By Brett Taylor, Director, Web Browser Experiences within End
User Computing at AWS
Ask any IT professional and they will tell you that timely
software updates are essential for the safety and security of their business
operations. Press them, however, and they will also admit that these updates
are tedious, time-consuming, and thankless. A good analogy is going to the gym.
You expend a great deal of effort with the hope, but not immediate evidence, of
future benefit. And sometimes, the clarion call of the couch, the big screen
TV, and a full slate of football games is just too hard to pass up.
Unfortunately, enterprises face similar headwinds: software updates are
frequently put off. Don't take my word for it. According to a
report from the Cybersecurity & Infrastructure Security Agency:
"In 2022, malicious
cyber actors exploited older software vulnerabilities more frequently than
recently disclosed vulnerabilities and targeted unpatched, internet-facing
systems. Proof of concept (PoC) code was publicly available for many of the
software vulnerabilities or vulnerability chains, likely facilitating
exploitation by a broader range of malicious cyber actors.
Malicious cyber actors generally have the most success exploiting known
vulnerabilities within the first two years of public disclosure [ed: emphasis
added] - the value of such vulnerabilities gradually decreases as software is
patched or upgraded."
Two years! How are known vulnerabilities allowed to persist
for that long? Allow me to repeat myself... because updates are tedious,
time-consuming, and thankless.
Software-as-a-Service (SaaS) only addresses part of the challenge
There is strong and persistent growth in the adoption and
deployment of SaaS applications (or more generally web-delivered applications)
in favor of thick-client, legacy apps. I've written
on this topic before, but in short, more and more enterprise applications
are web-based and accessed via the browser. And every application that moves to
the web is another one that enterprise IT doesn't have to keep updated on
hundreds or thousands of managed client devices... let the service provider
handle it!
On the flip side, each application that moves to the web
only heightens the pressure to keep the local browser up to date. If critical
work and sensitive or even confidential data is web-delivered, then it is
imperative to have all of the latest security updates in the browser. And when
it comes to browsers, you can count on an unrelenting flood of necessary
security fixes. Through August 2024, the Chrome team has pushed 223
security fixes for Chrome desktop. In fact, every major version update has
included at least one high severity fix.
Unfortunately, during that same August 2024 time period,
16.5% of all desktop browsers worldwide were running an outdated version of
Chrome. Not 16.5% of Chrome users; 16.5% of all browsers! In fact, 74 different outdated versions of
desktop Chrome (versions prior to v126) recorded measurable usage in the month
of August. True, the data does not distinguish between personal and
professional use. However, we know that personal browsing skews to mobile,
while desktop browsing dominates the enterprise. That tendency and the sheer
pervasiveness of outdated desktop browsers suggest a significant security hole
for the enterprise.
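The outdated-version share above comes from aggregate usage data, but an enterprise can measure the same thing for its own web applications from ordinary access logs. The following is an added example, not code from the original post or from AWS: it parses the Chrome major version out of User-Agent strings in combined-format access log lines, excludes Chromium derivatives and mobile builds so that only desktop Chrome is counted, and reports the share of requests below a minimum major version. The threshold of 126 follows the post's definition of "outdated" for August 2024; the log lines, IP addresses and version numbers are constructed sample data.

```python
"""Measure the share of outdated desktop Chrome sessions in web server logs.

Added example (not from the original post). Parses Chrome's major version out
of User-Agent strings in combined-format access log lines and flags anything
older than a minimum major version (126 by default, the cut-off the post uses
for August 2024). All log lines below are constructed sample data.
"""
import re
from collections import Counter

# Chrome UA fragment looks like "Chrome/<major>.<minor>.<build>.<patch>".
CHROME_RE = re.compile(r"Chrome/(\d+)\.\d+\.\d+\.\d+")
# Chromium derivatives also carry a "Chrome/" token; they append their own
# token, so their presence means the UA is not Chrome itself.
DERIVATIVE_TOKENS = ("Edg/", "OPR/", "YaBrowser/")
# Mobile Chrome is excluded so the figure reflects desktop usage only.
MOBILE_TOKENS = ("Android", "Mobile", "iPhone", "iPad")

# Combined log format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample access log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.11 - - [12/Aug/2024:09:14:02 +0000] "GET /app HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.6533.99 Safari/537.36"',
    '10.0.0.12 - - [12/Aug/2024:09:14:07 +0000] "GET /app HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36"',
    '10.0.0.13 - - [12/Aug/2024:09:14:09 +0000] "GET /app HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Safari/537.36"',
    '10.0.0.14 - - [12/Aug/2024:09:14:15 +0000] "GET /app HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.6533.99 Safari/537.36 Edg/127.0.2651.74"',
    '10.0.0.15 - - [12/Aug/2024:09:14:21 +0000] "GET /app HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.230 Mobile Safari/537.36"',
    '10.0.0.16 - - [12/Aug/2024:09:14:30 +0000] "GET /app HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"',
    '10.0.0.17 - - [12/Aug/2024:09:14:33 +0000] "GET /app HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36"',
]


def chrome_major(user_agent):
    """Return the desktop Chrome major version as an int, or None otherwise."""
    if any(tok in user_agent for tok in DERIVATIVE_TOKENS):
        return None
    if any(tok in user_agent for tok in MOBILE_TOKENS):
        return None
    m = CHROME_RE.search(user_agent)
    return int(m.group(1)) if m else None


def parse_user_agents(log_lines):
    """Yield (client_ip, user_agent) for every line that matches the log format."""
    for line in log_lines:
        m = LOG_LINE_RE.match(line)
        if m:
            yield m.group("ip"), m.group("ua")


def outdated_chrome_report(log_lines, min_major=126):
    """Count desktop Chrome requests per major version and the outdated share.

    Returns a dict with per-version request counts, the sorted list of outdated
    major versions seen, the total number of desktop Chrome requests, and the
    outdated share as a float (0.0 when no Chrome traffic was seen).
    """
    versions = Counter()
    for _ip, ua in parse_user_agents(log_lines):
        major = chrome_major(ua)
        if major is not None:
            versions[major] += 1
    total = sum(versions.values())
    outdated = {v: n for v, n in versions.items() if v < min_major}
    return {
        "versions": dict(versions),
        "outdated_versions": sorted(outdated),
        "total_chrome": total,
        "outdated_share": sum(outdated.values()) / total if total else 0.0,
    }


if __name__ == "__main__":
    report = outdated_chrome_report(SAMPLE_LOG)
    print(f"desktop Chrome requests: {report['total_chrome']}")
    print(f"outdated major versions seen: {report['outdated_versions']}")
    print(f"outdated share: {report['outdated_share']:.1%}")
```

On the constructed sample, four requests come from desktop Chrome (the Edge, Android and Firefox lines are excluded), two of which (v98 and v109) fall below the threshold, giving a 50% outdated share. Pointing this at a month of real logs for an internal application, with `min_major` set to the current stable release, gives a direct view of how many of the enterprise's own endpoints are running a browser with known unpatched issues.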
Is there a better way?
Yes, and that is precisely why AWS built Amazon
WorkSpaces Secure Browser. But stepping back for just a moment, it is
important to understand that AWS is architected to be the most flexible and
secure cloud computing environment available today. Our core infrastructure is
built to satisfy the security requirements of financial services, health care,
military, and other high-sensitivity organizations. This fortified
infrastructure is backed by a deep set of cloud security tools, with over 300
security, compliance, and governance services and features, as well as support
for 143 security standards and compliance certifications across the globe. AWS
has always considered security to be priority zero.
Launched at re:Invent 2021, WorkSpaces Secure Browser (WSB)
benefits from AWS's years of thought leadership and commitment to cloud
security. Atop that strong foundation, WSB delivers a protected
environment for access to internal and SaaS web applications, along with low
costs, simple administration, and a growing set of data protection
capabilities. With WorkSpaces Secure Browser, web content is rendered on a
browser running on a hardened, Security-Enhanced Linux instance within a locked-down AWS
data center. End users receive only a fully interactive, "pixel-streamed"
representation of web content within their local browser. No actual page data
reaches the local browser, reducing the risk of data exfiltration. And this
virtual barrier between internal servers and local devices prevents the
transmission of device-borne malware to internal servers. Users have single
sign-on (SSO) access to company websites; however, enterprises remain in
control of the corporate resources. Company data is never at rest on client devices,
with enterprise browser policy (e.g., control over URLs, certificates, and
extensions) and user settings (e.g., clipboard, file transfer policies, etc.)
enforced throughout the session. WSB also restricts remote users to the
browser, which unlike VPN or client-side container solutions, prevents them
from directly connecting with other internal systems or data repositories.
Administrators can simply and quickly define browser and user settings using
the AWS console, and leverage their existing SAML 2.0 identity provider and
networking connections in AWS for users to access company websites, whether
located in AWS, behind the company firewall, or via NAT Gateway to the
Internet. From the console, administrators have a dashboard view of connected
sessions, performance and service monitoring for simple day-to-day operations,
and granular user access logging.
What does all of that have to do with software updates?
Well, as a managed service, WSB takes updates off the enterprise's hands. Of
course, the underlying Linux OS of the virtual machine is always kept patched
and secure. But as we discussed above, browser updates are even more
unrelenting. Fortunately, by running the "real" browser in the cloud,
enterprises enjoy the same sort of software update benefits that they have long
enjoyed from SaaS providers. No pushing updates to hundreds, thousands, or millions
of uniquely at-risk endpoints. Instead, when a new browser version goes
public, WSB customers can rest assured that on the next launch, that new
version and its multiple, high severity security fixes will be the version
rendering their sensitive web content in the cloud. No lag, no pushed
reminders; when there is an update, end users get it automatically without IT
intervention or even those annoying little "Relaunch to update" prompts.
Breathe a little easier
There is a large and growing amount of work being done in
the browser today. And increasingly, that work involves sensitive data
like customer PII or internal IP. Don't risk exposing this data to client-side
browser software, on a growing number of devices, that is notoriously out of
date. Just as web-delivered applications make updates virtually transparent to
the enterprise, so can a cloud-delivered browser. I encourage everyone to
consider getting out of the "whack-a-mole" browser update game and put one big
worry to bed.
ABOUT THE AUTHOR
A 25-year tech veteran, Brett Taylor has worked in a variety of industries
including manufacturing, field services, telecom/networking, web services, and
consumer electronics. Brett started at Amazon in 2008, spending 13 of his
nearly 16 years in AWS. Brett has participated in a number of new product
initiatives, including Amazon RDS, DynamoDB, the Kindle Fire tablet, Amazon's
"Just Walk Out" technology, and most recently, Amazon WorkSpaces Secure
Browser. The majority of his career has been focused on the web, web services,
and browsers. Brett is currently Director, Web Browser Experiences within End
User Computing at AWS.