Browser isolation solutions execute the online browsing activity of each of your company’s end users in a secure sandbox environment. This means that, if the user opens a malicious webpage or downloads a malicious attachment, any dangerous content is contained within the sandbox environment, where it can’t damage the user’s live system or network.
There are two main types of browser isolation: local (on-premises) and remote. Local browser isolation solutions execute browsing activity in a sandbox that’s hosted locally on the user’s computer. Remote browser isolation solutions execute browsing activity in a remote cloud server that’s completely isolated from the user’s local machine. With both types of browser isolation, the user has a completely normal browsing experience, but their browsing activities take place within the sandbox—so any threats are executed in isolation of their local machine and network.
Because browser isolation vendors focus on sandboxing or containing web threats—rather than blocking access to them and the websites on which they’re hosted—admins don’t have to restrict user access to certain websites or domains that may be malicious, or malicious pages within legitimate domains. This enables security teams to protect their users against web-based malware and phishing, without having to constantly update lists of trusted or known malicious pages. It also increases employee productivity by enabling them to carry out research without the restriction of certain websites being blocked.
In this article, we’ll explore the top local and remote browser isolation solutions designed to protect your organization against web-based threats such as malware and phishing. These solutions offer a range of capabilities, including document isolation, read-only modes and data loss prevention (DLP), reporting, and attack forensics. We’ll give you some background information on the browser isolation vendors and highlight the key features of the solutions themselves, as well as the type of customer that they are most suitable for.
Apozy is a cybersecurity provider that specializes in web security through native browser isolation. Their flagship solution, Airlock, is a browser defense platform that enables organizations to protect their users against web-based malware and phishing attacks. Airlock uses artificial intelligence to determine the risk posed by each website a user visits in real-time, enabling it to efficiently and effectively isolate known and zero-day threats with minimum latency or disruption to the end user’s browsing experience.
Airlock uses visual data and AI to identify malicious links in real-time while users are browsing and sandbox the contents of those links at point of click so that, if a user clicks on anything malicious, that content never reaches their local system. If a user visits a suspicious website, they’re informed of the risk and notified that they can continue to browse, but downloads and links will be disabled. The Airlock platform also offers an ad blocker that filters adverts based on admin-configured filters and auto-categorization to prevent “malvertising”—digital adverts that have been injected with malicious code and are distributed via legitimate advertising networks.
Users praise Apozy Airlock for its powerful feature set and the vendor’s continuous enhancement of the product. The platform deploys quickly—with almost instant deployment for Google Workspace users via an integration with Google Admin console—without having to install extra software or configure firewall policies. Airlock’s focus on ease of use and creating a seamless end user experience makes it an ideal solution for mid-market organizations looking for protection against web threats, without negatively impacting their users’ productivity.
Autentic8 is a web security provider that strives to provide distributed and hybrid workforces with secure, open access to the web while decreasing their susceptibility to web-based threats. Their Silo Web Isolation Platform is trusted globally by organizations across all industries to secure users’ browsing activities, as well as help ensure compliance with industry data protection standards via thorough session monitoring and auditing capabilities.
Silo isolates all web code, regardless of device or network, from the user’s endpoint, protecting the corporate network from data loss at the hands of web-based malware or phishing. As a result, Silo claims that customers have experienced zero data loss events or identity leaks in the last 10 years. From the central management console, admins can enable, restrict, and revoke access to web pages from both managed and unmanaged devices in real time. This effectively provides a kill switch to prevent web access that violates company policy, even mid-session. Active directory syncing enables admins to easily configure role-based, group-level policies and permissions, and all admin activity is captured for auditing and compliance use. User session activity is also recorded for forensic analysis but can be erased via the admin console.
Users praise Silo for the high levels of protection it provides and the ease with which admins can implement security for remote teams as well as on-premises users. However, some users report that Authentic8’s support offering could be better, with delayed response times after emailing with a query. Fully cloud-based, Silo deploys easily without any installations and is accessible via any network or location. We recommend Authentic8’s Silo as a strong solution for any organization looking to protect their remote and on-prem users against web-based threats, and particularly those that need granular configuration options to meet strict compliance requirements.
Cisco is a software provider that specializes in network, cloud, and cybersecurity solutions for the enterprise. Umbrella Remote Browser Isolation (RBI) is Cisco’s remote browser isolation solution, available as an add-on to their Umbrella Secure Internet Gateway (SIG), which also includes a secure web gateway (SWG), firewall, DNS-layer security, a CASB, data loss prevention (DLP), and threat intelligence. Umbrella RBI adds a layer of protection against web-based phishing and zero-day malware by executing all browsing activity in a secure cloud environment isolated from the user’s machine.
Umbrella RBI sandboxes all browsing activity in a secure, remote browser hosted in the cloud, then renders web content and documents to the end user’s machine with very little latency, delivering a safe browsing experience with minimal impact on user performance. The platform also offers malware file scanning and file inspection, and enables users to download the sanitized versions of files locally. From the central management console, admins can enable granular controls for different risk profiles, ensuring that they deliver maximum protection to their most at-risk users.
Users praise Cisco Umbrella for its ease of implementation and the effective protection it offers, without the need for in-depth technical knowledge. Being cloud-based, Umbrella RBI is easy to deploy without changing browser configurations or the need for any additional plug-ins. It’s compatible with all devices, browsers, and operating systems, and scales quickly on-demand. As such, we recommend Cisco’s Umbrella RBI for any-sized organization looking for reliable, scalable remote browser isolation that’s compatible with diverse environments, and can be deployed as part of a wider web security stack.
Citrix is a cybersecurity provider that focuses on enabling secure remote productivity. Their solutions include endpoint management, behavior and performance analytics, and virtual desktops among others, and are trusted by over 100 million users across the globe—including 98% of the Fortune 500. Citrix Secure Browser is their zero-trust solution designed to offer employees with secure access to the internet via any device. The cloud-based virtual browser uses isolation technology to separate browsing activity from the endpoint, sandboxing any malicious web content without interrupting the user’s browsing experience.
When using Citrix Secure Browser, each user’s browsing activity is contained within a secure remote server; no data is transferred between websites and the user’s device. This prevents users from downloading web-based malware. All browsing data is erased after each active session, preventing attackers from accessing historical browsing data. From the management console, admins can create allow lists to restrict user access to certain websites, as well as configure URL filtering to control access to certain categories of website, such as adult content, gambling and social networking sites. Admins can also monitor the activity of active sessions—including username, session ID and client IP, how the user has authenticated, what web app they’re accessing and session duration—in real-time and disconnect sessions if needed.
Citrix Secure Browser is fully cloud-based, making it easy to deploy on any endpoint without any configurations. The solution is available as a standalone product or as part of Citrix Secure Private Access Advanced, which also includes adaptive access controls, multi-factor authentication, and zero trust network access to TCP- and UDP-based apps. We recommend Citrix Secure Browser as a strong solution for any sized organization looking to protect their hybrid and teleworking users against web-based malware and phishing.
Forcepoint is a cybersecurity provider that strives to protect the enterprise network at every layer with the broad range of security products, which includes Secure Email and Web Gateways, firewalls, and behavioral analytics. Available standalone or as part of the wider Forcepoint ONE security platform, Forcepoint RBI is their remote browser isolation solution, which enables businesses to implement zero trust web access through Content Disarm and Reconstruction (CDR) technology.
Forcepoint’s CDR assumes that no file can be trusted; rather than detecting malware, it extracts safe information from documents, verifies it, then reconstructs a new, fully-functional document that’s delivered to the user—completely eliminating file-based risks with near real-time performance. The platform’s smart isolation technology automatically switches between two rendering modes according to the risk of the webpage being rendered; full isolation is applied for high-risk employees (e.g., C-suite) and unknown sites, and targeted isolation is applied to the rest of the population and safe sites. Admins can also assign role-based permissions for clipboard controls, which restrict or permit access to copy-and-paste functions. This can help prevent users from interacting with phishing pages.
Users praise Forcepoint RBI for its real-time threat protection, simplicity of deployment and ongoing management, and the amount it frees up IT resources that may otherwise have ben spent sifting through helpdesk tickets regarding over-blocking. Forcepoint RBI is compatible with Windows and MacOS devices, and supports all HTML5-compatible web browsers, including Chrome, Edge, Firefox, and Safari. It offers integrations via LDAP and SAML with identity providers for user authentication, and SIEM providers for centralized reporting. We recommend Forcepoint RBI as a strong remote browser isolation solution for larger enterprises looking for effective protection against web-based threats, with granular, role-based policy configurations.
iboss is a cloud web security solution that combines SASE, CASB, web filtering, DNS protection, malware defense and browser isolation via one platform. The platform’s browser isolation features protect employees, contractors and third parties when browsing the web from both managed and unmanaged devices, preventing data loss caused by phishing pages and isolating malware threats.
With iboss, all web content is rendered in an isolated browsing session via the iboss Zero Trust Edge; content is streamed to the user’s browser with minimum impact on their browsing experience, but the user’s endpoint never directly accesses the web content, so can’t be infected by web-based malware. Admins can also configure “read only” web access, which limits users’ ability to copy and paste data from the browser and prevents unauthorized downloads to unmanaged devices—limiting data loss via phishing and malware. Finally, iboss enables admins to apply browsing policies for individual users and user groups, so they can set stricter policies for departments or roles more likely to be targeted by cyberattacks.
iboss can be implemented in the iboss public cloud or an organization’s own private cloud. The solution offers 100% API-based integration, with support for MS 365, MS Cloud App Security CASB and Azure, making it easy to deploy and onboard users. Users praise iboss for its intuitive admin console and the powerful protection provided for remote employees, without having to install complex infrastructure. Some users warn of a learning curve that comes with the product but add that the excellent technical support from iboss’ engineers makes up for this. We recommend iboss as a strong solution for mid to large organizations looking for browser isolation as part of an extended web security suite.
Menlo Security is a market-leader in web security, providing a Secure Web Gateway, remote browser isolation, and data loss prevention. They also offer a CASB solution, email isolation, and a cloud firewall. Menlo’s Remote Browser Isolation solution routes all browsing activity through a remote, cloud-based browser, enabling on-prem and remote users to access the entire internet securely without sacrificing their browsing experience.
Menlo’s Remote Browser Isolation uses a secure cloud proxy to render browsing content in a contained cloud environment, ensuring that only safe content is delivered to each end user when browsing and preventing users from interacting with phishing pages or downloading malware. Admins can configure browsing policies by user, user group, file type or website category, which define whether content is displayed in its original form, as read-only, or completely blocked. The solution also offers a pop-up and ad blocker, to mitigate the risk of malvertising.
Menlo’s cloud-first solution is highly scalable and, as such, is able to provide protection to organizations of all sizes. However, most customers range from mid-market to larger enterprises. Users praise Menlo’s Remote Browser Isolation for its threat protection, granular policy configurations and ease of deployment, though some report that web pages can be a little slow to load when in isolation. We recommend Menlo’s solution as a strong isolation tool for mid-sized to large enterprises looking to protect both on-prem and remote users against web threats, and particularly those that require granular policy configuration options.
For a more detailed look at Menlo’s product, read our review Menlo Security: A Comprehensive Deep Dive.
Skyhigh Security is a cloud data protection provider born of Symphony Technology Group’s 2021 acquisition and merger of McAfee Enterprise and FireEye. Their flagship cloud data protection platform unifies application security, a secure web gateway, a CASB, and ZTNA, all in one Secure Service Edge (SSE) that’s managed via a single console. Available as part of this platform, Skyhigh Remote Browser Isolation prevents web-based malware and phishing threats from harming user endpoints by executing all browsing activity in a secure cloud server, isolated from the local network.
Skyhigh Remote Browser Isolation renders a sanitary version of the webpage on the user’s endpoint in a dynamic visual stream that’s responsive to typing, clicking and scrolling—delivering complete security with little impact on the user’s browsing experience. From the management console, admins can define granular user-level permissions relating to file downloads. When users are permitted to download files, Skyhigh scans them first to eliminate threats. Admins can also view reports on users’ browsing activities, which can be used to detect insider threats (users that are regularly trying to access malicious sites) and unproductive employees (users that are visiting social media sites, for example). These reports can also be used for compliance monitoring, and to adjust permissions so that full-time isolation is applied for users that require it (e.g., high-risk users such as C-suite, or SOC staff that may need to visit malicious sites for research).
Skyhigh Remote Browser Isolation is available as part of Skyhigh’s wider SSE solution, with the option for admins to add on full isolation licenses where needed (e.g., for C-suite and SOC staff). We recommend Skyhigh Remote Browser Isolation as a strong solution for larger enterprises looking for browser isolation as part of a wider cloud data protection platform.
ZScaler is a market leader in powerful, scalable web security. Cloud Browser Isolation (formerly Appsulate), is ZScaler’s zero trust web isolation solution, which prevents data loss by isolating users’ endpoints from all web content as they browse, preventing malware and other web threats from coming into contact with the user’s device. The solution offers protection for on-prem locations, mobile devices and remote sites, and both managed and unmanaged devices.
ZScaler effectively creates an air gap between each endpoint and the web, rendering safe content in each user’s browser using pixel streaming technology, which enables users to have a normal browsing experience with minimum latency, while preventing them from interacting with malicious downloads, phishing sites, and malvertising. From the management console, admins can configure policies to restrict uploads, downloads, copy, paste and print actions, to help prevent data loss. Admins can also set up group policies for high-level targets such as company executives or certain departments—such as accounting and HR—that may be at higher risk of being targeted by an attack.
ZScaler Cloud Browser Isolation is a cloud-native solution, requiring no software agent installation. This makes is quick and easy to deploy, as well as highly scalable. The solution also offers universal compatibility with all browsers to provide users with a seamless, “normal” browsing experience. Because of its scalability, we recommend ZScaler Cloud Browser Isolation as a strong solution for any sized organization, and its compatibility with any browser type and location make it suitable for organizations with a large number of remote or hybrid workers, contractors, or third parties accessing their network.
What Is Browser Isolation?
Browser isolation is an approach to web security that isolates or sandboxes online threats instead of blocking access to them, as more traditional web filtering solutions do. Remote browser isolation solutions do this by executing all browsing activity in a remote server that’s isolated from your local environment; local or on-premises browser isolation solutions execute browsing activity in a secure server elsewhere within your organization’s private network.
This means that when a user visits a malicious webpage or clicks to download a malicious file, the malware is executed in that isolated sandbox and cannot affect the user’s device.
When accessing the internet via a browser isolation solution, users should be able to browse as normal and with minimal latency, including using commands such as “copy” and “paste”.
How Do Browser Isolation Solutions Work?
Browser isolation solutions fetch and execute web-based commands in secure, remote servers. These servers can be in the cloud or on-prem—the main point is that they’re completely isolated from your users’ devices. When a user starts a browsing session, their browsing activities are carried out in the isolated server. The browser isolation vendor then renders the session on the user’s device in one of three ways: by streaming the browser, inspecting and rewriting each page and then sending it to the local browser, or sending a vector graphic representation of the final webpage to the user.
One way to think of this is like using an interactive, live screen recording. It gives the user a completely normal, unrestricted browsing experience, whilst protecting them against web-based threats such as malware.
Remote Vs. Local Browser Isolation: Which Should You Choose?
There are positives and negatives to both types of browser isolation—the one you choose really depends on what your priorities are as a business.
Remote browser isolation solutions are cloud-based, so they don’t require you to install any plug-ins, agents, or clients. This makes them highly scalable, and it also means that they’re compatible with all devices and operating systems.
Local browser isolation solutions require you to provide your own isolation servers, which can be expensive, and the isolation must usually occur within your firewall; when using remote browser isolation, it occurs outside your firewall. This means that, with local browser isolation, your internal network may still be at risk even though user devices are protected against malware. Finally, local browser isolation solutions can be difficult to scale across multiple networks, which makes them difficult to implement for companies with multiple offices or remote workers. However, local browser isolation often has less latency than remote browser isolation.
What Are The Benefits Of Browser Isolation?
Local and remote browser isolation solutions both offer three key benefits:
- Reduce web-based threats. Browser isolation solutions greatly reduce the risk of malware from spreading across your network by preventing users from downloading malicious code to their devices. Some browser isolation vendors also offer integrations with email clients, thereby help prevent phishing attacks administered this way. When a user clicks on a malicious link or file in a phishing email, the browser isolation solution displays a safe “read-only” version of the file or page.
- Increase user productivity. Some more traditional web security solutions, such as DNS filters, can cause friction in the browsing experience as they may falsely identify pages as being harmful and restrict user access to them. Browser isolation provides users with a native, unhindered browsing experience; they can visit any page, using any browser, and download any file, without it being flagged as malware and blocked. Users can even use commands such as “copy”, “paste”, and “print”.
- Save admin resources. Browser isolation requires less management after initial set-up than traditional web filters do; they don’t require admins to set up allow/deny lists or investigate alerts that tell them a user has attempted to visit a site that may be unsafe. Some isolation solutions, however, still do offer website classification that enables admins to restrict access from certain types of web page, such as adult content or social media sites.
What Features Should You Look For In A Browser Isolation Solution?
There are a few key features that you should look for when choosing a browser isolation vendor or solution:
- Browser isolation for malware blocking. Your chosen solution should execute browsing sessions in an environment isolated from your end users’ devices—this could be in an on-premises sandbox (local browser isolation) or in a remote cloud server (remote browser isolation). This will ensure any malicious code is “detonated” in the secure sandbox environment and can’t be downloaded onto a user device.
- Email integration for phishing protection. The best browser isolation solutions offer integrations with popular email clients so that, when a user opens a link in an email, that link is opened in the secure sandbox, rather than locally on their device. This means that even if a user were to accidentally click on a phishing link, they wouldn’t download any malicious content.
- Document isolation for protection against malicious files. By opening documents such as PDFs, Microsoft 365, and Google files in an isolated environment (rather than directly to their device from the internet), browser isolation and remote browser isolation solutions protect users against malicious downloads. Admins should, however, be able to allow users to download the original file if they need to once it’s been rendered, tested, and marked as safe.
- “Read-only” modes for protection against credential theft. Your chosen browser isolation solution should enable you to configure “read only” modes for suspicious or unknown web pages. This means that if a user were to visit a phishing page, they wouldn’t be able to enter their credentials into any forms on that page; they’d only be able to view its content without interacting. Some solutions also enable admins to prevent users from uploading files to certain websites.
- Reporting and analytics. Any strong browser isolation solution should provide admins with reports on attacks that the solution has prevented. This will enable admins to identify which users are visiting malicious web pages so they can carry out further investigation or assign security awareness training if needed, as well as identify which threats their business is most commonly facing.