Browser Isolation: An In-Depth Look

What is Browser Isolation?

Browser isolation is a security model that physically isolates Internet users’ browsing activity from their local computers, networks, and infrastructure. In this model, browser sessions are abstracted from the hardware the browser is running on, and the Internet connection being used, ensuring that harmful activities can only affect the isolated browser environment. This model is also known as a virtual browser.

Browser isolation works by providing users with a one-off, non-persistent browsing experience. This can be done in a number of ways, but usually includes virtualization, containerization, or cloud-based application virtualization. The isolated environment is reset or deleted when the user closes the browsing session or the session times out. In addition, malware and malicious traffic are also discarded, so they do not reach the endpoint device or network.

Types of Isolated Browsing

There are two main containment techniques for isolated browsing: local and remote isolation.

Local Isolation

This is the traditional isolation method. It includes running a sandbox or virtual machine on the user’s local computer to isolate its data from dangerous web browsing.

Remote Isolation

Remote browser isolation uses virtualization to create an isolated browser environment on a remote server. The user browses the Internet on the remote virtual environment. The remote server can be located in an organization’s network or hosted in the cloud.

In the remote isolated browser, there are two primary ways to isolate the user’s local device from web content. DOM mirroring is a technique that excludes certain types of web content that is considered dangerous, while displaying other types of web content in their original form—but the browser is not fully isolated.

Another technique is visual streaming, where the browser runs on the remote server and only its visual output is transmitted to the user’s device. This works similarly to virtual desktop infrastructure (VDI) systems. This provides complete isolation between the remote browser and endpoints.

What Threats Does Browser Isolation Defend Against?

Most modern web pages use JavaScript, and attackers can use JavaScript code to perform a variety of malicious activity on user devices. Because browsers execute JavaScript by default on a web page, these malicious scripts run as soon as a user visits the page. The scripts could be planted by malicious site owners, or by others, unbeknownst to the site owners, as in cross site scripting (XSS) attacks.

This can lead to attacks like drive-by downloads, in which the browser downloads files without the user’s consent, “malvertising”, in which malicious code is executed when the user views an ad, and clickjacking, which involves tricking users into clicking links they did not intend to click. XSS can also be used to hijack user sessions and steal credentials.

There are several other browser-based threat vectors, including forced redirects to malicious URLs, and exploiting unpatched browser vulnerabilities.

Almost all these threats can be prevented by using browser isolation, because malicious activity occurs in an isolated or remote environment, not directly on the user’s device. For example, if a malicious script forces a redirection or a drive-by download, this would not affect the user, as the URL or file are executed in an isolated environment.

Browser Isolation: Key Security Features

Here are a few of the key security features browser isolation products offer:

  • Blocking malware—allows users to browse the web without being exposed to malicious downloads or malicious scripts on websites.
  • Phishing protection—when users access email through an isolated browser, they are protected against malware hiding in email attachments or links. This can help prevent a majority of phishing attacks.
  • Credential theft prevention—browser isolation can help prevent theft of private information. Administrators can prevent users from typing sensitive information like passwords or bank account details, except in known, safe locations.
  • Document isolation—many document formats can contain malware. In an isolated browser, users view documents within the isolated environment, meaning that malicious scripts do not affect the local device. After scanning the file for malware, the user can be allowed to download it to their personal device.
  • Blocking unsafe plugins and technologies—if users access websites rendered with legacy technologies like Adobe Flash, or install plugins that have security vulnerabilities, attacks will be shielded from the personal device.
  • Reporting and forensics—with browser isolation, administrators can monitor and audit browsing activity, see when users access unsafe content, and when attacks occur within an isolated browser, determine the root cause.

Components of a Browser Isolation System

An isolated browser system is typically built of the following components.


End users initiate web requests using a client interface, deployed on their local device. A client can be deployed on any desktop, laptop, smartphone or other computing device that has an Internet connection and local web browser.

In local browser isolation, the client coexists with an isolation solution that can run the browser separately from the local environment. In a remote browser solution, the client shows the visual output of the remote browser.

Web Security Service

Determines what traffic and types of content should be allowed for the user. Most browser isolation solutions have built-in web security services that can be configured according to your business needs. For example, you can choose to exclude traffic from certain websites, filter out specific types of content (such as Adobe Flash elements), block downloads in certain circumstances, and display warnings when suspicious behavior occurs.

Threat Isolation Engine

A decision engine that can run specific types of content in an isolated browser, depending on security rules from the web security service. It allows users to work in a regular, non-isolated browser, and switch activity to an isolated browser when needed.

Disposable Container

Containers are independent packages that can run software independently of the surrounding infrastructure. The container is disposable, launched to accommodate one user session, and securely deleted when the user ends their session, to ensure any malware or threats are removed from the local system.

Web Socket

A secure channel for data to flow between the client and the web security service. The web socket is connected to the client, receives instructions from the security service, and applies them to the browser environment in real time.

Hosting Environment

This is the infrastructure that runs the isolated browser. It can be:

  • The local user’s device, running an isolation solution
  • A server managed by your organization on-premises
  • A server running in the cloud
  • A fully managed third party service

The Public Web

The user uses the client to access addresses in the public Internet. However, unlike a regular browsing experience, communication is between public websites and the isolated browser, which may be hosted in a remote location. Some of the data may be blocked or filtered as defined in the web security service. The resulting content is displayed in the client.

The Content

Internet content retrieved by browser isolation systems can be legitimate or malicious. Some solutions display all content as is, as long as it meets basic security requirements. Other solutions add a layer of content filtering, allowing you to block inappropriate content and preventing it from being accessed by the client, even if it bears no direct security risk.

Browser Isolation with Hysolate

Hysolate is more than just a remote virtual browser. Hysolate isolates your entire Operating System, so your team can get their jobs done in a productive, secure way. Within Hysolate users can access not just untrusted websites, but also applications, documents and external peripherals like USBs and printers in a fully isolated “untrusted environment”, without introducing malicious threats to their corporate or sensitive data in the main OS.

Hysolate sits on user endpoints, eliminating UX issues like lag and latency with heavier applications, but it also comes with full admin management from the cloud. That means that admins can deploy Hysolate at scale across their company, including different settings for different teams, and can also wipe a Workspace if it contains malicious activity, or if it is no longer needed.

Request a demo or try out Hysolate Free to learn more about Hysolate’s full OS isolation solution.