Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:30 PM
Connect Directly
E-Mail vvv

The Browser Is the New Endpoint

Given the role browsers play in accessing enterprise applications and information, it's time to rethink how we classify, manage, and secure them.

Asked to name their critical network endpoints, most IT pros would cite mobile devices, laptops, desktops, and servers. A few might include wearables and other emerging end-user hardware. Browsers, though, probably wouldn't make the list. After all, they're applications that run on the endpoints, not endpoints themselves. But given the valuable role browsers play in accessing enterprise applications and information, it's time to rethink how we classify them and, as a result, how we manage and secure them.

Evolution into an Endpoint
Initially, web browsers accessed data from a web server — HTML documents and images, maybe some video — and rendered it in a single page. As companies placed new demands on the web, browser functionality was supplemented by operating system resources and full-blown applications like Adobe Flash Player and Java.

The supplemental technologies gave browser users a better, more consistent experience that included streaming video and access to offline storage. However, they also gave criminals more vulnerabilities to exploit and more ways to attack the enterprise.

HTML5, the latest version of the HTML standard, goes a long way in addressing the security and other functional challenges posed earlier. Basically, HTML5 eliminates the need for Flash, Java and other add-ons, plug-ins, and third-party software components. Now, everything is handled by the browser itself.

Once Google, Microsoft, Mozilla, and other vendors implemented HTML5 in their browsers, software-as-a-service applications started leveraging HTML5's platform-neutral functionalities in favor of earlier, platform-specific technologies. In addition to a better user experience, HTML5 has fostered an explosion in enterprise-based, rich Internet applications.

HTML5 has also created a thriving ecosystem of browser extensions that improve the experience of Chrome, Firefox, Edge, and other HTML5 browser users. With extensions, users don't install full-blown software components on their devices. Instead, extensions install directly in the browser, typically enhancing the browser interface rather than introducing an additional user interface. In turn, end users can install and use extensions on their own, without IT support.

Browser Endpoint Challenges
With browsers at the center of so much corporate activity, they are now subject to many of the same challenges that face desktops, smartphones, and other hardware-based endpoints.

The first challenge concerns leaking sensitive corporate data. For example, many end users wind up using the same browser — on the same computer — for personal and professional purposes. Personal email, banking, shopping, and other unauthorized applications can compromise sensitive enterprise data as well as personal information. Typically, such applications aren't monitored and don't meet corporate security standards, and data is subject to loss or theft as a result.

Second, the number of surface attacks grows along with the number of browser extensions installed. Those extensions can read all the data exchanged between the device's browser and the back-end server. While users think the extensions are secure, they can leave users and their companies at risk of cryptojacking, ransomware, and other malware attacks that target one computer and then spread to other systems in the corporate network.

Finally, most companies are going to manage a hybrid application environment that combines HTML5 and legacy technologies. Not every enterprise application is going to move to the cloud immediately. Rebuilding and redeploying apps takes a lot of time. For many organizations, both types of applications will be used at the same time. And many organizations will have to manage legacy HTML4 applications.

Managing and Securing the Browser Endpoint
To meet the challenges above, IT teams need to manage their browser endpoints with the same professionalism they use to manage other endpoints. Teams need to manage not only their browsers but also the extensions as well as the plug-ins and add-ons used by older browsers and keep all of those technologies up to date. They need visibility to determine what should be given access to which resources and what should be restricted.

Teams also need to apply critical browser controls and harden browsers. Some vendors offer enterprise editions of their browsers, which include policy engines that govern the applications and extensions they can use, data security and privacy, and browsing experience. To harden the browsers, IT teams need to set bookmarks, the homepage, and trusted websites as well as tweak configurations to increase privacy and security.

Likewise, the activity of browsers and browser extensions needs to be sandboxed to prevent data being leaked to unintended third parties. When the same browser is used to conduct both personal and professional business, the data must be secured and managed to prevent leakage. For instance, users should not be able to download work documents from Office 365 and attach them to an email in their personal Gmail account.

Last, the team needs to allow corporate data access from trusted devices and restrict usage of untrusted devices for corporate purposes. When end users use their personal computers and devices to do company business, there's a good chance their hardware doesn't meet company security standards. Is the computer protected by a strong password? Is it running antivirus software? Have all the software updates and patches been applied? Bottom line, we need to make sure that corporate data is accessed from approved browsers and from trusted devices.

Given its central position in the enterprise, the browser needs to be rethought. It's more than another application. It's the hub of corporate collaboration, communication, and business operations. As such, the browser has evolved into an endpoint and now requires the heightened management and security applied to its hardware-based counterparts.

Related Content:


Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Rajesh Ranganathan is a Product Manager at ManageEngine, a division of Zoho Corp. In his 17 years with the company, Rajesh has held key roles on several teams, including the endpoint management and security product teams. When he isn't working, you'll find Rajesh watching a ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Moderator
10/31/2018 | 10:09:16 PM
Re: Paradox
It is true that users often see things from the surface since that is the platform that we all engage with regularly. However, if we were to be required to tackle an issue, it should be from the root of the problem. Disruptions that are prevented from the top might still be processing at the base which becomes dangerous.
User Rank: Apprentice
10/28/2018 | 11:57:54 PM
Re: Paradox
it's interesting to think about just how much thought and planning goes into a little application on your computer isn't it! I really wouldn't think so much every time I open up a Chrome or Firefox window that there's so much coding and communication behind it actually! That said, I reckon that we need to slow down and think very carefully about that impact on our lives like you've said and see just how important it is to secure that application properly too!
Joe Stanganelli
Joe Stanganelli,
User Rank: Ninja
10/23/2018 | 4:15:11 PM
Interesting points, but, alas, a fundamental paradox exists in the enterprise on this subject:

- Secure browsing

- Ban on Tor usage

Pick one.
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-21
The Autoptimize WordPress plugin before 2.7.8 attempts to delete malicious files (such as .php) form the uploaded archive via the "Import Settings" feature, after its extraction. However, the extracted folders are not checked and it is possible to upload a zip which contained a directory w...
PUBLISHED: 2021-06-21
The Autoptimize WordPress plugin before 2.7.8 attempts to remove potential malicious files from the extracted archive uploaded via the 'Import Settings' feature, however this is not sufficient to protect against RCE as a race condition can be achieved in between the moment the file is extracted on t...
PUBLISHED: 2021-06-21
The Autoptimize WordPress plugin before 2.7.8 does not check for malicious files such as .html in the archive uploaded via the 'Import Settings' feature. As a result, it is possible for a high privilege user to upload a malicious file containing JavaScript code inside an archive which will execute w...
PUBLISHED: 2021-06-21
The Comments Like Dislike WordPress plugin before 1.1.4 allows users to like/dislike posted comments, however does not prevent them from replaying the AJAX request to add a like. This allows any user (even unauthenticated) to add unlimited like/dislike to any comment. The plugin appears to have some...
PUBLISHED: 2021-06-21
The WP Google Maps WordPress plugin before 8.1.12 did not sanitise, validate of escape the Map Name when output in the Map List of the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue