Isolating Browser Sessions – In the Cloud and Locally
Browser Isolation Options for Whitelisted Site Access
To isolate browsers so they only allow access to whitelisted sites, organizations can choose from several architectural options. Below are three major strategies, each offering different levels of control, complexity, and integration flexibility.
1. Proofpoint-Based Remote Browser Isolation (RBI)
Description
Proofpoint’s RBI renders web content in a secure cloud environment and sends only sanitized content (e.g., pixels or safe HTML) to the end user. It supports URL whitelisting and read-only modes for risky websites.
Key Features
- Web content is never executed on the local machine.
- Supports whitelisting/blacklisting by domain or category.
- Read-only mode for specific websites.
- Integrates with Proofpoint’s email and threat stack.
Pros
- Prevents browser-based malware and phishing.
- Easy integration with Proofpoint email security.
Cons
- Possible latency or rendering limitations.
- Commercial solution; tied to Proofpoint ecosystem.
2. Isolated Network Segment in the Cloud
Description
This method places the browsing environment (e.g., VDI desktops or jump boxes) in a segmented VPC or subnet where browser traffic is tightly controlled. Egress access is filtered via firewalls or proxies to only permit traffic to whitelisted domains.
Key Features
- Use of VDI tools such as Amazon WorkSpaces or Azure Virtual Desktop.
- Outbound firewall or proxy filtering for domain control.
- Ideal for vendor or third-party access isolation.
Pros
- Complete control over OS and browser environment.
- Highly customizable with enterprise policies.
Cons
- High setup and maintenance complexity.
- Requires VDI licensing and secure networking.
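The egress filtering in this approach comes down to a default-deny hostname decision at the proxy. The following is an added example, not taken from the original page or from any product named here, showing that decision in Python with the normalization and label-boundary checks a domain allowlist needs. The allowlist entries, the HTTPS-only port policy, and the function names are assumptions constructed for illustration.

```python
# Added example: default-deny egress allowlist check, as a filtering proxy might apply it.
import ipaddress
from urllib.parse import urlsplit

# Constructed sample policy; a leading dot means "this domain and its subdomains".
ALLOWLIST = {"portal.example.com", ".vendor.example.org"}
ALLOWED_PORTS = {443}  # assumption: only HTTPS on the default port may leave the segment

def normalize_host(host):
    """Lowercase, drop the trailing root dot, convert IDNs to ASCII (punycode)."""
    host = host.strip().lower().rstrip(".")
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None  # malformed name (empty or oversized label): treat as unmatchable

def host_allowed(host, allowlist=ALLOWLIST):
    host = normalize_host(host) if host else None
    if not host:
        return False
    try:
        ipaddress.ip_address(host.strip("[]"))
        return False  # IP literals sidestep name-based policy, so deny them
    except ValueError:
        pass  # not an IP literal; continue with name matching
    for entry in allowlist:
        if entry.startswith("."):
            # Match the apex or a subdomain, and only at a label boundary.
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False  # default deny

def url_allowed(url):
    """Decide on the parsed hostname, never on a substring of the raw URL."""
    try:
        parts = urlsplit(url)
        port = parts.port or {"https": 443, "http": 80}.get(parts.scheme)
    except ValueError:
        return False  # unparseable URL or port
    if parts.scheme != "https" or port not in ALLOWED_PORTS:
        return False
    return host_allowed(parts.hostname)
```

Matching on the parsed hostname at label boundaries is what keeps look-alike names, userinfo prefixes, and raw IP addresses from satisfying an entry that a plain substring or suffix comparison would accept.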
3. Zero Trust Architecture with Isolated Browsers
Description
In this approach, user access is based on identity, device posture, and contextual risk. Browser sessions are isolated dynamically when policies detect risk or access to unknown domains.
Key Features
- Identity-aware proxy controls web access.
- Conditional isolation: isolate risky sites only.
- Integrates with EDR, CASB, DLP, and SIEM systems.
Pros
- Adaptive security with contextual decision making.
- Integrated into modern Zero Trust workflows.
Cons
- Requires mature identity and access infrastructure.
- High integration complexity and licensing cost.
Summary Comparison Table
| Feature / Approach | Proofpoint RBI | Cloud Isolated Segment | Zero Trust with Isolation |
|---|---|---|---|
| Isolation Method | Remote rendering in cloud | Network/firewall + VDI | Policy-driven per session/browser |
| Whitelisting Control | Domain or category | Egress firewall/proxy | Per-app, per-user |
| Integration Complexity | Moderate (email stack) | High (infra + VDI) | High (identity + EDR + network) |
| User Experience | Smooth but limited interactivity | Depends on VDI performance | Generally seamless |
| Best for | Phishing/email risk mitigation | Strict environments (e.g., vendors) | Scalable enterprise policies |
| Example Products | Proofpoint RBI | AWS WorkSpaces + Squid proxy | Zscaler, Cloudflare, Island |
Conclusion
- Proofpoint RBI is ideal if phishing/email defense is your primary goal.
- Isolated network segments are best for strict control over high-risk user environments.
- Zero Trust browser isolation is most suitable for mature, identity-aware organizations seeking scalable, context-driven policies.