In today's digital landscape, enterprises are increasingly embracing web-delivered applications to empower their workforce. However, this shift comes with inherent cybersecurity risks, as the web has become one of the most common attack surfaces for data breaches and malware infiltration. To address these challenges, Amazon has developed Amazon WorkSpaces Secure Browser, a managed service that isolates web content from end-user devices and minimizes the risk of data exfiltration.
In this exclusive Q&A, Rich Burkett, Principal Product Manager for Amazon WorkSpaces Secure Browser, shares insights into the background and key capabilities of this innovative service. He discusses the common use cases, target user personas, and key differentiators that set WorkSpaces Secure Browser apart in the enterprise security landscape.
VMblog: Tell me about Amazon WorkSpaces Secure Browser. Can you tell us about the background of the service? How did it get started?
Rich Burkett: My name is Rich Burkett and I'm a Principal Product Manager
for Amazon WorkSpaces Secure Browser. We developed the service to help
customers secure access to private websites, software-as-a-service (SaaS)
applications, and the public internet.
Building WorkSpaces Secure Browser followed the classic
Amazon working backwards process. We conducted one-on-one interviews with
dozens and dozens of customers to really get to the root of their needs and
brainstorm on how we could help. We learned about customers' challenges securing
access to web content, and saw there was frustration with existing solutions
(i.e., they were either overbuilt and high in cost, or not secure enough). They
told us they needed a robust data protection solution, beyond the traditional
(and generally reactive) tools like firewalls, packet inspection, or
authorization/access controls. WorkSpaces Secure Browser was the result, and is
a natural expansion to the Amazon WorkSpaces Family services.
VMblog: What big challenges are customers facing that
you're helping them solve?
Burkett: Customers love the benefits of web-delivered applications.
They are able to select "best of breed" apps for a broad array of user
personas, including HR, finance, sales, creatives, customer support, or any
other specialty. However, these customers know that the web is the most common
cyber-attack surface in the world, putting their data, networks, and end-user
devices at risk of compromise.
With WorkSpaces Secure Browser, companies can mitigate these
risks by hosting the browser in AWS - isolated from client devices. The
actual webpage content remains securely contained within a hardened,
Security-Enhanced Linux virtual machine running in an AWS data center, while
end users see and interact with a pixel-streamed representation of the web page
via their local browser. Since the actual data never leaves AWS, the risk of
data exfiltration is minimized. Similarly, because the virtual machine actually
interacts with web servers, the local device is isolated from Internet-borne
threats. And finally, by protecting the local device, customers reduce the risk
of a trusted device introducing malware when it connects to the corporate
network.
Our customers also tell us that while there are countless
sophisticated security products available for the enterprise, setup and ongoing
administration can be a real drag on IT productivity. Implementation is often
measured in months and organizations must dedicate significant resources to
keeping these services patched or updated. Happily, we have heard from these
same customers that they can get a WorkSpaces Secure Browser up and running in
as little as 15 minutes. And because the service is fully managed, they get to
enjoy a "set it and forget it" administrative experience. Maintaining the
underlying operating system, scaling, browser updates, and so on are taken care
of on their behalf, letting IT teams focus on higher value work.
VMblog: What are some common use cases for WorkSpaces
Secure Browser?
Burkett: WorkSpaces Secure Browser is receiving interest from a variety of verticals, including financial, health care, and public sector
agencies that manage sensitive data. These customers are using it for internal
employees, and externally to enable third parties with secure, least privilege
access to their critical data. In addition, enterprises of all types, even
those who don't already otherwise use AWS End User Computing services, are
using WorkSpaces Secure Browser for securing web applications used by customer
care, HR, sales teams, and others. Finally, organizations are using
WorkSpaces Secure Browser to enable safe, isolated browsing of the public
Internet for users on high security networks who are otherwise blocked from
accessing the web.
VMblog: Can you tell me about some user personas that
are a good fit for WorkSpaces Secure Browser?
Burkett: Support agents are the most common persona, whether they are
providing front-line support to customers, or working in the back office.
They are increasingly adopting private browser-based web applications to
perform tasks like reviewing customer account details, verifying information,
and resolving disputes. One of the biggest challenges customers face is
ensuring support agents handle data in a way that meets their compliance
requirements - which leads to challenges with device management. Customers
might not be in a position to deploy software directly to these support agents'
devices if they're provided by an outside consulting firm or employee owned.
With WorkSpaces Secure Browser, they can deploy a consistent and managed
experience, customized for the agents and the web applications they need to
provide support, without compromising on security.
Another common persona is line of business users who need
authorized access to sensitive data without risking data exfiltration. With
WorkSpaces Secure Browser, organizations can enable their employees and
customers to access secure data and analytics environments. This use case cuts
across the enterprise and includes workers like lawyers, researchers, and line
of business users that need to safely access sensitive data in a tightly
controlled environment. Customers can ensure the isolation of sensitive data by
blocking use of clipboard, printer, and file transfer, and reduce the risk of data
exfiltration.
Users in areas of the public sector like Law
Enforcement, Department of Defense, or Intelligence leverage WorkSpaces
Secure Browser to provide safe browsing on the internet. Their browsing traffic
originates from an AWS NAT gateway IP, instead of an IP that can be associated
with their organization. Risky connections and interactions on the web are
isolated from both high-security networks and from user devices. At the end of
the session there is no data at rest - the instance is terminated and recycled,
there's no persistent state like cookies, browser history, or browsing data
cached on client devices.
VMblog: What decisions do customers need to make to get
started with WorkSpaces Secure Browser?
Burkett: Before getting started, customers need to ensure all their
content is supported by the most recent version of Chrome on Linux. This isn't
a challenge for most modern SaaS apps, but some legacy websites might have
dependencies that aren't compatible with the Chrome browser.
Since WorkSpaces Secure Browser is cloud-native, customers
can use their existing SAML2.0 identity provider for user management and
authentication. The service allows you to federate directly with your SAML
provider (like Okta or Ping) and define service-provider and identity provider
initiated authentication flows with single sign on (SSO), without managing
users in a new application. You can add the WorkSpaces Secure Browser portal to
your SAML2.0 application dashboard, and an authenticated user can launch a
session with a single click.
Last, you'll need a Virtual Private Cloud (VPC) with 2
private subnets in your desired region that has a connection to your private
web applications and/or the internet. If you're already running your apps in a
VPC, you can re-use the same VPC and have a fully private environment, or you
can route to the internet via a NAT Gateway.
VMblog: How does this solution stand out from competitors? What are your differentiators?
Burkett: WorkSpaces Secure Browser benefits from building upon a
20-year AWS legacy of customer-centric obsession with security. Built atop
robust, battle-tested components like Amazon EC2, the service is secure at its
roots. On top of this strong foundation, we deliver a managed experience that
ensures our customers are always utilizing the latest, most-secure versions of
the underlying operating system and browser application. Our research shows
that on any given day, upwards of 20% of browser users are running on a legacy
browser version, despite the fact that major version updates routinely include
multiple security fixes. With WorkSpaces Secure Browser, those risks are eliminated. Finally, we take
a lot of pride in our customer obsession. We meet with customers every single
day and their inputs are absolutely integral to our roadmap planning. We work
to deeply understand their needs, build innovative solutions on their behalf,
and iterate quickly via an active beta program that ensures nothing is lost in
translation.
VMblog: If there's one thing you want our readers to take away regarding WorkSpaces Secure Browser, what would it be?
Burkett: WorkSpaces Secure Browser provides a simple and straightforward way to increase the security of sensitive data delivered to users in
private web content. You don't have to be a virtualization or cloud expert.
Customers tell us they can get a proof of concept up and running in under an
hour. You can try it today, at no charge, for up to 30 users for 3 months
by visiting our pricing page and adding the free trial to your account: https://aws.amazon.com/workspaces-family/secure-browser/pricing/