Articles by Daniel Fages

The browser is an integral element in the corporate Cloud strategy. The broad take-up of web technology with standardized languages and protocols has resulted in the browser taking on the role of a universal client for end-user access to web-based and cloud-based resources. Browsers are free, and everyone knows how to use one. Pretty compelling arguments when budgets are tight!

But is using an industry standard browser really a zero-cost proposition for the enterprise? Let’s take a look at some of the issues.

Consumer-driven technology. The browsers we’re all familiar with all obey one fundamental design principle: they must be as easy to use as possible for the greatest number of users. They must not hinder the user’s interaction with the web and the sites they want to visit – no matter what content those sites are hosting. In response to the Web 2.0 drive to increased user interactivity with rich internet applications, the browser transparently downloads and executes “helper” applications (Ajax, Flash, Java, ActiveX for example). In other words, the configuration of the browser is unstable and unmanageable. Is this really what you want from a key element of the corporate information infrastructure, the user interface to business critical applications?

Insecure design. Security professionals are increasingly aware that browsers are inherently insecure. The problems are threefold: (i) the browser, like any complex software environment, will always be exposed to bugs and vulnerabilities; (ii) the browser, connected to the internet, is inherently more exposed to external threats than software operating primarily locally on the machine, with local data; (iii) the browser’s self-modifying architecture (via plugins, for example – see above) multiplies the two preceding security risks.

No protection for confidential data. The end user connecting to enterprise Cloud services from home or from a cybercafé using the locally-installed browser is a threat to the enterprise. Business-critical processes and data may be exposed, via the browser, to a PC over which the enterprise has no control. Even if the user is sufficiently security-aware (and technically competent) to clear the browser cache and history at the end of each session – and how many of your users are? – sensitive data may still be stored locally (Flash cookies, to give just one example, without going into spyware and other threats).

If corporate IT management is to take full control of the cloud computing environment, we need to rethink the client-side connection. A new browser architecture is needed, secure by design, protecting corporate IT resources against web-based threats.

For more about the security issues of the browser and the Cloud, take a look at our White Papers.

Yes, Microsoft publishes yet another security alert for Internet Explorer. It allows an attacker access to any file on the system, and all versions of Internet Explorer are vulnerable — though the default configuration in the most recent versions of Windows (Vista, Server 2008, or 7) will block attempts to exploit the vulnerability. This leaves Windows XP deployments at risk; that’s 66% of the market according to NetMarketshare.

Bernard Ourghanlian, Director of Security at Microsoft France, has an interesting (for us) take on the issue. Interviewed by journalists for French web media Clubic, he says “We would love to put Internet Explorer 6.0 behind us, but we simply can’t. For an enterprise, deploying a new navigator is a huge job. As long as Microsoft offers support for Windows XP (up to 2014), Internet Explorer 6.0 will also be supported.”

Putting to one side (for the moment) the fact that this new vulnerability is one more proof point for the session isolation we’ve developed with Virtual Browser, Ourghanlian’s words highlight a further problem with the management of desktop navigators as part of the enterprise infrastructure: deployment, updates, patching… all these tasks represent significant management and support overheads for the enterprise. The centralized architecture of Virtual Browser makes updates, whether to the browser or its plugins, trivial, and means that every user sees the updated browser, instantly.

There’s nothing new under the sun, they say; they could have been talking about browser security issues. There’s clearly a need for a revolution in the browser architecture — run-time environment, deployment, and support tools. That’s what we’re working on and where we’re going with Virtual Browser.

On January 15th the German federal information security agency BSI and the French equivalent CERTA both issued bulletins recommending the use of products other than Microsoft Internet Explorer, following a security alert from Microsoft the previous day.

According to French agency CERTA the vulnerability in IE would allow an attacker to remotely execute code on the user’s PC, to steal data or compromise the system. Some of the world’s largest corporations, including Google, appear to have been victims of attacks.

This is the first time that official national IT security agencies have explicitly warned against the use of a specific product due to vulnerabilities. In this case, though, the vulnerabilities are present in every release of the product back to version 6.0. Some two-thirds of internet users browse with IE, meaning the potential for damage is huge. Many enterprises and government agencies deliver IE 6.0 or 7.0 as part of the standard end-user desktop environment; the risk of a crippling attack on industry and/or government networks called for action.

This time Internet Explorer has been identified as vulnerable. But the reality is that it’s the underlying architecture of industry-standard web browsers that’s at fault. That’s why we’ve taken an entirely new approach with Virtual Browser. The only truly effective way to protect sensitive corporate or government networks is to isolate the browser using virtual machines in a secure, centralized hosting environment. With the session isolation feature of Virtual Browser any attack is contained within the session; should the session be compromised, it’s just a virtual machine and the attack is eliminated when the virtual machine is shut down at the end of the session. Whether it’s Internet Explorer or one of the alternatives running in the Virtual Browser session, users can continue to browse safe in the knowledge that their data – and their employer’s – is fully protected against the exploitation of any browser vulnerability.

Just back from three intense and encouraging days at the Assises de la Sécurité conference in Monaco. It’s the first time commonIT has been to the event, an annual fixture in the French information security calendar now in its ninth year. The number and the quality of the contacts we made were impressive, with a lot of interest in the Virtual Browser solution. As word got around, with CSOs, industry analysts and consultants speaking to each other about commonIT, it was as if we were watching our technology grow from day to day, evolving from “technical innovation” to “enterprise solution” before our eyes. Journalists from leading French industry media including Distributique, 01 informatique, Journal du Net, Global Security Mag, and virtuanews joined the buzz.

We’re going to have our work cut out following up all the leads — but that was what we went for! A big thank you to DG Consultants for the organisation and management of the event.

Last week we passed a key stage in the development of commonIT, closing our first funding round. The €500k we’ve raised will be invested in accelerating current initiatives, both technical — we expect to announce release 2.0 of Virtual Browser early in 2010 — and in sales and marketing development.

It’s with pleasure, then, that we welcome Rhône-Alpes Création and Expansinvest (Banque Populaire des Alpes) to the table as partners in the commonIT project. They worked quickly and effectively with us allowing us to reach this funding agreement just eight months after founding commonIT, an important factor for us. Personally I’d like to extend a warm thank you to Mathieu Viallard, director of business development at Rhône-Alpes Création, for his efficiency and professionalism in managing the negotiations.

Last week Google finally got around to announcing what we’ve all been expecting since the launch of the Google Chrome browser — the Google Chrome Operating System. No surprise, really, the hints were there in the generous use of operating system terminology (Process Manager, Address Space, Garbage Collector etc) to describe browser features. No surprise either given Google’s historic focus on developing and delivering new services over the web. You’re using GMail for your email and calendar, you use Google Apps for your office applications, you use Picasa to touch-up your photos and you browse the web using Google Chrome; what do you need a full-featured local OS for when you can do everything via the browser? The temptation proved too strong for Google to resist and the result is now here, essentially a Linux kernel with a user interface based on the Google Chrome browser.

Google isn’t the first company to develop a solution of this type, and examples such as Good OS or jolicloud are worth taking a look at. The difference, of course, is that Google has the resources and the clout to really impact the market.

So how does the commonIT team view this? Well, you can tell we’re not surprised. In practice this is one more sign that we’re merely at the beginning of a revolution in IT systems architectures, with the re-centralization of applications and data, accessed via the browser. As far as we’re concerned where there’s change, there are opportunities; but we’ll talk about that some other time :-)

Last week Valérie Pecresse, Minister of Higher Education and Research in the French government, announced the winners of a nationwide competition sponsored by her ministry to identify innovative enterprises and technologies. CommonIT figured among the 74 enterprises selected to benefit from government financial aid covering 60% of the costs of their innovation projects.

But while the financial aid is more than welcome, the competition also says a lot about the quality of winners’ business models. The competition is now in its 11th year, and 80% of previous winners were still in business five years after winning, an exceptionally high success rate.

For commonIT, being selected as one of the winners is a reward which recognizes both the technical innovation of the Virtual Browser solution and the quality of the management team. Two criteria essential to the continuing growth and success of commonIT.

When we introduce potential customers to the commonIT Virtual Browser solution, one question keeps coming up: “can’t I do the same thing using TSE or Citrix?”. From a technical point of view, it’s partially true; but Virtual Browser has important advantages over a home-made TSE/Citrix solution which I’ll discuss in this post. From a cost point of view, there is a huge difference between the two approaches, and I’ll talk about that in a follow-up posting.

Suppose you want to develop your own “Virtual Browser” based on TSE/Citrix; you’ll need to (short version):

  • Install Windows Server 2008 (minimum version if you want to have the ‘RemoteApp’ feature that seamlessly integrates the remote window) and possibly Citrix Presentation Server on a server farm
  • Configure the TSE/Citrix sessions (with local disk and printer sharing)
  • Publish the “web browser” application (IE/Firefox)

You now have what we could call a “Virtual Browser lite” — but there are major differences compared with the commonIT Virtual Browser solution:

  • No session isolation: This system won’t allow you to isolate sensitive web applications from others, which is one of the key features of the Virtual Browser solution
  • You have to manage web browser security updates yourself, whereas commonIT can manage it for you
  • You cannot choose different web browser engines (IE, Firefox, Chrome, …) for different web applications, a feature supported by the commonIT Virtual Browser solution
  • If you want your users to print from the web browser, you’ll have to share local printers, which can take a long time during the session set-up; with “Virtual Browser”, you don’t have this problem because the technology used for printing doesn’t need the local printer to be shared
  • The web browser published with TSE/Citrix is not the default web browser. This means the user will have to explicitly run this web browser which won’t be fired up when the user clicks on a URL (in their email client for example)
  • Thanks to the virtualization technology used, it’s possible to run 3 to 4 more sessions on the same hardware when we compare Virtual Browser to a TSE/Citrix solution

So, technically speaking, there’s no reason to develop your own virtual browser solution based on TSE/Citrix — and the idea becomes even less interesting if we compare costs for the two approaches, as we’ll see in a second posting.

Recently, IBM and Canonical announced a virtual desktop product, based on Linux. Their announcement matches the commonIT market vision, covered by David in his “Back to the dumb terminal” article.

Some may ask “if the desktop is virtualized, why would you want to virtualize the web browser?” The answer is simple: while desktop virtualization has a number of advantages (cost reduction for instance), it doesn’t solve web browser security issues; the threat is simply moved from a physical computer to a virtual environment and as long as the web browser runs in the same environment as other applications and sensitive data, security issues still exist.

That’s why we recommend “double virtualization”: a virtual browser running on a virtualized desktop — at least as long as users are still dependent on non-web applications. And once all applications are webified, Virtual Browser delivers the single secure client for the enterprise information system - there’ll no longer be any need for a full client-side OS.

I met Albino just as we were getting started with the Arkoon adventure; a mutual friend introduced us to each other. I was quickly convinced that Albino had the capacity to develop Arkoon sales - starting from zero!

Albino Pili:

Albino’s Franco-Italian background has contributed to a successful multifaceted sales career. A graduate in electrical engineering, Albino has held sales responsibilities in various large European IT services and distribution groups including Allium and InfoPoint. In 1997, he joined the sales team at ECS Group, the European leader in IT equipment leasing, and developed a contract portfolio worth €2.5M. In 2000, Albino joined us at Arkoon to start the sales activity. The strategic partnerships and key agreements he signed early on still contribute significantly to Arkoon’s revenues. Albino also started the European development of Arkoon in October 2004, when he was charged with developing new sales channels in Italy. In 2006, Albino joined Databail, a subsidiary of the C2A group, as sales manager. In early 2008, Albino left Databail to study strategic management (ICG) at Nanterre Paris X university. In the same period, we decided to start the commonIT project.
