After a decade spent trying to make virtualization work for cybersecurity isolation at scale, it is with a heavy heart that I must pronounce virtualization-based isolation cybersecurity dead.
Virtualization-based browser isolation solutions vary, but the issue I have is that they just do not work at scale in a cost-effective way and this is a huge problem when you consider that we need to protect millions of internet users. We need to protect the many and not just a few.
Back in 2009, I was lucky enough to work with NNSA.gov teams working on cybersecurity isolation projects. Those early 'remote browser' isolation projects, what many consider to be the birth of modern browser isolation, evolved into the Safeweb remote browsing model used at Lawrence Livermore National Laboratory (LLNL) to this day. Back then we were learning how to leverage desktop virtualization technology to deliver remote browsers to 5000 federal government users, and despite obvious systemic issues, the model took off like a rocket.
Isolating your user’s browsing activity away from your internal networks by putting a (ahem) WEBGAP between your users and the internet is a fantastically good idea in general, but because most attacks come through your browser, a physical space (or an air-gap) between your networks and the internet is necessary to protect your users and infrastructure. By isolating your user's browsing activity, you isolate the associated risks of them using the internet while shutting down the most common infiltration points on your networks in the process.
Virtualization is an inefficient vehicle for handling the browser compute load at scale.
In early implementations of the RBI model, desktop virtualization technology was used to deliver remote browsers (in the early days, disposable desktops containing browsers). We gave thousands of federal government users a non-persistent virtual desktop upon which they were free to remotely browse the internet. Their local machines were totally locked down and disconnected to the outside internet and this model worked fantastically well and was well-liked by the users.
The users were happy because they were tired of having their internet shut down on them every time there was a breach at the security facility they worked in. We realized back in those early days that you simply cannot shut down the internet and investigate every time a breach is detected. Your users need the internet and they (understandably) freak out when it's not there. So, we gave each user a virtualized remote browser and let them use the internet to their heart’s content, away from the valuable IP on federal government networks.
When we built LLNL's first browser isolation platform, it dawned on me during the deployment that the physical isolation of browsing activity (what we now call browser isolation) was a completely new model and the only other group I knew about who was using the same model at the time were Los Alamos National Laboratory (LANL), but they called it an ‘internet glovebox’ (remember that these people are nuclear scientists).
I remember looking around for competitors at that time and there were none, but after a year or two, they appeared on my radar leveraging different implementations of the same model. I saw a number of different approaches to isolating a user's browsing activity and I found different flaws in each of them.
I found most implementations to be hugely inefficient. This inefficiency becomes obvious the second you start playing them at a vast scale. They leverage virtualization instead of containerization and they leverage a centralized SAN-based architecture, neglecting the obvious cost efficiencies around browser compute isolation that distributed architectures can bring to the table. I think virtualization-based isolation technologies are dead because they are unable to cost-effectively protect large amounts of users at once, failing the market test by default.
Cyber attacks are EVERYONE’s problem. It's a problem that affects millions of normal internet users and while browser isolation protects the privileged few right now, it is still too expensive to protect the many other users who need it.
All those years ago at LLNL, Robin Goldstone, the 'mother of RBI', said something to me that looking back seems almost prophetic. She told me that unless we could get the price down to single-digit dollars per user per month, browser isolation will never be adopted on a mass scale by the mainstream.
She was right.
When we talk about isolating browsers, we are talking about millions of browsers and virtualization-based solutions built around centralized architectures will never get us there–they are just too expensive. I have been isolating browsing activity longer than most, I was present at the birth of the browser isolation cybersecurity space, and I hereby declare virtualization-based RBI platforms legacy.
May they rest in peace, for they have served us well.