Learn how browsers can provide advanced security, enhanced efficiency, and greater productivity as critical components in the modern enterprise technology stack.
In the rapidly evolving landscape of enterprise technology, consumer web browsers have become front doors to the enterprise, serving as the critical pathway for corporate data and applications.
This shift from consumer to enterprise technology has created a host of security, privacy, and productivity issues related to browsers.
To gain deeper insights into this transformation, we spoke with Mike Fey, CEO of Island.io, for a focused discussion on the emergent field of enterprise web browsers, an area increasingly critical in business technology strategy.
The discussion highlights three core points:
- Enterprise-Specific Design: Mike Fey elaborates on the development of Island’s enterprise browser, emphasizing its core purpose to serve the unique balance of security, functionality, and user experience needed in business settings.
- Consumer Web Browser Challenges and Limitations: Fey identifies key limitations of traditional web browsers in the enterprise context. He explains how enterprise browsers address these issues by offering advanced security, efficient data management, and business process integration.
- Productivity and Efficiency Opportunities: The enterprise browser is presented not just as a technological innovation, but as a strategic business tool. Fey discusses its role in enhancing productivity, simplifying enterprise operations, and meeting the evolving tech demands of modern businesses.
Mike Fey leads Island as co-founder and CEO, relying on his extensive experience in cyber security, enterprise software and cloud technology. Fey served as president and chief operating officer at Symantec and prior to joining Symantec, he served as president and chief operating officer of Blue Coat, leading all product and go-to-market functions at both organizations. While at Blue Coat, Fey led the company to aggressive growth, resulting in its acquisition by Symantec for $4.7 billion in 2016.
Prior to that, Fey was executive vice president and general manager for enterprise products at McAfee and chief technology officer of Intel Security playing a pivotal role in Intel’s acquisition of McAfee for $7.7 billion in 2010. He co-author of Security Battleground: An Executive Field Manual, providing a playbook for security obligated executives coping with the new realities of cyber security responsibilities to the board.
Michael Krigsman is an industry analyst and publisher of CXOTalk. For three decades, he has advised enterprise technology companies on market messaging and positioning strategy. He has written over 1,000 blogs on leadership and digital transformation and created almost 1,000 video interviews with the world’s top business leaders on these topics. His work has been referenced in the media over 1,000 times and in over 50 books. He has presented and moderated panels at numerous industry events around the world.
Table of Contents
- Understanding the enterprise browser
- Why an enterprise browser is important
- The challenge of browsers and enterprise web security
- Web browsers create enterprise data security and control risks
- Enterprise benefits of the Chromium open-source web browser project
- Why web browsers create enterprise cloud security risks
- The CIO and CISO role in managing the web browser technology stack
- Integrating the web browser into enterprise business processes and applications
- Enterprise AI: ensure security and compliance in the web browser
- The path to IT modernization with cloud computing and an enterprise web browser
- Managing remote and hybrid work to maintain the right security posture
- IT Management, governance, and control with an enterprise web browser
- Managing generative AI risks with an enterprise browser
- Managing data loss prevention (DLP) and data breaches with the enterprise web browser
- How to prepare for quantum computing
- Using an enterprise browser to continuous monitor network security and potential threats
- Zero trust and the enterprise web browser
Michael Krigsman: We're discussing the enterprise browser with Mike Fey, CEO of Island.io.
Mike Fey: Island is a company. We've been around for about 3.5 years now. We were founded to build the world's first enterprise browser.
An enterprise browser, simply put, is something that delivers on the needs of the enterprise for security, the business, and the end user. Taking that real estate and that capability of a browser we all know and love, but really reimagining it for the enterprise.
Michael Krigsman: Why are you building an enterprise browser?
Mike Fey: If you think about how the browser first entered business (not as a consumer, not for your home shopping or entertainment needs), it came in as just kind of part of the operating system to view flat files. It was a minor business value.
As it became more important and also a target for security issues and productivity capabilities, we started having to treat it like a caged animal. That quickly making a browser inside any major corporation is being backhauled to a scrubbing station. That encryption is being broken to see inside of it. Then we finally put it back together and sent it on its way.
The data that comes from that browser, we have to do dumps on the desktop, so we build DOP programs. Then as our critical SaaS applications show up and we can access them anywhere, we bring on MDMs, VPNs, CASBs, and all of this stuff. Then we have to figure out the digital experience, and the list goes on and on.
All of these requirements exist because the browser was a non-collaborative part of our estate. If you reimagine it as an actual collaborative partner in the enterprise, you start to simplify that whole stack. It creates a much better end-user experience. It creates a refined security approach but also an amazing ROI.
That's really what we saw as an opportunity to rethink this browser. It wasn't that the current one wasn't working. It was that it was built for a different purpose; the consumer, not the enterprise user.
Michael Krigsman: Mike, Web browsers have become a kind of front door to the enterprise. What kind of issues does this create?
Mike Fey: If you look at any new product, it is built for the Chromium browser. As such, this is an operating system we don't own, we don't control and don't have any say over it.
That creates all sorts of challenges for the enterprise with how they protect the data. How do they access that information? How do they navigate? How do they get visibility? How do they secure it?
These are all things that challenge most organizations, and the answer has been, "Layer in tech," whether it's tech in the network, tech on the endpoint and, in some cases, they even go the extreme step of taking something like VDI like Citrix and wrappering that experience around it just to create a data barrier. All of these things are at a cost, experience issues and, worse yet, security challenges.
Michael Krigsman: The browser has become a kind of tech stack in and of itself with all of the complexity, the security issues, the things that can go wrong, as you were just describing.
Mike Fey: Yeah, most high-end enterprises wouldn't let you access the Internet directly. They want to control that flow. As they did that, they started layering on different sets of tech. Those different sets of tech, we've tweaked them over the years to handle what the newest challenge is.
We haven't rethought how we access Web properties, SaaS properties, cloud properties in almost 20 years. We just layer on more technology.
They're using a consumer product for business that hasn't been rethought in 20 years. You can imagine the technical debt, complexity, and challenges that have now started to rein on this environment.
Michael Krigsman: When we look at browsers such as Chrome or Microsoft Edge, what are the kinds of risks that come into play?
Mike Fey: To make it do what we want, we end up forcing other tech on it. And that tech shows up in all sorts of agents and processes that run on the devices, making the devices slower and more expensive to manage.
Then it starts also by our policy. Since we can't govern the browser, we come up with rough rules.
Take something as helpful as Grammarly. My writing skills are poor. Grammarly is a huge help to help me write as a professional. But Grammarly reaches out to the cloud and, as such, there are some documents that, if I do that, I'm breaking all sorts of contractual controls on where that data can flow.
What does an organization do? They block Grammarly just holistically because they can't do it in a refined way because it either is allowed to run in the browser or not allowed to run in the browser. It's either allowed to traverse the network or not allowed to traverse the network.
It can't hear that caveat of, "Oh, wait a second. This is Mike sending an email. It's not confidential. We can help him." It doesn't have that dexterity.
As we progress, we end up seeing that stack, that debt shows up in what we're allowed to do, what we're not allowed to do, how we access the environment, what runs to support the environment and, worse yet, the cost of all of that gear. We're talking large chunks of data centers devoted to this.
Michael Krigsman: Again, the browser, as most of us think about it and use it, is a consumer technology, and the needs of the enterprise are just different.
Mike Fey: At one point in time, they were the same. But that divergence has occurred dramatically. And we look to our security teams, our IT teams to solve this.
Unfortunately, even when they solve it, the end user suffers. The cost suffers. The experience, the capabilities, all of these things become a challenge.
Michael Krigsman: How does the Chromium open-source project help address these issues?
Mike Fey: The Chromium open-source project is now the basis for most major browsers. That fundamental statement is what unlocked the opportunity here because we don't have to go to every company and say, "You need to retest all of your apps everywhere you go to make sure it's going to work with a new browser," because we're using the same rendering engine as Chrome, as Edge, and as some of the other major browsers.
That unlocked the ability for people to understand the experience will be familiar. The capability to render and display should be trusted. That project is the stepping stone where we can then go build in all the enterprise features that don't make sense for a consumer browser.
Michael Krigsman: Why hasn't this been done before?
Mike Fey: Until the Chromium open-source project became the basis for the modern browser, if you looked to do something like this, you would have had to build a browser from the ground up. While you could achieve that, the adopting companies would have to retest their entire stack. Everything they do, they would have to wonder, "Is it going to work?"
Years ago, we used to have to pick the right browser to access something. This works in IE. It works in Chrome. It works in Safari but not this one or that one.
We would all use different browsers to get by. The open-source project at Chromium changed all that. We're now running the same rendering engine across all of those.
By taking that open-source project (which really is the common browser as we know it) and then embedding the enterprise features into that, we made sure that everyone could trust it, it would feel consistent, it would look, taste, behave like we always knew, but then achieve the goals of the enterprise. And so, that open-source project really created the environment where this could even be conceived.
Michael Krigsman: Mike, you touched on browser security. Can you elaborate on that very, very, very important point?
Mike Fey: When we think about browser security and an enterprise browser role in that, expand our thinking beyond the traditional malware. We have put in things that help protect against zero days. We've changed the way certain things render and react to make sure that they don't create security vulnerabilities.
What is it they're after when they attack you? They're after the data. They're after the information.
One of the biggest advancements of an enterprise browser is the ability to keep the data in the application. If your customers' data is in Salesforce, you can run a policy that says that data can't leave Salesforce, or that data can stay in Salesforce or these five other applications but nowhere else. Now the value of penetrating that endpoint is reduced because our data didn't dump onto it.
Then we did things like upgrading the way passwords worked, the way the encrypted cache works, and what data is tracked and what we have visibility to. We protected better against malware. We do things to make sure that it's tamper-resistant. We also ensure that your data stays where you want it, and that is a massive upgrade.
The only way people did this before was to take tightly configured machines, place a whole lot of tech on there to watch every port of export, and make sure nothing could get out. Or take the entire end user environment and put it on something like EDI, Citrix or some other type of approach. All of those create an environment that's difficult for workers to thrive, enjoy, and accept.
Michael Krigsman: What is the role of the CIO and the CISO in terms of browser management in a modern enterprise?
Mike Fey: Today, they do manage them. They do so with great complexity.
They force their will on the browser: blocking extensions, blocking traffic flow – things like that.
- If they want to guarantee what sites you go to, they intercept the traffic.
- If they want to make sure you can't lose data, they put more stuff on it.
- If they want to make sure that you can't see something, they put a block in the network.
- If they want the browser to only be able to run in certain extensions, they block everything else.
Today, they fight their way through it using a myriad of tools. But there's no easy, central location to just govern the policy that runs in the browser, how it works, how it behaves, what it looks like, and what it does.
We built that. Today, it sits in the cloud. That management console, when you log into our browser, we'll reach out to it, download the company's policy, and then behave with that policy until there's an update.
Even if you cut the cord on the environment and can't reach it, that policy runs locally, which is why it can run on a plane, in a far-off location, in China, disconnected data center, battlefields, you name it. You don't have to be in full contact with that where most of our other solutions for management and government actually require a direct contact with it full time.
Michael Krigsman: We have the legacy of the consumer browser that we're trying to bend and twist and shape to meet our enterprise security and compliance requirements.
Mike Fey: One hundred percent, and it shows up in so many ways.
It shows up in copy and paste. For a consumer, one copy-and-paste buffer makes all the sense in the world.
If you go to any knowledge worker, and you go into their development tools (if you're a software developer), you've got 20 copy-and-paste buffers. It's this concept of, "It's a more advanced environment, so we unlocked 50 copy-and-paste buffers, and we even let you auto-populate those."
If somebody works in a call center, we might see the name come across the VoIP system, and automatically fill into their copy and paste buffer everything we know about that customer so they quickly can navigate. But then we can track that navigation and automate that for them next time, and literally start to have a relationship where we create a progressive improvement scheme.
Right now, in a consumer browser, we get excited when it fills in our address or our credit card information. Well, if you work in a call center and, every day, every call, you bring up one system to get the name and the social, the whatever, and then you go copy it into another, and you do all that.
The ability to have a dramatic impact on your productivity far exceeds that which we see in a consumer environment, so that's some of the experience that we change amongst the security, amongst the ROI of delivering it. It's also just what do the end users have available to them as tools and how can they be more effective.
Michael Krigsman: You're really describing a tight integration with the existing business processes.
Mike Fey: That is what a collaborative browser is. We're manifesting your business process.
We like to tell people it's not the Island browser; it's your browser. It's going to be your logos, your information.
Take something as simple as you want to upload to a cloud repository. Maybe you want to upload to Bots, and your company blocks you from doing that.
You don't know why. You don't understand what it is. Why didn't I do that?
Maybe you realize, "If I get on the guest network, I can get to that Bots account," and you do that, and you play that game of cat and mouse with your company because that's what we've taught you to do.
If we were to block that, we would say, "Hey, we're a OneDrive shop," and give you the link to take you to where you need to go. Help you complete that mission.
Maybe in a business process, there's some confusion in the application. It asks for some ID number, and it's not clear what that is. You put the wrong ID number in. We can fact-check that and then recommend to you how to change that.
It's that integration with the business that unlocks a lot of value to the business, not just, "Is it secure, does it run, and does it render?" But how can we improve people's experiences over time to make them more efficient and drive more ROI back to the business? That's just a massive difference of an enterprise thought process versus a consumer one.
Michael Krigsman: When you talk about efficiency, you're really describing enterprise productivity gains within the business process.
Mike Fey: One hundred percent. We've always believed there are three archetypes we need to make happy with this thing.
The security team, they need simpler and better security, so we have to deliver that, and we've done that very heavily.
Then the business, there's got to be a massive ROI here for them. They've got to feel good about this. They don't go around changing things for no reason.
But the third and probably most important is we need every end user to feel more productive, more capable, more free. The ability to do more and be more in their company.
When you unlock all three of those, you create the opportunity for modernization. And many of our companies that purchase our software, we're part of a modernization initiative where they're really rethinking how are they going to run that business, how they live up to those security requirements, but do so in a way that creates that new frontier of work.
AI is a great example. When you think about AI and controlling AI, one of the challenges we have is automation is great until it's not.
If I'm a doctor, having something lurking over my shoulder to see if there are bad drug interactions on something I prescribe, I probably welcome it. But if I'm a patient and I found out it was an AI that did the prescription, I don't like that.
What's the answer? Block AI from medicine? No. It's to make sure that where that runs it can decide when and what it can run on.
That's something we can enable in the browser and that we can run a policy on so that we can get the benefits where it makes sense and protect ourselves where it doesn't. It's just one of the many, many use cases where we integrate to the business needs.
Michael Krigsman: Mike, you mentioned IT and infrastructure modernization. What is the pathway from existing solutions such as VDI (virtual desktop interface) to better, more manageable solutions?
Mike Fey: Take a call center running in the Philippines. Maybe you've contracted that out. You would have designed your response to the lowest common denominator.
Maybe you've got one or two apps that are fat apps. They're not Web-based. You have to assume you don't have full control of the device and things can lead, so you end up saying, "Okay. To enable that, I'm going to ship them laptops. Then I'm going to put VDI on it because that'll render my environment but also put a wall around that. And that'll give that fat app there."
Well, then when they go to access newer Web properties, they're going through that lowest common denominator approach, that slower approach, but we're just going to live with that. To unlock that, what we do is say, "Okay, what is the stereotypical approach?" It's SaaS apps. It's internal Web apps. It's cloud apps.
Okay, we're going to give a great experience to those with all the security and control you need on any device. We don't need to ship that laptop. They can use whatever they have today, and we will call the older technology as it's needed and deliver it in a portal fashion.
It's not that some of this older legacy tech isn't required. Of course, it is. But it shouldn't be the basis upon which we build our entire design.
The beautiful thing is when you go about this more modern approach, you end up shrinking racks in data centers. You end up removing licensing costs. You end up making a better experience, more productivity.
The ROI back to modernize is right there. And when you find that you can deliver a self-funded project to a CIO that does all of those things, they're pretty excited to engage.
Michael Krigsman: How do you measure the effectiveness, the ROI of these kinds of solutions?
Mike Fey: You have your hard costs where you're literally turning off licenses, removing racks out of data centers, reducing bandwidth you're spending on, reducing storage costs. Those are usually very substantive and they're easy to see.
The productivity ones – a bank teller running a little bit faster, a call center worker handling a couple of extra calls and hour – things like that are a little harder to calculate, but people do.
In general, the ROI back is so large that we don't see big efforts to calculate exactly what it'll be because we usually cross the threshold in a couple of displacements. If I don't have to have all my users on Citrix, I just paid for this project and three others I couldn't afford. I'm going to make money elsewhere and we're going to save money across all of those.
Some of them, ... can get every item because the ROI is so blatantly obvious with just a couple of key items.
Michael Krigsman: Mike, let's talk about remote work and hybrid work. How does an enterprise value intersect these very significant changes that are happening throughout our workforce?
Mike Fey: Long-term, we're going to be working on any device from anywhere, and we're going to need to do so with a lot more security requirements and compliance requirements because those just keep going up. Right? Where our data can go, how we have to be responsible for data, all that just continues.
When you think about the role of the enterprise browser, we're that enablement technology that says, "Run on any device. I'm going to be tamper-resistant. I'm going to encrypt your keyboard to my browser. I'm going to make sure the data that needs to stay inside of all those tabs stays there.
"Then I'm going to open up the network connection from that tab to the application that we need to have. And I'll make sure your device is in a proper state that we feel safe and secure as an enterprise to use your device. Then I'll govern the network I'm on to make sure that hybrid model (whether you're inside my four walls or outside) that I like the way that looks, that it's efficient, and it's secure."
The only way you can truly enable the future work is to have control over the last mile. And you have to appreciate the last mile is going to be in every form factor we know and be flexible to that.
A future work model that is a governed, locked-down device with no flexibility is obviously not where we're headed. More flexibility is our future. More security challenges, more requirements around data is also our future. Those two colliding together is what makes the need for the enterprise browser very apparent in that hybrid and remote worker model.
Michael Krigsman: The solution here is all around making it easy for the end user but, at the same time, providing the management, the governance, the control that enterprise IT simply requires.
Mike Fey: You're dead on, but also let's say visibility.
If you were to tell me (when I try to access our corporate sites, it's slow from my house), "So, come into the office," well, that's not an answer in many cases now.
I want to be at your house. You've got to make that work.
If I said, "Oh, it's slow on my iPhone," and you said, "Well, don't use your iPhone," but that's all some of these people have now.
With this same approach, I give you full visibility. Where is that end-user experience? How long does it take for them to interact?
But also, where are the repetitive actions? What can I automate? What can I improve upon?
All of that information is about the future of work. It's not just security. It's not just availability. It's not just access. It's about being amazing.
If you think about the consumer browser journey, how amazing has it become over the years of refinement? When we first showed up, it was difficult to find things. Then it got easy. Then we were able to access all this stuff.
All of a sudden, now everything just logs us in and moves us through and knows who we are. It's absolutely wonderful to shop digitally today compared to before.
What improvements for the end user have been made in that same space over that same 20-year period? Nothing. It's our time to have the same dramatic improvements delivered for the enterprise worker.
Something as simple as letting you have your own phone. We have a lot of customers that have two phones: one for work and one for the other. Or they have one phone, but they know that their corporation put MDM on it and has full control over that, can see everything they do on that phone, and that bothers them.
Then all of a sudden, a little flip of what browser you use unleashes that back and gives you back your phone, gives you back your device. You're in full control.
When you go to work, you're in a portal where you work. When you're done, you're done. That simple requirement sounds like the future of work to me, not multiple phones and multiple devices and all sorts of silliness, which is bad for everything from expense to carbon offset.
Michael Krigsman: I have to assume the issues are identical for third-party contractors, which is also a very big issue now because so much of the economy is based around freelancers and the folks doing gigs.
Mike Fey: You're so right. We have companies that come to us where it'll take them three months or more to set up a contractor that works for them for a couple of days. The economics are all upside down now.
People want the ability to engage with top-tier professionals in a gig-based economy, briefly, just in and out. We can't be shipping laptops and reconfiguring other devices.
I'll tell you a contractor relationship that we've had to lean in hard on is doctors. You have doctors that work for hospital systems. None of them are direct employees, and they're going to work for multiple systems, so you can't say, "Here, use our laptop; use our device."
They're not going to run around with seven devices, so you either A) take a risk and just open it up to them or B) bring a technology like this where they can just bounce. That same browser can log in to multiple hospitals with multiple different policies and the doctor stays efficient. They stay in a world they know and they like, and so that contractor relationship is kind of the uber relationship if you think about it.
If you can solve the contractor problem and get confidence in that and make that a great experience and secure, why would you not run all your people that way? Why would you have a difference?
Michael Krigsman: Mike, you just described an extreme example with physicians who are not going to accept complexity when they're working for a variety of different hospital systems, for example.
Mike Fey: They may not work with a particular hospital system if it's made too hard. Those systems want to make it easy. They want to be able to make people want to work with them.
We've got a bunch of customers that are using this in an opposite direction so they can allow things that they used to say no to. They can allow social media. They can allow things that used to scare them in their environment.
Now they can say, "Okay, we're going to let that in, but it's not allowed to write to your drive. And nothing from your drive can get to it."
Having full control over that enterprise browsing experience even fits when we're at work and maybe we're not working or when we're at work and we're trying to utilize some of the newer spaces. How we can control that experience benefits us as persons, benefits our company, but also keeps us more productive. I can't tell you how many people at work today pull out their phone to find out information that they can't get through the work devices.
Michael Krigsman: Mike, everybody is talking about and using generative AI. What are some of the implications of this browser situation when it comes to gen AI?
Mike Fey: We have one organization that has fully adopted AI, and it is automating massive parts of their process. They just want a good audit log. They want to understand where that's occurring, so they're asking for us to give infinite visibility into that so when it does make a mistake, they can understand it better, and they can get better clarity of that.
We have other organizations that want to particularly control where it can and can't run for reasons around legality and health reasons and security reasons and all sorts of other items. They can either wait for every single app in the world to put all those controls in or ask their operating system to do it. The operating system in this case is the browser.
Michael Krigsman: What about issues such as IP protection, IP theft, incorrect data? How does that come into play?
Mike Fey: One of my favorite IP protection items was with a retailer I worked with a long time ago. They had a Monday flyer that would go out and show the sales for the week. And if that flyer leaked, they would see their purchasing of whatever is going to be on sale drop the week before, immensely.
For over a year, they knew it was leaking, but they didn't know where. They couldn't figure out that process because they had no ability to control their data at home. So, they just started blocking all ports and exports and doing all sorts of creative things to figure it out.
They could have gone into the browser and said, "Nobody can cut, copy, paste, or take screenshots of this." Watermark it so that if it did get out, we know exactly where it occurred. Things you can do in an enterprise browser in seconds to shut down that entire IP loss.
We have organizations that can literally take the record button off of Zoom so that that can't be recorded. We can watermark it so you take a screenshot with your phone and if that posts anywhere, we know exactly who did it, when that occurred.
But just as importantly, we help people protect their data in a positive way in the sense that, "I'm a user. How do I manage this data? I wanted to look at this spreadsheet, and it's a dangerous spreadsheet.
"It's my entire company's salary information. How do I make sure that doesn't stay residual on my device? How can I look at it, ensure it goes into cloud storage, make my edits, make sure it can't be copied? How do I as an end user play my role in that?"
That's another part of the process. It's not all people trying to steal. A lot of IP loss is accidental, and we want to help protect against all those different factors.
Michael Krigsman: Mike, when you talk about DLP (data loss prevention), why is the browser an important mechanism for building protections in?
Mike Fey: When you think DLP in cybersecurity terms, these are big projects. They think about looking for certain types of data across all the ways it manifests itself: looking for social security numbers, getting out of your USB drive, your Bluetooth, your email, your Slack session, your chat. There are so many ways. And so, they have to build this very complex wall.
But for your average user, they only interact with that data through an application. So, what the browser can say is, "All our customer data sits in Salesforce. You have no reason to pull it out, so I'm going to make sure you can't." Now I don't need any of those controls in the device because the data can never live there.
The first step an enterprise browser plays is where can data go. Where can it leak to? When it does go out, should we watermark it? Should we tag it? Should we make sure when it comes out that we've set it up in the best way we can to be successful at controlling it?
You'll often see, when it's truly sensitive data, the first step is to keep it where it was meant to be. When you do that, the DLP requirements drop off.
We've had organizations with hundreds of thousands of users realize they don't need to run their traditional DLP program on only 5,000 or 6,000 employees. Today, it runs on the whole lot. But that call center worker literally does come in contact with dangerous data, but it wasn't supposed to leave the app they're interfacing with, so why not just stop it there? That's stuff they couldn't do before.
All of us know how to steal data out of a browser. Take a kid that's seven years old. They know how to cut and copy out of a browser. We always have to assume that anything in the browser could leave it.
Now we have control. We have dexterity in decision-making ability.
Michael Krigsman: Going back to this concept of the browser being the front door to the enterprise, you're really talking about policies and controls that would be very difficult and expensive to implement otherwise.
Mike Fey: Some of the stuff we do just can't be done. Some of it, if it is done, it's very, very expensive and challenging to do.
As we move forward, it actually gets harder. So, the idea of breaking and inspecting network traffic as we take on quantum compute requirements, as we take on next-gen networking, next-gen encryption, these whole designs start to fall apart.
What's beautiful about the enterprise browser is that controls are pre- and post-encryption. So, we can upgrade to whatever security-based requirements we need.
Michael Krigsman: Mike, you said that browsers are pre- and post-encryption. This is an important point. Can you elaborate on that?
Mike Fey: With an enterprise browser, we have encrypted the whole browser so you can't see inside of it with debugging tools, hacker tools, and all that. So, it sits in a wonderful, safe place.
When we interact with that Web property, I don't care what it speaks to get to the browser, what path it went on. If it was using quantum encryption or SSL, it doesn't matter because I'm not breaking the traffic to see inside of it.
When it hits the browser and starts to render is when I enact my control. That's a subtle difference, but what it means is I can be used in any form of future networking and network design, but I can also control how the network works.
I can have a browser on a BYOD device that knows I want to send this type of traffic back to corporate, this type of traffic directly to this website – not the one I type in; the one that it was supposed to go to – in a country I want it to go to.
If I travel to Germany, I connect back to the U.S. Salesforce. If I'm from Germany, I connect back to the German one because that's where my compliance rules live.
If I have to support travelers wandering past, the only way I can do that is to pull it all back central, break the encryption, and force my will on an area that never wanted to have you in the middle of it.
The difference between breaking encryption and enforcing good Web browsing, and breaking encryption and stealing data, is just who does it. Making so no one can obviously ensures better safety.
Michael Krigsman: Mike, you mentioned quantum computing.
Mike Fey: Sure.
Michael Krigsman: It's coming.
Mike Fey: Yes.
Michael Krigsman: What do we need to be thinking about regarding quantum?
Mike Fey: There's this term "quantum ready" that the higher-end companies are worried about. Your banks of the world, for instance, your militaries.
What they're aware of today is traffic that gets recorded, even if encrypted, can be recorded off and later broken into by quantum capabilities. Something that sounds ridiculously hard to hack into can be ridiculously simple with a quantum-level computer.
It's so much faster. It's so much more capable. It can run so many more computations that what used to take days to crack or weeks to crack can now be done in moments. The only thing we can do is either up our hardware that we run on these devices immensely or start to do a lot of weird, midlevel intersection that we don't have in our current designs.
Most people think that when we go to quantum encryption, nothing will go in the middle, in between where it's delivered and where it lands. Getting quantum ready is rethinking your network on how is it going to work when I have to adopt the new standards.
They're coming. I will have to do it. What will happen to the rest of my gear? These traditional firewalls and proxies and BOP systems that try to scan off this data, they're either going to have to be put on some seriously expensive new hardware or rethought entirely.
Michael Krigsman: What is Island doing to ensure that the browser is ready when quantum fully arrives?
Mike Fey: We don't have to care about what encryption levels are used behind us. So, if you want to implement a quantum-level encryption today, it won't change the way we run at all. We give you as much visibility, as much control as we did the day before.
Michael Krigsman: Mike, on CXOTalk, I have spoken with some of the leading cybersecurity experts in the world. A constant message is the bad guys are innovating and evolving. How can the enterprise browser help protect against these changing cybersecurity threats?
Mike Fey: First, let's make sure we reduce the dangerous data proliferation in the world. Where is our customer data? Where is our health data? Where are these things occurring? Let's make sure they only exist in the areas that need to have them – shrinking our risk footprint.
Then let's make the browser fully tamper-resistant. Encrypt the keyboard keystrokes, so anything that happens on the device still can't penetrate that operating system.
Let's also break the alignment. Right now, if I want to learn how to produce a zero-day for one of the major browsers, I just download it and run, and practice.
In our case, each company has a unique policy they run. That policy is different.
That policy can be fundamentally different in wildly amazing ways. They may run a robotic process automation, additional scanning tools, you name it.
If you want to attack that company, you have to attack them. You can't just take a one-size-fits-all zero-day and go wild on them. Giving control back and getting out of this one-size-fits-all painful model we're in is also going to do a lot to make sure these companies raise the expense bar to being attacked, which is the game we all play in.
Michael Krigsman: You're isolating the attack so it simply cannot spread.
Mike Fey: One of our most progressive, influential customers sees BYOD users as a form of segmentation. Why would I take a knowledge worker that's just operating on Office, on Salesforce, on these things and have them on the same network as customer data, as product data, as financial information?
They'd prefer to have their workers in a BYOD model where they just connect to that because what's at risk now. What's at risk is their small little world, whatever they're working on, and then uploading something to the cloud that's dangerous. But we've got a lot of amazing scanners between us and that upload.
They really could create a model of least privileged access that, in the event of a penetration, is a non-event to the company. It's reconfigure a machine. It's delete some data.
It's not a front page grabbing data resolve. It's not ransomware. It's not a loss of customer faith or brand damage.
That segmentation occurring in that least privilege model, most security professionals prefer to have a segment of least privilege model where they can pull it off.
Michael Krigsman: Zero trust is the phrase that we hear everywhere right now.
Mike Fey: The design for it was produced by network admin. We are going to claim we have zero trust of our environment. That's the definition.
What we're going to say is I need to validate who you are, the network path to the location that I expect you to go to, and what you visit and do during that process. It sounds perfect, except the device you're coming from where all of this data will land eventually, "Oh, we don't have a plan for that. We'll just trust that part."
That's the little flaw in the zero-trust model. The end user device that is accessing this is not governed, is not managed. So, we end up saying, "Okay, well, you've got to put protection on that."
"Wait. I thought I wasn't supposed to trust it, so how does protection get me there?"
"All right. We'll put a VDI buffer on it. That's how we'll route protect it."
"Great. Now we're going to impact the end users in a horrible experience."
What the enterprise browser allows us to do is say, "I don't trust that device. I'm going to make sure no data stays resident on this device, and that the end user, when we start, connects exactly where they need to go to enter into this beautiful zero-day trust design of mine."
Zero trust is a phenomenal concept but we seem to forget why we said the word "zero trust." It's to never have trust in what we're doing. So, if you can't tell me where that data that moves through this big pipe, what happens with it at the end, then you have not lived up to a zero trust design.
Michael Krigsman: From your perspective, then the enterprise browser that Island is building fits in a very complementary fashion with a zero-trust environment.
Mike Fey: We've thought about actually calling a zero-trust browser when we were building the company. What held us back from doing that is the zero trust name doesn't give you visibility into all the productivity benefits, the benefits back to the business. It just highlights its role in the security layer.
Thinking of it as a zero-trust browser is not a flawed logic. It just doesn't appreciate the other ways organizations end up using this thing.
Michael Krigsman: Mike, where is all this going?
Mike Fey: I want to be in an environment where we trust a BYOD worker on their machine the same way we do today on a hard and fully built, purchased solely machine by IT. When we do that, now, all of a sudden, we get freedom back, and we get to rethink how a lot of this stuff works.
The future of work for us is not just an Island vision. It is more often than not a collaborative vision coming from our customers on where they want to take their future workforce and what we can do to enable that.
Michael Krigsman: The collaborative environment around the last mile, it's a great way of summing it all up. Mike Fey, CEO of Island.io, thank you so much for taking time to speak with us.
Mike Fey: Thanks for having me.
Published Date: Dec 05, 2023
Author: Michael Krigsman
Episode ID: 816