Getty Images/iStockphoto
Evaluating secure enterprise browsers vs. security plugins
Malicious actors have long targeted and exploited browser vulnerabilities. The widespread adoption of AI increases the risk, forcing CISOs to reevaluate browser security options.
Whether hosted in-house or in the cloud, the web browser serves as the gateway to most enterprise work, making it a crucial consideration in any enterprise security strategy.
The current AI frenzy puts an even brighter spotlight on browser security. Employees access most AI tools through a browser, making an already tempting target even more inviting. Additionally, AI expands the scope of what users accomplish via browser sessions -- making it even more useful for bad actors to compromise those sessions. And through MCP integrations and the like, AI is also increasing the reach of browser-based tools into the environment, thereby expanding the scope of the potential damage from browser breaches.
Malicious actors have been exploiting browser vulnerabilities for years, a problem that is only becoming more challenging due to the rising use of AI to probe software for vulnerabilities more effectively than ever. It is clear that browser security has never been as threatened as it is now.
In this moment of renewed attention to browser security and the risks of it failing, CISOs face two options for improving browser security: deploying secure enterprise browsers and deploying browser security plugins.
Pros and cons of secure enterprise browsers
A secure enterprise browser is a managed application that is fully under the control of enterprise IT staff. Admins can implement security policies directly and insert controls into the browsing session that would normally be provided by network appliances or cloud services, including URL filtering, application firewalling and data loss prevention tactics.
Security teams can enforce rules for content filtering, prevent the use of unsafe sites and discourage personal browsing through the managed platform. At the same time, a fully managed browser provides rich monitoring of web use.
Advantages of secure enterprise browsers include:
- Consistent and universal enforcement of centrally defined policies.
- Strong isolation models, which deliver stricter separation of processes and sessions, and better protection of platforms from web sessions and of tabs from each other.
- Easier separation of personal browsing from corporate browsing.
- Access to rich data on end-user experience and normal usage patterns, which boosts behavioral threat analysis.
- Reduced need for virtual desktop infrastructure (VDI) because staff BYOD browsing is less of a risk, it is easier to control contractor and third-party access to enterprise systems, and it enables simpler onboarding of staff from acquired companies or after a merger.
- Traction on privileged access management and privilege use.
- A vantage point where teams can examine data for leak potential before end-to-end encryption in an end-to-end tunnel, reducing load on firewall-based, man-in-the-middle style decryption.
- Strict control of extensions, which keeps the browser threat surface as small as possible, although some conventional browsers inside managed desktops and VDI environments can control this.
- Central management of the web UI, which provides more consistency across users within and among departments, such as everyone having the same core bookmarks.
Enterprise-secured browsers have the following disadvantages:
- Cost, which is notable because previously a browser would have been free.
- Requires careful deployment and maintenance, as well as some end-user training.
- Unfamiliarity, which means employees need to learn and adapt to a new UI.
- Some sites might not work with the new browser.
- Some existing workflows might break because the secure platform gets in the way, which could result in interruptions and remediation costs, although the outcome is a more secure process.
- Vendor lock-in is possible because of the high cost of switching.
Pros and cons of browser security plugins
Browser plugins are the standard method of adding function to a browser. Adding a standardized plugin just for security is straightforward. In some cases, IT can enforce the use of an extension and control its configuration centrally. While IT can't exert full control using a plugin, teams can make user browsing significantly more secure through additional phishing protection and URL filtering tools.
Advantages of using security plugins include:
- Users retain their browser and its familiar UI, as long as a version of the desired plugin is available for that browser.
- Quicker, lower-impact, lower-friction deployment.
- Reduced chance that a website won't work with the secured platform.
- Reduced risk of broken processes and workflows.
- Low or no added software cost.
Disadvantages of the plugin approach include:
- Inability to impose the same level of security as with a secure browser.
- Less security visibility than with an enterprise browser.
- A dependence on -- and to an extent working against -- the security model of the underlying browser since consumer browsers are not built to prevent users from adding, disabling or uninstalling plugins.
- Requires monitoring the compatibility of the extension with every update to the browser and dealing with updates that result in incompatibility.
Organizations that can't justify the expense of a proper rollout of a secure browser should focus on adding security extensions to improve browser security as much as possible. Likewise, organizations with a strong emphasis on user control of the user experience can implement extensions to raise the bar on phishing and malware protection.
How CISOs should decide which is right for their organizations
A secure enterprise browser and browser plugins can both improve security, but the right path depends on how a particular organization balances risk and needs with costs and friction.
Deploying a secure browser delivers better protection than an extension. If an organization decides it needs to achieve that level of security, it should find the resources to pay for the transition.
Organizations that want higher levels of security must justify the costs -- in time and dollars -- reduce the risk. If browsers are a major source of vulnerabilities in the organization's threat surface, that is a straightforward justification. Companies pushing agentic AI adoption also have a clear business case.
It is also worth looking at the resources currently devoted to shoring up web security for insecure browsers. For example, CISOs could redirect money spent on appliances and services to funding a browser security upgrade.
If an organization's user experience is already locked down through VDI or desktop as a service, for example, then a secure browser would reduce the need for that other setup without making a huge difference to user experience. But, if the user experience is meant to be highly individualized and user-controlled, an extension might be the only way to improve security without sacrificing that.
And, if the budget is too tight for a secure browser rollout, a push for universal installation of well-configured security extensions makes sense.
John Burke is CTO and a research analyst at Nemertes Research. Burke joined Nemertes in 2005 with nearly two decades of technology experience. He has worked at all levels of IT, including as an end-user support specialist, programmer, system administrator, database specialist, network administrator, network architect and systems architect.