no one will know.”

Another issue with allowing any browser in the world to access the system has to do with browser extensions. Just as Apple and Google fail to properly police their app stores to detect and remove malicious apps, browser teams are also unable to verify the legitimacy of extensions. Malicious extensions often have unrestricted access to everything you can do or see in the browser. That’s why it’s important to standardize on one browser, which gives IT departments control over browser extensions.
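What that control looks like in practice, as an added illustration that is not part of the original column: once a single browser is mandated, its enterprise policy channel can block every extension by default and force-install only the ones IT has reviewed. The fragment below uses Google Chrome’s real ExtensionSettings policy; the 32-character extension ID is a placeholder (not a real extension), and the file location assumed is Chrome’s managed-policy directory on Linux, /etc/opt/chrome/policies/managed/.

```json
{
  "ExtensionSettings": {
    "*": {
      "installation_mode": "blocked",
      "blocked_install_message": "Extensions must be reviewed and approved by IT before use."
    },
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
      "installation_mode": "force_installed",
      "update_url": "https://clients2.google.com/service/update2/crx"
    }
  }
}
```

The "*" entry is the default for every extension not listed, so users cannot sideload or install anything from the store on their own; the placeholder entry shows the shape of an approved, centrally pushed extension that users also cannot remove. After the file is in place, chrome://policy on a managed machine lists the loaded values, which is the quickest way to confirm the policy actually applied. On Windows the same keys are delivered through Group Policy or the registry rather than a JSON file.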

There is a lot to think about when it comes to current browser-related security policies.
editor@itworld.co.kr

Source: www.itworld.co.kr