Virtualization Technology News and Information
When updates can't wait, look to the cloud

By Brett Taylor, Director, Web Browser Experiences within End User Computing at AWS

Ask any IT professional and they will tell you that timely software updates are essential for the safety and security of their business operations. Press them, however, and they will also admit that these updates are tedious, time-consuming, and thankless. A good analogy is going to the gym. You expend a great deal of effort with the hope, but not immediate evidence, of future benefit. And sometimes, the clarion call of the couch, the big screen TV, and a full slate of football games is just too hard to pass up. Unfortunately, enterprises face similar headwinds; software updates are frequently put off. Don't take my word for it. According to a report from the Cybersecurity & Infrastructure Security Agency:

"In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems. Proof of concept (PoC) code was publicly available for many of the software vulnerabilities or vulnerability chains, likely facilitating exploitation by a broader range of malicious cyber actors.

Malicious cyber actors generally have the most success exploiting known vulnerabilities within the first two years of public disclosure [ed: emphasis added] - the value of such vulnerabilities gradually decreases as software is patched or upgraded."

Two years! How are known vulnerabilities allowed to persist for that long? Allow me to repeat myself... because updates are tedious, time-consuming, and thankless.

Software-as-a-Service (SaaS) only addresses part of the challenge

There is strong and persistent growth in the adoption and deployment of SaaS applications (or more generally web-delivered applications) in favor of thick-client, legacy apps. I've written on this topic before, but in short, more and more enterprise applications are web-based and accessed via the browser. And every application that moves to the web is another one that enterprise IT doesn't have to keep updated on hundreds or thousands of managed client devices... let the service provider handle it!

On the flip side, each application that moves to the web only heightens the pressure to keep the local browser up to date. If critical work and sensitive or even confidential data is web-delivered, then it is imperative to have all of the latest security updates in the browser. And when it comes to browsers, you can count on an unrelenting flood of necessary security fixes. Through August 2024, the Chrome team has pushed 223 security fixes for Chrome desktop. In fact, every major version update has included at least one high severity fix.

Unfortunately, during that same August 2024 time period, 16.5% of all desktop browsers worldwide were running an outdated version of Chrome. Not 16.5% of Chrome users; 16.5% of all browsers! In fact, 74 different outdated versions of desktop Chrome (versions prior to v126) recorded measurable usage in the month of August. True, the data does not distinguish between personal and professional use. However, we know that personal browsing skews to mobile, while desktop browsing dominates the enterprise. That tendency and the sheer pervasiveness of outdated desktop browsers suggest a significant security hole for the enterprise.

Is there a better way?

Yes, and that is precisely why AWS built Amazon WorkSpaces Secure Browser. But stepping back for just a moment, it is important to understand that AWS is architected to be the most flexible and secure cloud computing environment available today. Our core infrastructure is built to satisfy the security requirements of financial services, health care, military, and other high-sensitivity organizations. This fortified infrastructure is backed by a deep set of cloud security tools, with over 300 security, compliance, and governance services and features, as well as support for 143 security standards and compliance certifications across the globe. AWS has always considered security to be priority zero.

Launched at re:Invent 2021, WorkSpaces Secure Browser (WSB) benefits from AWS's years of thought leadership and commitment to cloud security. Atop that strong foundation, WSB delivers a protected environment for access to internal and SaaS web applications, along with low costs, simple administration, and a growing set of data protection capabilities. With WorkSpaces Secure Browser, web content is rendered on a browser running on a hardened, Security-Enhanced Linux instance within a locked-down AWS data center. End users receive only a fully interactive, "pixel-streamed" representation of web content within their local browser. No actual page data reaches the local browser, reducing the risk of data exfiltration. And this virtual barrier between internal servers and local devices prevents the transmission of device-borne malware to internal servers. Users have single sign-on (SSO) access to company websites; however, enterprises are still in control of the corporate resources. Company data is never at rest on client devices, with enterprise browser policy (e.g., control over URLs, certificates, and extensions) and user settings (e.g., clipboard and file transfer policies) enforced throughout the session. WSB also restricts remote users to the browser, which, unlike VPN or client-side container solutions, prevents them from directly connecting with other internal systems or data repositories. Administrators can simply and quickly define browser and user settings using the AWS console, and leverage their existing SAML 2.0 identity provider and networking connections in AWS for users to access company websites, whether located in AWS, behind the company firewall, or via NAT Gateway to the Internet. From the console, administrators have a dashboard view of connected sessions, performance and service monitoring for simple day-to-day operations, and granular user access logging.

What does all of that have to do with software updates? Well, as a managed service, WSB takes updates off the enterprise's hands. Of course, the underlying Linux OS of the virtual machine is always kept patched and secure. But as we discussed above, browser updates are even more unrelenting. Fortunately, by running the "real" browser in the cloud, enterprises enjoy the same sort of software update benefits that they have long enjoyed from SaaS providers. No pushing updates to hundreds, thousands, or millions of uniquely at-risk endpoints. Instead, when a new browser version goes public, WSB customers can rest assured that on the next launch, that new version and its multiple, high severity security fixes will be the version rendering their sensitive web content in the cloud. No lag, no pushing reminders; when there is an update, end users get it automatically without IT intervention or even those annoying little "Relaunch to update" reminders.

Breathe a little easier

There is a large and growing amount of work being done in the browser today. And increasingly, that work involves sensitive data like customer PII or internal IP. Don't risk exposing this data to client-side browser software, on a growing number of devices, that is notoriously out of date. Just as web-delivered applications make updates virtually transparent to the enterprise, so can a cloud-delivered browser. I encourage everyone to consider getting out of the "whack-a-mole" browser update game and put one big worry to bed.


ABOUT THE AUTHOR

Brett Taylor 

A 25-year tech veteran, Brett Taylor has worked in a variety of industries including manufacturing, field services, telecom/networking, web services, and consumer electronics. Brett started at Amazon in 2008, spending 13 of his nearly 16 years in AWS. Brett has participated in a number of new product initiatives, including Amazon RDS, DynamoDB, the Kindle Fire tablet, Amazon's "Just Walk Out" technology, and most recently, Amazon WorkSpaces Secure Browser. The majority of his career has been focused on the web, web services, and browsers. Brett is currently Director, Web Browser Experiences within End User Computing at AWS.
Published Wednesday, September 11, 2024 7:32 AM by David Marshall