Sikov - stock.adobe.com
Your browser is an AI-enabled OS, so secure it like one
With AI capabilities and 87+ browser-based apps per organization, browsers have evolved into OSes that demand enterprise-grade security and management strategies.
From an application perspective, web browsers have become a sort of OS within an OS. With the introduction of agentic AI capabilities within the browser (just look at what Perplexity, Opera and, to some extent, Google and Microsoft are doing), they're becoming more front and center to organizations. This isn't new, of course. Browser-based app usage has been growing for years, and research I conducted a few years ago indicates that the average organization uses 87 browser-based apps.
That's not to discount Windows apps -- that same research project measured the average number of Windows apps at 105 per organization. But it does show that the browser can no longer be treated as one Windows app. It's an extensible operating environment that itself runs dozens of apps. It has hooks into the underlying OS, but for many users, the browser is the operating environment, and the OS is just the runtime needed to deliver the browser.
And that's before we even consider extensions!
Over the years, browsers have opened up APIs that let developers build plugins and extensions to add functionality, automate tasks and connect web apps together. This has evolved into a parallel app ecosystem inside the browser. Each extension can carry its own set of permissions, integrations and data access. Some have full visibility into every page a user visits. Others can read and write clipboard data or interact with credentials. It's powerful, but it's also a messy patchwork of third-party code running alongside your corporate web apps with little central oversight.
What this means for IT and security teams
This has major implications for IT and security teams, and we've chosen to deal with this in many ways over the years. Historically, the way to wrap security around the browser and specific applications was to use desktop virtualization that let the browser run in a remote location on a device that had tightly controlled security. Of course, it's overkill to use a full desktop virtualization platform to deploy web apps, which led to the emergence of bespoke remote browser isolation (RBI) platforms that specialized in delivering, managing and securing browser apps.
RBI tools use similar concepts to desktop and app virtualization. The browser runs on a secure, remote VM, but the browser's UI is remoted to the end user's physical device. Of course, RBI also suffers from the same drawbacks as desktop and app virtualization -- latency issues that appear in screen rendering, more moving parts, etc.
On the other end of the spectrum is the enterprise browser. This is a managed browser built specifically for corporate use (as opposed to a consumer browser, which is what most browsers are today). Where RBI secures by isolation, enterprise browsers are a new browser deployed as a local application, but with centralized management that introduces policies, visibility and control. This has the benefit of running locally and adding a management layer on top of the "OS within an OS," but also adds to the number of apps deployed locally, while also changing the browser that users are accustomed to.
Between the two extremes lie several tools that use existing browsers and focus on browser and extension management, telemetry, UX and other features.
All of the approaches aim to enhance security and management capabilities so that IT can configure and enforce rules like access control, data protection, clipboard, download behaviors and extensions.
A look ahead
With so many apps -- and so many ways to manage and secure them -- the browser has become one of the most dynamic areas of IT. It touches identity, data protection, productivity, and now AI. And as AI moves from being a feature of individual web apps to an embedded, agentic capability within the browser itself, the browser is set to become even more central to how users work, not to mention how organizations must think about governance.
Stay tuned! This is an area I'll be focusing on this year alongside my colleague John Grady, who covers network security and examines browser security through a zero-trust lens. In the coming months, we'll be conducting research into how organizations are approaching browser management and security today -- what's working, what's challenging and how AI might reshape the equation. I can't wait to share what we learn.
Gabe Knuth is the principal analyst covering end-user computing for Omdia.
Omdia is a division of Informa TechTarget. Its analysts have business relationships with technology vendors.
