This blog post is the first in a series exploring the risks associated with web browsers in their function as one of the most—if not the most—important enterprise applications.
How governance got away from us
In the early 2010s, enterprise IT and security teams were just beginning to confront the Consumerization of IT. Even though the concept had been defined over 10 years earlier and had been described by Gartner in 2006 as “the most significant trend affecting IT in the next 10 years”, it took most organizations a long time to acknowledge and then attempt to deal with this emerging trend. The governance challenge, as it existed then, was two-dimensional.
The first dimension was finding out which technologies employees were actually using. The services were cloud-based and—for the first time—it was becoming common for employees to have more than one device such as a desktop and a laptop as well as smartphones and tablets (which didn’t rely exclusively on enterprise networks for Internet access and may or may not have been owned by the enterprise). The availability of “freemium” versions or the ability to directly pay for a cloud service meant that individual employees or entire departments could bypass the IT procurement process. The web-based nature of the services meant there was no dependency on IT to install software. IT and security teams completely lost visibility into what non-standard tools might be in use by the broader employee population.
The second dimension was finding a way to implement governance or enforce corporate policies on technologies that had been designed primarily for consumer use. Most of the tools placed a high premium on ease-of-use and collaboration and therefore had very few controls to limit their behavior. Moreover, since they operated in a browser window, there wasn’t much in the way of a client to restrict. To the extent that any of these tools did have controls, those controls were often inaccessible to IT and security teams because they were not the administrators of the services. They had been supplanted by the services’ official subscribers: the end users.
How governance (almost) got its groove back
After the emergence of several new technology categories including the likes of Enterprise Mobility Management (EMM) and Cloud Access Security Brokers (CASB), billions of dollars in spending on the security products in those categories, and the increased maturity of the enterprise features in many SaaS products, it finally started to feel like IT and security had managed to rein things back in. By the late 2010s, the humble web browser seemed like it was one of the last “consumer” apps standing (in the enterprise). But rather than being relegated to niche uses, it had become the most ubiquitous user productivity tool of them all. Even in this predominant role, however, a few issues remained. For one, employees like to choose their own browsers. For another, some web apps had browser compatibility issues. It was not, therefore, always possible for enterprises to standardize on a single browser. Finally, browsers remain—at their core—a consumer application and enterprise functionality is usually an afterthought. While the most popular browsers include some enterprise features (including governance and policy controls), they tend to be rudimentary since enterprises have built up substantial infrastructure around browsers to enforce required and desired behaviors.
Governance without guardrails is just guidance™
Unfortunately, when the COVID-19 pandemic forced virtually all employees (and their browsers) out of the office, the security and governance infrastructure remained on-premises. As a result, IT and security teams once again lost important visibility. Additionally, many companies were unable to directly enforce their policies and employee behavior changed accordingly—usually not for the better. For example, in a survey conducted by Kaspersky early in the pandemic, 51% of respondents admitted to watching more adult content on devices they used for work-related purposes. The reality is that, regardless of whether employees are knowingly or unwittingly in violation, any policy without a corresponding control is just a suggestion. It is also the case that in all but the most restrictive environments, browsers are dual-use tools: they will be used for both professional and personal tasks.
Governance going forward
Despite all these changes, the first two dimensions of the governance challenge remain the same. Organizations still need to maintain visibility and be able to enforce policies without relying on employees to self-police. Given this new landscape, the governance challenge now also has a third dimension: minimize the potential risk from a “corporate” application that is also a personal application. Adequately addressing all three dimensions necessarily means that any browser governance solution must embrace the browser the same way that the work itself does. Policy enforcement must happen where the work happens: in the browser, regardless of which browser it is, what type of device it’s running on, or whether the user is an employee or 3rd-party/contractor. The solution must also enable organizations to tailor the application and enforcement of policies to their specific needs to avoid being overly restrictive and hindering the productivity that browsers enable. The browser-based governance capabilities of Seraphic Web Security enable organizations to strike a balance between empowering employees to work how and where they need to while still protecting enterprise web apps and data.
Seraphic Web Security is a unique enterprise browser security solution that can convert any browser into an enterprise browser. For more information about the governance capabilities of Seraphic Web Security, please visit our Product page.