5 min read | December 9, 2025

Built for Security: Island’s Commitment to CISA’s Secure by Design Pledge

Enterprise security

At Island, the future of work is impossible without security and privacy, which is why they are both central design principles we adhere to every day.

At Island, security is embedded in all we do. That’s why Island is a proud participant in the Cybersecurity and Infrastructure Security Agency (CISA) Secure by Design Pledge, reinforcing our commitment to making the Enterprise Browser secure, resilient, and trustworthy software that empowers every user on any device.

What is Secure by Design?

CISA’s Secure by Design Pledge calls on software manufacturers to prioritize security at every stage of the development lifecycle. It includes seven goals, each supported by measurable benchmarks for progress. By joining the pledge, Island agrees to provide context and concrete examples that highlight measurable outcomes within a year. Fortunately, our founding principles, coupled with the hundreds of organizations already trusting and advising Island, make many of the Pledge items a current rather than future part of what we do.

How Island is already upholding the Secure by Design Pledge

Ubiquitous Multi-factor Authentication for Island customers

The Island Enterprise Browser enables administrators to embed MFA into every web application and on every user flow, and it enforces strong MFA methods. Island believes in this design principle so strongly that we even allow organizations to inject MFA into applications that don’t offer it, using the Island Enterprise Browser as the policy enforcement point. 

Island helps enterprises enforce the highest standards by attaching MFA to application access, sensitive user interactions, and physical access to idle machines – on both managed and unmanaged devices.

Our MFA capabilities protect the enterprise while empowering the end user by combining the power of MFA everywhere with strong methods, last-mile controls, and enterprise-grade protections.

Enforcing Smarter Password Policy

The first line of defense against credential-based attacks is still the password, and attackers know it. Weak, repeated, or default passwords remain a risk across federal and enterprise environments. 

The Enterprise Browser enables organizations to enforce modern, risk-aware password policies directly at the application layer. Security teams can mandate password changes after a certain time period, prevent reuse of previously compromised credentials, and require compliance with rules that reflect mission-specific threat models. 

Better Password Management

For the modern enterprise, a good password manager is no longer a luxury, but rather an increasingly necessary tool for maintaining authentication best practices.

The Enterprise Browser not only reduces reliance on default passwords across the product but also strengthens credential protections throughout.

Island’s password manager generates strong, complex passwords and enforces password hygiene, minimizing human error and poor practices. The browser’s password manager also provides centralized password management and securely stores usernames and passwords in one place, replacing tedious manual credential control. 

Reducing Entire Classes of Vulnerability

Island transforms how data is handled, stored, and erased. 

Our approach specifically protects against memory-based attacks and secures data remnants that malware or forensic tools commonly exploit. 

Unlike consumer browsers, which leave passwords, authentication tokens, and session cookies unencrypted in memory, Island automatically encrypts data upon receipt. The Enterprise Browser decrypts data deemed sensitive only when it is strictly necessary.

For the cases when sensitive data might be lingering unintentionally, Island developed a two-pronged solution combining targeted memory deallocation hooks with an automated validation framework.

In the enterprise environment, memory-based attacks can be crippling. Island fundamentally strengthens protections for data storage, turning the browser itself into a secure workspace and reducing the attack surface.
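To make the memory-remnant problem concrete, here is an added C illustration (not Island's code; the static arena, the wipe-on-release hook and the validator are all constructed for this example) that pairs a deallocation hook with a scan verifying that no copy of a secret survives after release, and contrasts it with a release that skips the hook:

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed toy arena: every "allocation" comes from this static pool so
 * the validation scan can inspect the whole region deterministically
 * (scanning freed heap memory would be undefined behaviour). */
#define ARENA_SIZE 4096
static unsigned char arena[ARENA_SIZE];
static size_t arena_used = 0;

/* Wipe through a volatile pointer so the compiler cannot drop the stores
 * as dead writes to memory that is about to be released. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Bump allocation from the pool; NULL when exhausted. */
void *sensitive_alloc(size_t n) {
    if (n > ARENA_SIZE - arena_used) return NULL;
    void *p = arena + arena_used;
    arena_used += n;
    return p;
}

/* Deallocation hook: scrub the secret before the block is given up. */
void sensitive_free(void *p, size_t n) {
    if (p) secure_wipe(p, n);
}

/* Validation step: does any copy of `needle` survive anywhere in the arena? */
bool arena_contains(const void *needle, size_t n) {
    if (n == 0 || n > ARENA_SIZE) return false;
    for (size_t i = 0; i + n <= ARENA_SIZE; i++)
        if (memcmp(arena + i, needle, n) == 0) return true;
    return false;
}

/* Constructed sample secret (lives in .rodata, outside the scanned arena). */
static const char TOKEN[] = "CONSTRUCTED-SESSION-TOKEN-1234";
#define TOKEN_LEN (sizeof TOKEN - 1)

/* Hold a token, use it, release it; true only if it was visible while in
 * use and the hook left no remnant afterwards. */
bool token_lifecycle_hooked(void) {
    char *buf = sensitive_alloc(TOKEN_LEN);
    if (!buf) return false;
    memcpy(buf, TOKEN, TOKEN_LEN);
    bool present = arena_contains(TOKEN, TOKEN_LEN);
    sensitive_free(buf, TOKEN_LEN);
    return present && !arena_contains(TOKEN, TOKEN_LEN);
}

/* Same flow without the hook: the pointer is just forgotten, so the
 * validator still finds the plaintext; returns true when a remnant remains. */
bool token_lifecycle_naive_leaves_remnant(void) {
    char *buf = sensitive_alloc(TOKEN_LEN);
    if (!buf) return false;
    memcpy(buf, TOKEN, TOKEN_LEN);
    buf = NULL; /* "released" without scrubbing */
    return arena_contains(TOKEN, TOKEN_LEN);
}
```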

Security Patches

Security patches are only useful if organizations can and do install them quickly. At Island, we make patching invisible to the end user and automatic for the administrator. 

The Enterprise Browser runs a continuous delivery model where updates are streamed to users as they are validated, without disruption or delay. Patches are applied in the background, even on unmanaged devices. 

Common Vulnerabilities and Exposures (CVEs)

To provide the future of work, the Island Enterprise Browser needs to be secure and private, but it also has to make work simpler. The rendering engine and the usability are the primary drivers for using Chromium. That’s why Island has created a fork of Chromium, the open-source web browser project, so that customers can leverage its rendering engine and usability. Island’s closed-source layer on top of the Chromium fork focuses on allowing customers to create and deliver productivity and security policies to Enterprise Browsers. But as a contributing author to Chromium, there comes an opportunity and a responsibility:

Opportunity: Chromium was originally developed by Google in 2008 for the purpose of accelerating web and cloud adoption. But as search and ad revenue remains Google’s primary revenue source, the Chromium source in many ways is a search and ads revenue engine, with more source code focused on consumerism than supporting an enterprise’s mission or business. Island’s opportunity came in creating a more streamlined fork of Chromium, using only about 40 percent of the source code, focusing on enterprise use of web, cloud, and SaaS. By reducing the overall amount of Chromium source code in Island, the Enterprise Browser starts out with less attack and vulnerability surface. 

Responsibility: Island is and will be a highly active contributing author to Chromium. When vulnerabilities and fixes to the Enterprise Browser are found by Island or its customers, Island releases remediation code and fixes back to the Chromium open-source community. 

Island Internal: Island is a contributing author to Chromium, and Island developers provide constant updates and fixes to Chromium's open-source code.

Evidence of Intrusions

Island aligns with the NIST SP 800-207 Zero Trust (ZT) principle of ‘never trust, always verify’, applied on a per-connection basis. Because the Enterprise Browser issues the TLS handshake, Island customers have visibility down to the keystroke for critical business or mission activities. The Enterprise Browser acts as a policy enforcement point (PEP), capturing forensic-grade telemetry that gives organizations the visibility they need to determine risk. Island enforces ZT policies for each of the pillars: user, device, network, application, and data, and allows administrators to create automated conditional access policies based on changing real-time conditions.

Administrators have access to detailed logs of user activity, security policy enforcement, and anomaly detection. Because the browser operates independently of the network, even compromised endpoints still yield useful intrusion evidence. This improves how quickly and effectively incident response can contain and recover from attacks.

What’s Next 

As a signatory of the CISA Secure by Design Pledge, we’re securing the Enterprise Browser from the ground up. Security isn’t an add-on at Island. It’s part of the blueprint alongside productivity and a simplified end-user experience. From MFA to eliminating entire classes of vulnerabilities, our goal is to make doing the right thing the default, not the exception.

Scott Montgomery

Scott Montgomery has a tenured career building information security and privacy products, helping organizations increase their defensive posture, evangelizing to technical audiences and the greater public, and driving shareholder value. Scott loves making difficult infosec concepts more accessible to wider audiences. He has presented to numerous audiences as a lecturer and has also testified before Congress. Scott has designed, built, tested, fielded, certified, sold, and supported a wide range of information security and privacy products, notably during a ten year stint with McAfee. He has also held multiple Chief Technology Officer positions, including for private and public organizations. A native Philadelphian, Scott, his wife, two kids, and two standard poodles now live just outside Washington DC in suburban Maryland.
