security


It’s now widely recognized that the browser is one of the leading weaknesses in the enterprise information security environment, increasingly under attack as criminals race to develop exploits for each new vulnerability faster than the browser vendors can patch the problem.

But the problem isn’t limited to the browser itself. The browser hosts multiple add-ons and helper applications in an extremely complex runtime environment to offer the user seamless access to rich media content (PDF, webex, video streaming and so on). These add-on programs have (naturally) their own vulnerabilities. Adobe and Oracle issue frequent updates for their leading browser add-ons, Adobe Acrobat Reader, Adobe Flash Player, and Java. Recently, Microsoft announced that MMPC (Microsoft Malware Protection Center) had blocked over 6 million Java attacks in a single quarter. The problem for the enterprise is that any one of these updates may render the browser environment incompatible with business-critical applications – and it may be practically impossible to back out of the update. To avoid this situation many enterprises now freeze end-user deployments at a specific, tested Java release or service pack level of Microsoft’s Internet Explorer, despite the security risks of not running the latest updates.

The winners, in this situation, are the security software vendors, continuously developing new solutions to install on the end-point platform (antivirus, antispyware, anti-malware…), each one slowing the PC down a little more, and mostly incapable of preventing an attack launched against the latest 0-day vulnerability. One way of resolving the problem would be to deploy a separate machine for each application, on every user’s desktop; isolated and correctly configured, security and performance could be optimized — for a certain cost. Fortunately for the bottom line, there’s the Virtual Browser solution.

On September 30th CommonIT’s Swiss partner Navixia brought together 90 IT managers and consultants for the third Navixia Forum, a half-day conference dedicated to information security solutions.

This year the program included five customer case studies, including a prestigious Geneva-based client of commonIT who shared their experience of a Virtual Browser deployment with the audience. Participants responded enthusiastically to the presentation, covering how Virtual Browser is used to deliver a secure Internet access service. We’ll be bringing you more details shortly.

The Virtual Browser solution offers an excellent alternative to traditional VPN-based technologies for remote access to web-based applications or remote desktop (Citrix/TSE) environments, or even for connection to the office PC. Virtual Browser delivers higher performance and security, and it’s simpler and less costly.

To accelerate the uptake of Virtual Browser as a solution for mobile and remote access, we’ve developed an OEM partnership program for security and mobility solutions vendors. OEM partners will be able to offer Virtual Browser technology under their own brand, with pricing adapted to their business model.

The solution is delivered using the SaaS model, hosted on our own servers or on the OEM partner’s infrastructure, with technical support from commonIT. Our objective is to make Virtual Browser available to the largest possible user population through partnering with software and hardware developers for whom the solution represents an opportunity to add value and generate new revenue streams in a market where demand is strong.

In addition to the recently announced partnership with Hermitage Solutions, we are currently in discussion with three other potential partners in Europe; we hope to see the results early in the new year. For more about the OEM program contact us at oem@commonit.com.

The browser is an integral element in the corporate Cloud strategy. The broad take-up of web technology with standardized languages and protocols has resulted in the browser taking on the role of a universal client for end-user access to web-based and cloud-based resources. Browsers are free, and everyone knows how to use one. Pretty compelling arguments when budgets are tight!

But is using an industry standard browser really a zero-cost proposition for the enterprise? Let’s take a look at some of the issues.

Consumer-driven technology. The browsers we’re all familiar with obey one fundamental design principle: they must be as easy to use as possible for the greatest number of users. They must not hinder the user’s interaction with the web and the sites they want to visit – no matter what content those sites are hosting. In response to the Web 2.0 drive towards increased user interactivity with rich internet applications, the browser transparently downloads and executes “helper” applications (Ajax, Flash, Java, ActiveX for example). In other words, the configuration of the browser is unstable and unmanageable. Is this really what you want from a key element of the corporate information infrastructure, the user interface to business-critical applications?

Insecure design. Security professionals are increasingly aware that browsers are inherently insecure. The problems are threefold: (i) the browser, like any complex software environment, will always be exposed to bugs and vulnerabilities; (ii) the browser, connected to the internet, is inherently more exposed to external threats than software operating primarily locally on the machine, with local data; (iii) the browser’s self-modifying architecture (via plugins, for example – see above) multiplies the two preceding security risks.

No protection for confidential data. The end user connecting to enterprise Cloud services from home or from a cybercafé using the locally-installed browser is a threat to the enterprise. Business-critical processes and data may be exposed, via the browser, to a PC over which the enterprise has no control. Even if the user is sufficiently security-aware (and technically competent) to clear the browser cache and history at the end of each session – and how many of your users are? – sensitive data may still be stored locally (Flash cookies, to give just one example, without going into spyware and other threats).

If corporate IT management is to take full control of the cloud computing environment, we need to rethink the client-side connection. A new browser architecture is needed, secure by design, protecting corporate IT resources against web-based threats.

For more about the security issues of the browser and the Cloud, take a look at our White Papers.

Windows 7

Microsoft’s staged launch of Windows 7 during the latter half of 2009 has left enterprise system and network admins facing a dilemma. Is now the right time to migrate? And what are the issues?

Given the widely acknowledged lack of enthusiasm for Vista in the corporate network, this means migrating from XP — and the default browser in XP, IE6. For Microsoft, there’s no problem. IE8, integrated with Windows 7, offers “a faster, easier, safer web” (compared, we presume, to IE6 and IE7). The problem in the enterprise is that many applications were (naively) optimised for IE6, and are dependent on certain Microsoft proprietary “enhancements”… which were subsequently dropped in IE7 and IE8 as Microsoft moved to improve compliance with W3C standards.

Will migrating the desktop to Windows 7 mean re-writing enterprise applications to ensure compatibility? Is it cost-effective? Can it even be done? And if we do go through with it, can we be sure we won’t be faced with another costly re-write the next time MS updates IE?

Complicating the situation for today’s CIO even further, compatibility is now about much more than just following Microsoft’s roadmap for Internet Explorer. Your users are choosing Firefox, Safari, or Google Chrome, and terminal devices are becoming more and more diverse — users’ own PCs or laptops from home, mobile users running an unpredictable range of smartphones, netbooks and soon-to-arrive slate devices. As a system administrator, you no longer have the luxury of dictating the configuration of the end-point device. You’re expected to deliver a service irrespective of the user’s choice of platform and browser. How many IT departments have the means to test and validate corporate web-based applications against multiple browsers running on multiple end-point devices?

Fortunately there’s a secure, cost-effective and future-proof answer to these issues: a solution which allows users running Windows 7 to access IE6-optimised applications and IE8, without the need to go through any sort of context switching or reconfiguration. The solution is Virtual Browser.

Virtual Browser allows you to migrate desktop PCs to Windows 7 while offering IE6 compatibility by virtualising the browser (IE6 — or any other industry standard browser), ensuring ongoing access to IE6-optimised applications, simultaneously with support for the most recent browser releases. In practice a fully optimised browser configuration (browser release, plugins, helper applications such as Flash and Java) is hosted by the Virtual Browser server and launched on demand for each user connection. Multi-browser support made easy — find out more from one of our customers here.

Yes, Microsoft publishes yet another security alert for Internet Explorer. It allows an attacker access to any file on the system, and all versions of Internet Explorer are vulnerable — though the default configuration in the most recent versions of Windows (Vista, Server 2008, or 7) will block attempts to exploit the vulnerability. This leaves Windows XP deployments at risk; that’s 66% of the market according to NetMarketshare.

Bernard Ourghanlian, Director of Security at Microsoft France, has an interesting (for us) take on the issue. Interviewed by journalists for French web media Clubic, he says “We would love to put Internet Explorer 6.0 behind us, but we simply can’t. For an enterprise, deploying a new navigator is a huge job. As long as Microsoft offers support for Windows XP (up to 2014), Internet Explorer 6.0 will also be supported.”

Putting to one side (for the moment) the fact that this new vulnerability is one more proof point for the session isolation we’ve developed with Virtual Browser, Ourghanlian’s words highlight a further problem with the management of desktop browsers as part of the enterprise infrastructure: deployment, updates, patching… all these tasks represent significant management and support overheads for the enterprise. The centralized architecture of Virtual Browser makes updates, whether to the browser or its plugins, trivial, and means that every user sees the updated browser, instantly.

There’s nothing new under the sun, they say; they could have been talking about browser security issues. There’s clearly a need for a revolution in the browser architecture — run-time environment, deployment, and support tools. That’s what we’re working on and where we’re going with Virtual Browser.

On January 15th the German federal information security agency BSI and the French equivalent CERTA both issued bulletins recommending the use of products other than Microsoft Internet Explorer, following a security alert from Microsoft the previous day.

According to French agency CERTA the vulnerability in IE would allow an attacker to remotely execute code on the user’s PC, to steal data or compromise the system. Some of the world’s largest corporations, including Google, appear to have been victims of attacks.

This is the first time that official national IT security agencies have explicitly warned against the use of a specific product due to vulnerabilities. In this case, though, the vulnerabilities are present in every release of the product back to version 6.0. Some two-thirds of internet users browse with IE, meaning the potential for damage is huge. Many enterprises and government agencies deliver IE 6.0 or 7.0 as part of the standard end-user desktop environment; the risk of a crippling attack on industry and/or government networks called for action.

This time Internet Explorer has been identified as vulnerable. But the reality is that it’s the underlying architecture of industry-standard web browsers that’s at fault. That’s why we’ve taken an entirely new approach with Virtual Browser. The only truly effective way to protect sensitive corporate or government networks is to isolate the browser using virtual machines in a secure, centralized hosting environment. With the session isolation feature of Virtual Browser any attack is contained within the session; should the session be compromised, it’s just a virtual machine, and the attack is eliminated when the virtual machine is shut down at the end of the session. Whether it’s Internet Explorer or one of the alternatives running in the Virtual Browser session, users can continue to browse safe in the knowledge that their data – and their employer’s – is fully protected against the exploitation of any browser vulnerability.

Malware researchers at McAfee Labs, the research division of McAfee, have just published their annual report “2010 Threat Predictions”. The browser, unsurprisingly, continues to be the principal vector for attacks, according to the report; the news is that social networking sites are fast becoming the main source of threats. One simple example: the popularity of URL shorteners (bit.ly, tinyurl.com) to save characters in Twitter makes it easy to get even the most aware user to click on a “poisoned” link which may download malware or launch a cross-site attack.

The McAfee report also discusses the recent growth in exploits taking advantage of vulnerabilities in helper applications and browser plug-ins such as Adobe Acrobat and Flash. And they highlight the risk of HTML 5.0 “blurring and removing the lines between a web application and a desktop application”. The need for the enterprise to isolate different web usages based on security policies will become increasingly urgent in 2010.

The latest release of Virtual Browser introduces several new features (like every new release — with thanks to Mathieu’s team!). One of these new features in particular adds a whole new dimension to the Virtual Browser solution. Virtual Browser now supports delivery of ICA and RDP remote desktop clients, alongside our already familiar browser support (IE, Firefox, Java, Flash, etc). With this release the end-user now has access not just to web-based applications but to any application which can be virtualised, as well as full-featured virtual desktops.

It’s worth taking a few minutes to understand where we’re going with this. Release 1.3 offers a single, secure, platform-independent client delivering installation-free end-user access to any web-based or virtualised application without the need to worry about (i) the configuration of the end-point device; (ii) the compatibility of end-point browser configuration and the target application/server; or (iii) the appropriate network configuration (VPN, etc) to access the remote application. The objective is to position the Virtual Browser solution as the universal client for access to cloud-based services.

The “Cloud” and “Cloud Computing” are still relatively new terms and there are varying definitions of what they comprise. For us, they cover the full set of web-enabled or virtualised applications, hosted in the enterprise (the private cloud) or by third-party service providers (SaaS). What we’re seeing today is enterprises migrating step-by-step to cloud computing models, with the infrastructure becoming decentralised — some of it moving to virtual environments (Citrix and others), some of it onto the Intranet, and some moving to the Internet, taking advantage of Cloud offerings from vendors like Google, Salesforce.com and other SaaS providers.

In positioning Virtual Browser as the universal client for cloud access, we’re facilitating enterprise migration to cloud computing by resolving three key management issues:

  1. Security: encrypted traffic between the VB client and server, strong authentication, and support for multiple isolated user environments: Internet, Enterprise (internal) applications, on-line (cloud, SaaS) services, on both enterprise (managed) end-points and non-managed end-point devices.
  2. Single point of management and maintenance — configuration, updates, patching — of the client environment, on a centralised server environment, clustered for redundancy and scalability.
  3. Platform independence and compatibility: No matter what type of device the end-user is using or where they connect from, the application sees the same browser, eliminating compatibility issues and facilitating application development and support.
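The two isolation properties described on this page, a disposable session per browsing context (the session isolation discussed under the January IE alert above) and separate environments for Internet, enterprise and SaaS access (item 1 of the list above), can be shown in a small model. The following Python is an added illustration written for this page, not commonIT’s code and not how Virtual Browser is implemented: the `SessionBroker` class, the `ZONE_POLICY` host lists and the hostnames are all constructed for the example. It shows that state accumulated by a compromised Internet session (here just a flag and a cookie) does not survive into the next session, and that a session in one zone cannot navigate to hosts of another.

```python
"""Toy model of per-session browser isolation with separate zones.

Added example, not commonIT's code: a hypothetical session broker that
gives each (user, zone) pair a fresh disposable session, refuses navigation
across zones, and discards all session state on teardown. Zone names and
host lists below are constructed for the illustration.
"""
from dataclasses import dataclass, field
from itertools import count
from urllib.parse import urlsplit

# Constructed policy: which hosts belong to which isolated environment.
# Any host not listed falls into the general "internet" zone.
ZONE_POLICY = {
    "enterprise": {"intranet.example.corp", "hr.example.corp"},
    "saas": {"crm.example-saas.test"},
}


@dataclass
class Session:
    user: str
    zone: str
    session_id: int
    state: dict = field(default_factory=dict)  # cookies, cache, downloads
    compromised: bool = False                  # set when an exploit lands
    alive: bool = True


def zone_for(url: str) -> str:
    """Map a URL to the isolated environment that may handle it."""
    host = (urlsplit(url).hostname or "").lower()
    for zone, hosts in ZONE_POLICY.items():
        if host in hosts:
            return zone
    return "internet"


class SessionBroker:
    """Hands out disposable sessions and enforces zone separation."""

    def __init__(self):
        self._ids = count(1)
        self._active = {}  # (user, zone) -> Session

    def open(self, user: str, zone: str) -> Session:
        """Reuse a live session for this user and zone, or start a fresh one."""
        key = (user, zone)
        session = self._active.get(key)
        if session is None or not session.alive:
            session = Session(user, zone, next(self._ids))
            self._active[key] = session
        return session

    def navigate(self, session: Session, url: str) -> bool:
        """Allow the request only if the URL belongs to the session's zone."""
        if not session.alive:
            raise RuntimeError("session already torn down")
        if zone_for(url) != session.zone:
            return False  # cross-zone request refused; use a session in that zone
        session.state.setdefault("history", []).append(url)
        return True

    def close(self, session: Session) -> None:
        """Tear down the session: everything it accumulated is discarded."""
        session.alive = False
        session.state.clear()
        self._active.pop((session.user, session.zone), None)


def demo() -> dict:
    """Walk through a compromised Internet session followed by a fresh one."""
    broker = SessionBroker()
    first = broker.open("alice", "internet")
    broker.navigate(first, "https://news.example.net/story")
    first.compromised = True  # constructed: a drive-by exploit landed here
    first.state["malicious_cookie"] = "x"

    # The intranet is in another zone, so the compromised session cannot reach it.
    reached_intranet = broker.navigate(first, "https://intranet.example.corp/")

    broker.close(first)
    second = broker.open("alice", "internet")
    return {
        "first_id": first.session_id,
        "second_id": second.session_id,
        "cross_zone_allowed": reached_intranet,
        "second_clean": not second.compromised and second.state == {},
        "intranet_zone": zone_for("https://intranet.example.corp/"),
    }


if __name__ == "__main__":
    print(demo())
```

Running the module prints the result of `demo()`: the second session has a new identifier and empty state, the cross-zone navigation attempt returns `False`, and the intranet host is classified into the `enterprise` zone. In the real architecture the "state" is an entire virtual machine and the zone check is applied at the hosting server, but the guarantee being modelled is the same one the text describes.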

Navixia, a leading information security integrator in the French-speaking regions of Switzerland, is now a commonIT Gold partner — the first channel partner for the Virtual Browser solution outside France. Claude Krahenbuhl, Managing Director of Navixia, sees clear benefits for Navixia customers in the innovative Virtual Browser solution. And Navixia’s customers have responded enthusiastically.

Navixia offers a flexible, customer-centred approach to information security, enabled by the high level of technical skills and experience of the Swiss company’s founders and employees. For commonIT, we see this as validation that our technology and our business model can reach beyond the purely domestic market, and it marks a first concrete step in fulfilling our international ambitions.
