Last updated on December 10, 2018
By: Rajesh Ranganathan, Product Manager, ManageEngine
When asked to name their critical network endpoints, most IT pros would cite mobile devices, laptops, desktops, and servers. A few might include wearables and other emerging end-user hardware. Browsers, though, probably wouldn’t make the list. After all, they’re applications that run on the endpoints, not endpoints themselves. But given the valuable role browsers play in accessing enterprise applications and information, it’s time to rethink how we classify them and as a result, how we manage and secure them.
Rise of the browser
Mobility and cloud permeate today’s workforce, and those two trends underscore the browser’s significance. The majority of office applications such as Microsoft Office 365, Salesforce CRM applications, the Zoho One business suite runs in the cloud and is accessible via browser, so users can work from anywhere, at any time, using their laptops, smartphones, and other browser-enabled devices.
For many users, the browser has become a primary work tool — if not the primary work tool — for performing their day-to-day activities. And that’s proven to be a boon for IT departments because browsers simplify life for end users and IT admins alike. End users don’t need to install any additional components to access corporate applications or data. In turn, IT admins see fewer application-related trouble tickets.
Evolution into an endpoint
Initially, web browsers were used to access data from a web server — HTML documents and images, maybe some video — and render it in a single page. As companies placed new demands on the web, native browser functionality was supplemented by operating system resources and full-blown software applications like Adobe Flash Player and Java.
Supplementing the browser with these technologies gave end users a better, more consistent experience that included streaming video and access to offline storage. However, it also gave criminals more vulnerabilities to exploit and more ways to attack the enterprise.
HTML5, the latest version of the HTML standard, goes a long way in addressing the security and other functional challenges posed earlier. HTML5 eliminates the need for Flash, Java, and other add-ons, plugins, and third-party software components to interact with the system resources. Now, the browser itself handles everything.
Once Google, Microsoft, Mozilla, and other vendors implemented HTML5 in their browsers, SaaS applications started leveraging HTML5’s platform-neutral functionalities in favour of earlier, platform-specific technologies. In addition to better user experience, HTML5 has fostered an explosion in enterprise-based, rich internet applications
HTML5 has also created a thriving ecosystem of browser extensions that improve the user experience. Thousands of extensions are available for Chrome, Firefox, Edge, and other HTML5 browsers. With extensions, users don’t install full-blown software components on their devices. Instead, extensions install directly in the browser, typically enhancing the browser interface rather than introducing an additional UI. In turn, end users can install and use extensions on their own, without IT support.
Browser endpoint challenges
With browsers at the centre of so much corporate activity, they are now subject to many of the same challenges that face desktops, smartphones, and other hardware-based endpoints.
The first challenge is the concern of leaking sensitive corporate data. For example, many end users wind up using the same browser — on the same computer — for personal and professional purposes. Personal email, banking, and shopping are just a few of the unauthorised applications that can compromise sensitive enterprise data as well as personal information. Typically, such applications aren’t monitored and don’t meet corporate security standards, and data is subject to loss or theft as a result.
Second, the number of surface attacks grows along with some extensions users install in their browsers. Those extensions can read all the data exchanged between the device’s browser and the back-end server. While end users think the extensions are secure, they can leave users and their companies at risk of crypto-jacking, ransomware, phishing, and other malware attacks that target one computer and then spread to other systems in the corporate network.
Finally, most companies are going to manage a hybrid application environment that combines HTML5 and legacy technologies. Not every enterprise application is going to move to the cloud immediately. Rebuilding and redeploying apps takes a lot of time. For many organisations, both types of applications will be used at the same time.
That’s just a fact of corporate life. Take Windows 10, for example. It launched in 2015, and Windows 7 still plays a critical role in the enterprise.
It’s worth pointing out that, when it comes to browsers, “legacy technologies” include HTML4. The majority of the enterprise web applications use HTML4 technology, which hasn’t changed much over the last 15 years. Even though organisations are moving to HTML5, they still have to manage their existing HTML4 applications as well as any add-on or plugin code used to enhance them.
Managing and securing the browser endpoint
To meet the challenges above, IT teams need to handle their browser endpoints with the same professionalism they use to manage other parameters. Organisations need to manage not only their browsers but also the extensions as well as the plugins and add-ons used by older browsers and keep all of those technologies up to date. They need visibility to determine what should be given access to which resources, and what should be restricted.
Teams also need to apply critical browser controls and harden browsers. Some vendors offer enterprise editions of their browsers, which include policy engines that govern the applications and extensions they can use, data security and privacy, and browsing experience. To harden the browsers, IT teams need to set bookmarks, the homepage, trusted websites, tweak configurations to increase privacy and security.
Likewise, the activity of browsers and browser extensions needs to be sandboxed to prevent data from being knowingly or unknowingly leaked to unintended third parties. When the same browser is used to conduct both personal and professional business, the data must be secured and managed to prevent any data leakage. For instance, users should not be able to download work documents from Office 365 and attach them to an email in their personal Gmail account.
Last, the team needs to allow corporate data access from trusted devices and restrict usage of untrusted devices for organisational purposes. When end users use their personal computers and devices to do company business, there’s a good chance their hardware doesn’t meet company security standards. Is the computer protected by a strong password? Is it running antivirus software? Have all the software updates and patches been applied? Bottom line, we need to make sure that corporate data is accessed from approved browsers and trusted devices.
Taking a closer look at the browser and the central position it holds in the enterprise, it’s clear we need to rethink the browser. It’s more than another application. It’s become the hub of corporate collaboration, communication, and business operations. As such, the browser has evolved into an endpoint and now requires heightened management and security applied to its hardware-based counterparts.