The Enterprise Browser Blog

The Enterprise Browser named in 4 different Gartner Hype Cycles

August 7, 2023
Tad Johnson

It’s humbling and gratifying for a technology vendor to get named to a Gartner Hype Cycle™. The Enterprise Browser was just named in four. Four different Hype Cycle reports in the span of two weeks. What’s driving this explosion of interest?

The observations from Gartner are a reflection of the broad value that the Enterprise Browser delivers. A simplified approach to implementing Zero Trust Networking, even on unmanaged devices. The rationalization of the Everything-as-a-Service delivery model. Layered protections for Endpoint Security. Improved productivity through a refined approach to Workload and Network Security. Shifting the point of control and governance to the point of maximum impact — the browser — unlocks new workflows, more flexibility, and ultimately more productivity throughout the enterprise.

Focus on the game and the scoreboard takes care of itself. 

Our mission is to deliver the ideal enterprise work environment. When the call center agent can shave seconds off a task that they repeat hundreds of times each week, that’s progress. When a healthcare provider can quickly access sensitive patient information and spend more time with patients — and less time in front of their computer — that’s progress. When a business can reduce their operational expenses and invest more into their core products and services, that’s progress. These aren’t hypothetical examples; this is how Island, the Enterprise Browser, is delivering real value, right now. When hype is the natural result of delivering real value, then you know the hype is real.

Why now? 

The web browser is not new. It’s a technology that’s been evolving for over 30 years, and it reached ubiquity long ago. The “browser wars” are over and we all benefit from universal standards and cross-platform compatibility. Along the way, browsers and the web applications they powered gained more and more capabilities. In the workplace, it’s now common for most employees to do most of their work within a browser. And recently, the workplace moved outside the office and left the traditional managed network behind. Put simply, the browser is the workspace, and the workspace is the browser.

In this context, the rise of the Enterprise Browser is the logical outcome. Critical applications, data, and work flow through the browser; it follows that enterprise technology leaders would choose the browser that’s built for them. The Enterprise Browser represents a new approach to enabling enterprise workflows with security, application controls, and user productivity at the forefront. To learn more about how the Enterprise Browser creates new opportunities for IT, Security, and the enterprise workforce more broadly, read a recent research report from Gartner about the Future of Enterprise Browsers 1.

1 Gartner, Emerging Tech: Security — The Future of Enterprise Browsers, Dan Ayoub, Evgeny Mirolyubov, Max Taggett, Dave Messett, 14 April 2023

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. 

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. 

Enterprise Browser: Revolutionizing XaaS

July 30, 2023
Tad Johnson

In the rapidly evolving world of Everything-as-a-Service (XaaS), security and accessibility take center stage. The Enterprise Browser, a cutting-edge solution by Island, is shaping the future of secure application access. Recognized by the latest Gartner Hype Cycle for XaaS, the Enterprise Browser is designed to offer unparalleled security, even on unmanaged or untrusted devices. This article dives into the transformative role of the Enterprise Browser in the XaaS delivery model, and how it stands apart from traditional solutions.

The most recent Gartner Hype Cycle™ for XaaS named Island as a Sample Vendor for Endpoint Access Isolation. The Enterprise Browser offers an elegant approach to secure application access even when the host device is unmanaged or untrusted. The unique last-mile controls and self-protecting browser capabilities differentiate Island from legacy solutions like VDI/DaaS or classic VPN. As the research notes, “Trading physical hardware for virtual desktop infrastructure (VDI) and desktop as a service (DaaS) sessions for contractors and partners won’t address the underlying security issues of the local machine — a viable vector for credential and IP theft.”1

As the Everything-as-a-Service (XaaS) trend continues, the browser has an increasingly critical role to play. Enterprise workflows with sensitive business information often take place exclusively through the browser — crossing multiple service providers on the far end. Workers that connect remotely outside the office, or third-party contractors that make up the extended workforce, put a strain on legacy security solutions that were designed for a managed endpoint and managed network environment. 

According to the Hype Cycle research, “Traditional remote access tools like classic VPN can profile a device but can’t actively neutralize local threats. As organizations rethink allowing access to SaaS apps via any browser, from any device, this technology can offer a more secure way to reach these apps. This technology allows organizations to simplify both the standard IT “stack” and its deployment to end users for remote access. This is particularly important as hybrid working remains a day-to-day reality for most organizations.”1

Island pioneered the Enterprise Browser to deliver secure access and offer a productive workspace that works across any deployment model and all device types. By embedding access policies, data protection, and security controls within the Enterprise Browser, Island creates a safe working environment that works on unmanaged endpoints (e.g., BYOD or contractor devices) as well as managed endpoints. Last-mile controls protect sensitive data from moving outside the enterprise environment, and the self-protecting browser neutralizes tampering and local malware, such as keystroke loggers. This approach is validated in the Hype Cycle research: “There is a trend of adding a layer of security through enforcing consistent browser configuration and control for any user accessing productivity apps and company data from an unmanaged PC.”1

To support organizations with a mix of on-premise and cloud applications, the Enterprise Browser offers integrated Island Private Access (IPA) to make a secure connection to private applications or networks that aren’t open to the Internet. IT administrators or engineers use the integrated SSH client to securely connect to servers over IPA. Internal web applications that were built for Internet Explorer aren’t left behind either, as Island supports IE Mode for a seamless user experience across both modern and legacy applications. 

The Enterprise Browser represents a new approach to security that puts access controls, data protections, and application visibility at the point of maximum impact: inside the browser. To learn more about how the Enterprise Browser creates new opportunities for IT, Security, and the enterprise workforce more broadly, read a recent research report from Gartner about the Future of Enterprise Browsers 2.

1 Source: Gartner, Hype Cycle for XaaS, Jason Donham, Philip Dawson, Chris Silva, Stuart Downes, et al., 20 July 2023

2 Gartner, Emerging Tech: Security — The Future of Enterprise Browsers, Dan Ayoub, Evgeny Mirolyubov, Max Taggett, Dave Messett, 14 April 2023

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and HYPE CYCLE is a registered trademark of Gartner, Inc. and/or its affiliates and are used herein with permission. All rights reserved.

Enterprise Browser Enters Gartner Hype Cycle for ZTNA

July 26, 2023
Tad Johnson

Two massive shifts forever changed the enterprise workplace: Applications moved off the desktop to the cloud, and workers left the office to work remotely.

Together, these changes pushed IT and Security teams to rethink their strategy for delivering and securing enterprise workflows and data. Along the way, the web browser moved from a supporting tool for accessing information to the central workspace where most users do most of their work. It follows that the Enterprise Browser category is growing in importance as more organizations adopt a browser that’s built for enterprise work and delivers essential security controls and governance. 

The most recent Gartner Hype Cycle™ for Zero Trust Networking named Island as an Example Vendor for Enterprise Browsers. In the report, they highlight several of the key drivers for customer adoption, including “providing Day 1 access for new organizations gained through mergers and acquisitions, contractor access management, or as layered security controls on top of fragile critical infrastructure.”1

In the context of a zero trust security framework, the Island Enterprise Browser offers a welcome alternative to infrastructure-heavy legacy security solutions. The browser holds a privileged location within the application workflow: it knows the user’s identity, the posture of the device it’s running on, the network it’s connected to, the geographic location it’s operating in. This creates the foundation for zero trust access policies, even for deployments that challenge legacy security solutions. As the report identifies, “Existing security solutions often struggle to support unmanaged devices. This is an area where enterprise browsers have found early traction in the market, by providing an acceptable level of secure remote access that is able to maintain a mostly familiar end-user experience.”1

Where the Enterprise Browser stands apart is its ability to extend zero trust principles inside an application. With full visibility and control of the specific actions and data, the Enterprise Browser can apply the least-privilege principles within any application. For example, a call center employee could view a customer record in their CRM with certain sensitive fields redacted and be restricted from printing, saving, or exporting that information. Or a contractor could gain access to an internal system in read-only mode for a limited period of time. In these cases, there’s no dependency on the application itself to support role-based access policies or redactions, as it’s done within the Enterprise Browser itself.

The Enterprise Browser represents a new approach to security that puts access controls, data protections, and application visibility at the point of maximum impact: inside the browser. To learn more about how the Enterprise Browser creates new opportunities for IT, Security, and the enterprise workforce more broadly, read a recent research report from Gartner about the Future of Enterprise Browsers 2.

1 Source: Gartner, Hype Cycle for Zero Trust Networking, Andrew Lerner, John Watts, Dan Ayoub, et al., 18 July 2023

2 Gartner, Emerging Tech: Security — The Future of Enterprise Browsers, Dan Ayoub, Evgeny Mirolyubov, Max Taggett, Dave Messett, 14 April 2023

Embracing Generative AI in the workplace

June 14, 2023
Tad Johnson

2023 is the year that generative AI reached mainstream awareness. ChatGPT captured the world’s attention and imagination for what’s possible. It’s still the early days, but there’s no question that this technology presents a massive opportunity to boost productivity across a wide range of disciplines. Those organizations that embrace AI and experiment with ways to optimize key workflows will surely see positive returns. Many more vendors will enter the market with AI-enabled products while the hyperscale cloud providers continue to differentiate their platforms through integrated AI tools. We can’t see the future, but it’s clear that generative AI will play a transformative role over the next decade. 

Of course, like all transformative technologies, there are well-founded concerns about governance and safe usage of generative AI tools in the workplace. A well-intentioned employee could inadvertently leak confidential or sensitive information when submitting an AI chat prompt or uploading an image file. This seemingly benign action can create an immediate data loss problem, but also a long-term one when that sensitive information becomes part of the dataset used to generate new responses. Recent news reports indicate this exact scenario played out at Samsung, where employees submitted highly sensitive source code to ChatGPT for debugging. Incidents like these expose two orders of risk: the first is the direct impact of inappropriate information handling and leaking sensitive data. The second, and arguably larger risk, is the opportunity cost to organizations who avoid AI tools entirely out of concern for data security. There’s so much positive potential for generative AI that organizations who close that door now may be left behind in the future. A recent paper published by NBER showed a 14% increase in productivity for call center workers assisted by generative AI — and that’s with today’s relatively immature AI product set. The future is bright for organizations who embrace the potential for AI and implement the necessary controls to use it safely. 

Smart AI Governance

When considering how to implement smart AI governance in the workplace, start with these four categories: 

  1. User Education and Awareness

Data security when using AI tools is grounded in the same policies and practices used when working with third-party agencies or vendors. User education and basic data protections go a long way in reducing the risk of unwanted data leakage. When a user starts interacting with AI tools, it’s a good opportunity to remind them about the information security policies that govern the interaction.

  2. Protecting AI Inputs

Adding interactive controls around the AI inputs, or prompts, is a smart way to avoid unwanted information disclosure. Users should get immediate feedback if they attempt to share sensitive data like payment records, social security numbers, or API keys. Some applications, like source code repositories, may be entirely off-limits and restrict any data being shared with an external AI tool. When done right, these controls can prevent inappropriate information leakage without degrading the user experience.

  3. Inspecting AI Outputs

Today’s generation of AI tools are always confident in their responses, even if those responses contain factual errors. A New York lawyer discovered how damaging this can be when he submitted a court filing including AI-generated citations — that did not exist in reality. Adding some boundaries around how the AI-generated output is used is a smart approach. This is especially true for AI-generated code, where a developer may be tempted to copy and paste whole blocks of code without careful analysis.

  4. Measuring Efficacy

The ultimate goal for AI usage in the workplace is to improve overall efficiency and employee productivity. As organizations develop their AI strategy, it’s smart to consider how to measure the results. This will differ greatly depending on the particular function where AI is being used, but it’s essential to help steer business leaders towards success. 

AI And The Enterprise Browser 

Island, the Enterprise Browser, is the ideal platform to safely use generative AI tools without compromising on data security or leakage. Whether your organization is just getting started with AI and experimenting with different services, or if you’ve identified a preferred AI tech stack and you want to maximize its value, Island offers several key capabilities to benefit IT, Security, and the end-users directly.  

Application visibility offers a full accounting of all the web applications and extensions used throughout the organization. This is useful for identifying users or groups who are early adopters and make good candidates for testing AI tools and policies before widespread adoption.  Visibility extends to application usage, including the ability to audit all interactions with AI tools to analyze user-generated prompts. All analytics data collected by Island can be shared with your SIEM or data aggregation platform of choice. 

Gracefully redirect users to the AI tools your organization prefers, and prevent the use of unsafe alternatives. If a user attempts to use an unwanted AI application or install an unsanctioned AI browser extension, Island can block access and redirect to the sanctioned platform, including the native built-in Island AI Assistant. Browser extensions are fully managed within Island, so you can allow for experimentation, while controlling which applications those extensions can be used with. Or, you can automatically install the preferred extensions while blocking others. Many vendors are offering AI-powered extensions so this is an important area to implement smart governance. 

End-user awareness and education is improved through dynamic in-browser messaging. If a user attempts to paste sensitive data they will see a clear message explaining why the action was prevented and where they can learn more about company data policies. When a user navigates to an AI tool like ChatGPT, they will see a message reminding them about the company's privacy and security policies and the acceptable-use policy for generative AI tools. Showing this type of information in context, at the moment it’s relevant, makes it more effective than alternatives like a company-wide email message. 

Scan AI-generated code output to govern how it’s used. Generative AI tools will often generate code snippets that are functional but include serious flaws that should never make their way into a production environment. Island can scan code blocks when a user attempts to copy and provide immediate feedback. This approach balances the benefit for developers getting code suggestions from AI, while ensuring that they don’t uncritically accept the generated code and paste it into a production codebase. 

Application boundaries provide an intuitive way to keep sensitive data within certain applications, and the corporate tenant of those applications, from being moved or shared to untrusted destinations. As an example, customer support staff can move customer records freely between the corporate tenants of, Slack, and Microsoft365 but they can’t be pasted into the ChatGPT prompt window. This same boundary applies to browser extensions, which can be automatically disabled when accessing critical applications.

Contextual DLP controls offer further granularity to prevent certain types of data, like credit cards or social security numbers, from being shared with an AI tool — regardless of where they originated. If these data types are detected, the user sees a clear message explaining why their action was blocked and a reminder about using sensitive data with AI tools. This control mechanism allows for use of AI tools while preventing sensitive data getting added to a prompt. Island offers a built-in DLP engine and can integrate with external providers to leverage existing rules and classifications.   

Flexible deployment options for AI tools optimize the user experience. With Island, AI web applications can be deployed as browser extensions, added as a link to the homepage, or brought out of the browser and deployed as a standalone app on the desktop. Regardless of which deployment method users prefer, all the data controls, governance, and auditing visibility are the same. For organizations that choose to standardize on a particular AI vendor, users can see a gentle reminder or a redirect to the appropriate corporate standard AI resources when they attempt to access other AI tools — or they can be blocked entirely. And for users who are new to generative AI tools, Island offers the ideal onramp with a built-in AI Assistant that’s immediately available in a side panel within the browser. Across all deployment models, Island gives you unmatched visibility, audit logging, and metrics to refine policies and measure efficacy.

Looking Ahead 

We don’t know exactly what the long term impact of widespread generative AI usage will be — the full potential of disruptive technologies is only understood in hindsight. It’s a safe prediction to say that AI will massively transform the way we work, and bring a dramatic increase in productivity. The risks to data security are real, but they’re overshadowed by the opportunity cost to organizations that avoid AI entirely. Across industries, the organizations that harness the power of AI for productivity and efficiency gains will see competitive advantage. The generative AI category is in the early stages, and there will surely be missteps and surprises along the way to full maturity. At this moment, there’s tremendous value in instrumenting the tools, policies, and practices to safely navigate the coming AI revolution. This includes user awareness, application visibility, and governance for AI inputs and outputs.

Island, the Enterprise Browser, is the ideal platform to safely use generative AI in the workplace. Island delivers the complete visibility, governance, and DLP controls that IT and Security teams need, along with a frictionless end-user experience that guides and informs users in using AI tools safely and efficiently. With Island, organizations can embrace innovation while safeguarding sensitive data. 

WWLW Ep. 23: The Case of the Viable BYOD Program

May 25, 2023
Davie Park

What we know  

Davie is working with a customer who needs to balance strong security controls with a user-friendly mobile BYOD program. This customer wants to protect sensitive data, apply DLP rules, and ensure that enterprise applications are available to their employees. Other solutions they explored forced too many trade-offs: either requiring too much intrusion into the employee’s personal device, or creating a cumbersome interface that isn’t optimized for a mobile device screen.

What we learned

A common approach for mobile BYOD programs is to use a mobile device management (MDM) solution. The challenge with this approach is that it requires a device enrollment workflow that’s unfamiliar to users and requires that employees allow management of their personal device — including the ability to wipe their device, inspect the installed apps, or route all network traffic through a proxy. For privacy-conscious employees, this is often a bridge too far.

The other approach this customer explored was desktop virtualization. Many VDI platforms offer a mobile interface, but the user experience is generally poor. Rendering virtualized applications on a tablet-sized screen may work for some use cases, but doing that on a phone is a stretch.

When this customer met with Davie and saw Island, the Enterprise Browser, they immediately saw the potential for their BYOD program.

What happened next

With the Enterprise Browser available on both iOS and Android app stores, every employee can easily install the app with the same familiar workflow they’re accustomed to. Once launched, they authenticate with their enterprise identity and can access all the apps provisioned to them. When they’re done with their work tasks, they simply switch apps to their consumer browser of choice. Unlike an MDM solution, Island doesn’t require any device-level configurations so their personal devices remain personal. When an employee leaves the organization, they simply delete the Island app and there’s nothing left behind on their device.

Our commitment to the environment

May 12, 2023
Jennifer Park

Island has been fortunate in so many respects, especially at this early stage of our life as a company. To us, that good fortune isn’t just a positive outcome of our past efforts, but a responsibility for the future. To take some of that success, and turn it outwards by improving the communities and the world around us. 

In that light, we’ve made certain commitments regarding our carbon footprint.

We’re still a small organization - so our impact at this stage may not be gigantic. But we feel every step in the right direction is an important one. It’s a way for us to use whatever resources we have to better the world around us - no matter how big or small.

Our first initiative is to commit to making our products carbon neutral. To do that, we are partnering with a carbon offset provider as well as contributing to key emission-reduction projects. 

And we’re happy to be able to say that this is our second year in a row we’ve offset our carbon emissions!

Here are the initiatives we are participating in to make these offsets possible:

  • Home on the Range – This project protects native grasslands across the Great Plains. By protecting this land from conversion to agriculture, millions of tonnes of CO2 are stored in the grass and the soil.

  • Where the Buffalo Roam – The Southern Plains Land Trust purchases land for prairie wildlife. So far, it has protected over 56,000 acres in the preserve network, providing urgently needed refuge to a wide variety of native grassland animals and plants. Piece by piece, it is restoring the American Serengeti.

  • Seeing the Forest for the Trees – This small community-based Improved Forestry Management project encourages residents to preserve and grow the biomass in their standing forests despite multiple opportunities to cut trees for profit or for increased grazing opportunities.

But it goes further than our product itself. Island also offsets the heavy footprint coming from the hardware and compute-intensive products and services we displace such as desktop virtualization and traffic backhauling technologies. A difference that amounts to something quite significant. This is good for Island, good for businesses everywhere, and great for society as a whole. 

This small but significant step is exciting - but it’s just the starting point. From here, we’ll actively seek other ways we can make things better for the people and the world around us.

WWLW Ep. 22: The Case of The Credit Card Masking

May 10, 2023
Tim Deese

What we know

Tim is working with a retailer based in the Pacific Northwest. One of their challenges is related to handling customer credit card data when they need to process refunds. The legacy payment platform they’re using requires an employee to scroll through a list of transactions to find the charge that needs to be refunded — showing too much information in the process. Rewriting that application wasn’t an option, so they turned to Island to see how we could help mask the credit cards within the web interface.

What we learned

This is a common challenge that Island, the Enterprise Browser, is perfectly positioned to solve. Many organizations have web applications that disclose more information than necessary to a user: credit card numbers, email addresses, or social security numbers, as a few examples. With Island, it’s easy to add a data masking rule that hides the sensitive information from view, with the option to reveal one record at a time as needed. Because it’s applying this masking locally in the browser, there’s no dependency on the backend systems and no code changes required — especially helpful for legacy applications that are difficult or impossible to modify.

What happened next

Tim helped this customer create a policy that obfuscates credit card numbers while leaving the last four digits visible for easy identification. The store managers now have a much improved workflow that allows them to find and issue refunds quickly without displaying every credit card number on the screen. This had been a thorny problem that their other security tools simply couldn’t resolve, until they found the Enterprise Browser. Along the way, Tim helped address several other challenges relating to safe browsing and content filtering and even found a way to open internet access for employees during their break time, while limiting distractions within the store. This is another great example of using the Enterprise Browser to improve the end-user experience while safeguarding sensitive business data.

WWLW Ep. 21: The Case of Employee Privacy on Shared Devices

May 3, 2023
Matt Pour

What we know

Matt is working with a retail-based service provider with over a thousand locations who raised a concern around employee privacy. Their service technicians use shared computers as part of their workflow and accidental disclosure of personal & sensitive information is an issue. Complicating the matter, this organization is required to adhere to various state and federal privacy laws in each region they do business in.

What we learned

This organization’s Privacy Officer shared a concern with Matt that their employees were using shared computers to access their pay statements and tax documents and leaving them on the desktop where another employee could easily find them. Obviously this was not ideal. Fortunately, Matt was able to work with them to implement policies within the Island Enterprise Browser to proactively warn employees when they were accessing sensitive information on the shared computer and automatically delete the records once they were done.

What happened next

This customer experience is a perfect example of how Island, The Enterprise Browser, offers real value that goes beyond IT and Security. The Privacy Officer and their legal department were pleased to discover that Island could solve a challenging issue for their staff, and the employees at this organization benefit from Island’s ease of use while protecting their personal data from accidental disclosure.

WWLW Ep. 20: The Case of Saying “Yes”

April 26, 2023
Dean Carey

What we know  

Dean is working with a large financial services company who found Island to be the ideal solution for several of their data security and access controls. Along the way, they uncovered an opportunity to change the way they approach the use of personal apps like Gmail.

What we learned

As a financial company, their employees routinely handle sensitive customer and financial information and they operate under strict financial regulations. Previously, their policy around personal apps was simple: not allowed on company devices. This simplified data controls, but it created some frustrations for users who wanted to take a few minutes in their day to send a personal email. Users would need to switch between devices or wait until they left the office. With Island, they were able to take a new approach and say “yes” to users who desired the convenience of a quick personal email while at work.

What happened next

By implementing the Enterprise Browser, this company now has all the data controls and visibility they require to create a firm boundary around sensitive information and ensure that nothing leaks out the side door into a personal email thread. This new posture is very popular with their user community and it’s helped accelerate their rollout of Island. Now, users get both a valuable workplace for conducting all their work tasks and a safe, secure way to access personal apps. And importantly, they use the built-in Island privacy indicators to clearly show their users that personal information is not being tracked when they’re engaging with personal apps. The company can say “yes” while strengthening their security posture.

WWLW Ep. 19: The Case of the Claims Adjusters

April 19, 2023
Derek Carver

What we know  

Derek is working with an insurance company based in the U.S. with a large staff who work remotely and travel on-site to document and evaluate their customer insurance claims. The onboarding process for these remote staff was starting to cause friction and unwanted delays. Their previous model was to ship a full computer workstation to the employee’s home and then walk through the setup process over the phone. With employees’ varying degrees of technical savviness, this resulted in hours of help desk agent time and frustration for the employee — not to mention a significant upfront cost for the hardware and shipping.

What we learned

Derek worked with this customer to design a model where employees could use their existing computer and install the Enterprise Browser to access all the applications and resources they need. Compared to the task of setting up a full workstation, the process of installing Island is a snap. The demand on their help desk dropped significantly, and the hardware and shipping costs went to zero. Another benefit to using Island is the integrated Island Private Access solution that replaces their legacy VPN solution. Now their employees get fast access to every web application they need, with Island securely routing traffic for internal apps and sending public Internet traffic directly through their home broadband connection. VPN congestion was a problem during busy times of the year, and Island completely eliminates that bottleneck.

What happened next

Another big improvement for the claims adjusters who travel on-site to their customer’s location is the Island Mobile app. Previously, adjusters would visit the site, take photos and notes, then return to their home office to input all the information. With Island Mobile, they can access their claims applications directly from a smartphone or tablet over a cellular network. This reduces the time it takes to begin the claims process and eliminates the extra step for adjusters. With Island, this insurance company is streamlining their entire claims adjustment process and delighting their employees with a fast, efficient workflow.

WWLW Ep. 18: The Case of the Graceful M&A Onboarding

April 12, 2023
Brian Borthwell

What we know  

Brian is working with a customer who recently acquired another company and is working through the project of merging their systems and onboarding their staff. One of the big challenges with M&A activity is the scale of the onboarding process — unlike regular employee hiring that is gradual over time, they need to onboard thousands of employees all at the same time.

What we learned

This organization considered a few different approaches: shipping out new laptops or deploying a VPN client to quickly grant access to their internal systems. Brian was already engaged on a project with a different group to explore using the Enterprise Browser. When they learned about Island Private Access, the integrated ZTNA solution for private network access, they realized this was the perfect solution for solving the M&A onboarding challenge.

What happened next

The configuration of the Enterprise Browser with Island Private Access was quick and easy, and when they deployed Island to the staff at the acquired company, they loved it. Compared to alternatives like VPN or VDI, the Enterprise Browser is fast, intuitive, and easy to use. Employees got immediate access to all the applications and resources they needed to be productive, on day one. The CISO of the acquiring company was pleased with the visibility and device posture controls that Island offers — without requiring any additional agents like MDM or EPP on the device. This M&A onboarding project was a complete success, and accelerated the adoption of the Enterprise Browser across the whole company.

WWLW Ep. 17: The Case of Securing Unmanaged Devices

March 29, 2023
Adrian Cunningham

What we know  

Adrian is working with a company who’s working on an innovative approach to transportation. This company is focused heavily on research and development, with extremely valuable intellectual property (IP) that they need to secure.

What we learned

Like many organizations, this company has a mix of full-time employees and contract workers. As such, they can’t always count on having full device management in place for all their workers’ devices. When they found Island, the ability to deploy the Enterprise Browser on any device — managed or unmanaged — and establish controls around their data was a perfect fit for their needs. Leveraging Island’s dynamic device posture assessment, this company built policies that treat managed devices differently than unmanaged. For example, if a user on an unmanaged device launches the Slack app, they’re gracefully redirected to the Slack interface within the Enterprise Browser. On a managed device, they can use the standalone Slack app.

What happened next

While working with Adrian and building policies, this company identified a handful of internal applications that aren’t exposed to the Internet. When they learned about Island Private Access, they were delighted to discover how fast and easy it was to configure and enable remote access without a traditional VPN client. A project that they assumed would take hours was completed in minutes.

A new solution to the age-old challenge of web filtering

March 28, 2023
Scott Montgomery

Sometimes changing one thing changes everything.
This may sound pithy, but there’s a healthy dose of truth to it. Just ask any of the social media companies who had to completely reimagine their products to adapt to the smartphone era. (Yes, we had social media before the smartphone!) For that matter, ask Canon or Nikon how their DSLR business changed when smartphones put software-enhanced digital cameras in the pocket of billions of people.

The five most popular cameras by users in the Flickr photo-sharing community are all iPhones.

The web security industry is no different. To understand the opportunity of the moment, let’s first look back at where we started: 

First the earth cooled. Then the dinosaurs came. Then people determined that the Internet was a bit dangerous. 

What followed was a period of problem identification, solution, lawsuits, and legislation. Advocates of web filtering were concerned particularly about public libraries, which was where many people, school-age children included, had their only access to the internet. Was filtering limiting free speech? Was the ability to filter pornography from libraries to protect children a Constitutional issue? Lawsuits did ensue, and ultimately Congress stepped in, passing the landmark 2000 Children’s Internet Protection Act, or CIPA. At the time, the dominant browsers were Navigator from Netscape, and Microsoft’s Internet Explorer. Both were designed for consumers to access the bold new landscape of the World Wide Web. 

Around the same time, the market for personal web filtering formed with companies like NetNanny and CyberPatrol running locally on a user’s computer, trying to sort out whether the user was browsing to pornography or how to conduct a breast self-examination – with sometimes underwhelming results. Companies too weighed in as employees often used the higher bandwidth at work to look at content they couldn’t see as easily at home. Vendors for this side of the market included Websense and Secure Computing, selling URL filtering often bundled with caching tools or firewalls. 

In each case, the filtering technology continued to evolve and added tools like categorization, reputation, dynamic DNS searching, geo-location, and a host of additional features to try and keep up. As time marched on, both consumers and enterprise organizations began to insist upon encryption of browser-borne traffic, leading to the standardization of the use of SSL and ultimately TLS. The use cases that began with ecommerce purchases quickly evolved to begin encrypting PII and PHI in transit. Eventually web sites standardized on HTTPS as a best practice.

Web filtering had to catch up too, adding ‘break and inspect’ techniques – what amounts to an ‘authorized’ man-in-the-middle attack on encrypted web traffic. This allows the filter to determine whether the outbound request was acceptable by policy from the URL filtering standpoint and whether the reply data had malware or unacceptable content in it. As organizational data started to have a dollar value outside of the organization to cybercriminals and state-sponsored adversaries, it became necessary to break and inspect to determine whether valuable data was being inadvertently or maliciously leaked. A variety of network and cloud-based data loss prevention (DLP) suites were attached to or involved in the practice of web filtering.

Eventually, users and companies began to want to utilize software-as-a-service, storage, and a variety of other tools that were hosted in the cloud, requiring even more new categories for filtering and protections. Billions and billions of dollars are spent each year on increasingly complex host, network, and cloud security controls. Why?

Because the browser is still designed for consumers, on a personal device, connecting from a home network. None of these complex security operations are performed where they should be — the browser — where the encryption handshake between client and server occurs.

What tool should know whether or not the requested URL agrees with organizational policy? The browser.

What tool should determine if the reply data has malware or other harmful content? The browser.

What tool should identify whether an uploaded file is a violation of company policy because of the destination, data contents, or other characteristics? The browser.

What tool spans across all of the devices a user might have or want to use whether a laptop, tablet, or smartphone? The browser.

And yet, what consumer browser allows policies to be centrally managed to create and enforce these protections without spending millions of dollars on other tools that literally require a technique that we would otherwise classify as a malicious man-in-the-middle attack? None.

Which browser should you consider as part of your modern toolset to increase productivity, improve user experience, and reduce complexity without sacrificing security controls? 

Island. The Enterprise Browser. Sometimes changing one thing changes everything.

WWLW Ep. 16: The Case of the Safe Browsing Platform

March 22, 2023
Elad Leizerin

What we know  

Elad is working with an insurance company who wants to ensure their employees have a safe browsing environment. All organizations have a desire to protect their users from the myriad of threats that are troublingly common on the web today. For an insurance company — managing financial transactions and sensitive customer records — it’s imperative.

What we learned

When this customer connected with Elad and learned about Island, the Enterprise Browser, they immediately saw a solution to this challenge. The Enterprise Browser is a unique approach to safe browsing, by embedding critical security features within a familiar web browsing experience. This allows for more advanced controls to secure cookies and govern the browser extensions layer for sensitive company applications. The Enterprise Browser also offers browser isolation to defeat threats that exploit modern web technologies like the just-in-time (JIT) compiler. To ensure that their security posture is always up-to-date, Island also offers an automatic patching system that keeps the Enterprise Browser updated without relying on any third-party management tools.

What happened next

With Island, this customer offers their employees a safe and secure browsing experience without any disruption to their workflows. Every aspect of the browsing experience — from web content to downloads to extensions — is governed and secured in accordance with company policy.

Make the web browser an active player in getting work done

March 21, 2023
Tad Johnson

The browser is the most-used application for the vast majority of workers. Over decades of innovation, web applications and SaaS business models have flourished. It’s not just possible, but increasingly common, for employees at all levels to complete their daily tasks entirely within a browser.

Even so, the web browser itself is not dramatically different today than it was ten years ago. Sure, it’s faster and capable of rendering increasingly sophisticated web applications. It offers some conveniences like filling in your contact information on a web form or remembering your passwords. It can efficiently stream high-res video and audio. What’s missing is the parallel track of innovation to make the web browser as productive a business tool as the suite of SaaS tools that we use every day.

This is the gap that motivated Island to create the Enterprise Browser.

Now, employees around the world start their workday with a browser that is intentionally designed to help them be productive. It starts with a company-branded launch page that is tailored with all the tools they need — personalized based on their particular role, location, or group. Since it’s integrated with their workplace identity using single sign-on, every tool and application is immediately accessible. This is especially valuable for onboarding new employees who can get to work immediately, without the need to build a personal collection of bookmarks. For organizations completing a merger or acquisition, the ability to instantly enable access to groups of employees is particularly useful. The same benefit extends to the IT teams who are introducing a new SaaS tool or replacing a legacy app. With a single configuration change, the new tool is immediately available to everyone who needs it.

Many workers will find a need to use multiple devices throughout a typical week. Shift workers in health care or manufacturing, for example, or the office-based employee who periodically logs in from their home computer to complete a task. With the Enterprise Browser, everything you need to get work done follows you to each device and synchronizes using the Island Cloud. Administrators can configure the sync experience to fit the business needs, and define how user sessions are handled. This capability can save the day when a laptop is lost or left behind, allowing an employee to regain productivity with a replacement in minutes.

Frontline employees like sales reps, customer support, or call center agents can speed up common tasks using the smart clipboard manager that’s integrated into the Enterprise Browser. Common responses for customer queries are automatically loaded into the smart clipboard to make chat or email responses quick and efficient. And since these smart clips are managed through the Island Management Console, managers can make updates that are instantly cascaded to each employee so everyone is always sharing the right information. In addition to Smart Clips, the Island clipboard remembers the last 50 elements that are copied to eliminate the need to “pogo-stick” between pages when transferring several pieces of information. These timesaving conveniences quickly add up for anyone who touches dozens or hundreds of records in a day.

A side-effect of the rapid innovation in web technologies is that many organizations end up with one or more legacy applications that are critical for some important function yet impractical to update and maintain. CIOs are left with two choices: either implement a costly migration project or live with the legacy app and all its shortcomings. The Enterprise Browser includes robotic process automation (RPA) that can modify the user interface of any web app to add multi-factor authentication, hide obsolete fields, or disable certain actions. These modifications can be applied for select users, groups, or across the board to fit the business need. And it’s not limited to legacy apps, as the same RPA technology applies to any web app, such as a SaaS app that would normally be impossible to modify directly. By tailoring apps to fit the exact business workflow, user productivity goes up and human errors go down.

Offering these productivity enhancements to your employees is a great first step at creating the ideal employee working environment. To take it further, Island recently introduced a Digital Employee Experience dashboard with granular metrics around application usage and performance. With this expansive dataset, IT administrators can identify issues with certain networks, devices, or applications and take remediation action — without waiting for users to complain. By simply deploying the Island Enterprise Browser within your organization, you can make a meaningful difference with the day-to-day employee experience while collecting all the metrics to help you make informed, proactive decisions.

The Island Enterprise Browser makes a familiar, frictionless workspace that’s the ideal employee experience for getting work done.

WWLW Ep. 15: The Case of The Safer, Smoother VDI & DaaS Experience

March 8, 2023
Jason Trunk

What we know  

Jason is working with a global financial institution with a large VDI deployment. Virtual Desktop Infrastructure (VDI) and Desktop as a Service (DaaS) rapidly grew in popularity as more workers left the traditional office environment. The IT team likes the control and manageability of virtual desktops, but has also discovered that the end-user experience can be dreadful, particularly for their global employees on limited bandwidth connections. When this customer learned about Island, they saw an opportunity to improve the virtual desktop experience across the board.

What we learned

This customer had two different challenges with their virtual desktop environment:

First, they found that many of their users logged on to the virtual desktop every day and primarily used just one application: the web browser! The added round-trip network path for every web request meant their browsing experience was degraded. It’s also a significant expense to the company, paying for the bandwidth, VDI or DaaS platforms, plus the administrative staff to manage it.

The other challenge was around data security and application access. Employees need secure access to protected applications that handle financial and customer data. Their VDI environment was configured to connect to their private network, but they wanted more granularity and easier auditing of user activity. Ideally, their employees would only connect to their private network when interacting with protected applications, rather than the always-on connection within the virtual desktop.

What happened next

Jason helped this customer to deploy Island, the Enterprise Browser, to satisfy both requirements. For the users whose work is primarily through SaaS and web applications, Island offers a faster and more efficient connection path. They can launch the Enterprise Browser from their desktop directly, without the added overhead of virtualization. Island protects all their browsing activity and grants access to all their web applications, even those on the protected network via Island Private Access.

Island was also installed as an application within the virtual desktop environment. Now the users who require non-web applications can use those within their virtual desktop and launch the Enterprise Browser for web access. The Security team gains valuable logging and analytics about all web activity and can ensure a safe browsing experience for all of their users.

Internet Explorer End of Life is Here

March 8, 2023
Tad Johnson

Microsoft’s Internet Explorer (IE) debuted three decades ago and introduced millions of users to the (then) relatively new wonders of the world wide web. IE was so wildly successful in the 1990s and early 2000s that it was commonplace to write web applications based on its proprietary rendering engine. Twenty years later, many of those web applications are still in use — but Internet Explorer has reached its end of life. IT Leaders are faced with the challenge of navigating the transition to modern web applications without disrupting the business or leaving users exposed with unsupported, deprecated technology. Island stands ready to help.

The transition away from IE is a long time coming and Microsoft has gone to heroic lengths to minimize the impact to their customers. In 2015, Microsoft launched Edge, the successor to IE, and recommended that customers begin planning their migrations. In 2019, Microsoft Chief of Security Chris Jackson recommended that customers stop using IE as their default browser. In 2020, Edge adopted the Chromium engine, greatly improving compatibility with virtually all modern web applications that are built and optimized for Chromium. Last year the IE desktop application ended support for most versions of Windows and this year all remaining IE applications will be disabled with an update for Windows 10. The end of the IE era is here.

Today, web applications play a critical role in virtually every enterprise. The evolution of SaaS and web technology makes the web browser a mission-critical application. What started as a mostly passive browsing experience in the 1990s is now an active application platform with nearly limitless potential. This insight is what inspired Island to create the Enterprise Browser: a web browser that’s built for today’s enterprise workflows, and includes the security, productivity, and IT management tools that businesses need.

To assist customers in making the transition away from Internet Explorer, Island offers IE Legacy Mode, based on the same technology used in Edge (Microsoft is committed to including legacy mode through at least 2029). To support the widest possible range of applications, Island Legacy Mode can be configured for IE5 through IE11, along with supporting legacy dependencies like ActiveX or Silverlight. But Island goes much further than simple compatibility. Choosing the Enterprise Browser gives you complete control and visibility to every web application and browsing activity — without making any changes to the underlying web or SaaS apps you’re using. The Enterprise Browser is secure by design, insulating users and critical application data from whole categories of web-based threats or malicious attackers. It can create secure network connections to legacy apps served from behind your firewall, without a VPN client. It’s also smart: you can build in business logic to modify the behavior of web applications without ever touching a line of code. Island’s integrated robotic process automation (RPA) can add multi-factor authentication, remove a deprecated button, mask sensitive data, and more. And importantly, the Enterprise Browser is backed by a dedicated team of web technology experts who can help guide you through the IE transition and build a future-proof web application strategy.

Internet Explorer is going away. Legacy applications must be addressed. This is the ideal moment to take a fresh look at the web browser and discover how the Enterprise Browser delivers a dramatic, positive impact on every layer of cybersecurity and all other functions of IT, all while improving the end user experience. When you’re ready, let's talk.

Island named one of the most innovative companies of the year

March 6, 2023
Ari Yablok

Island was just named one of the most innovative companies of 2023 by Fast Company. It’s a real honor to be recognized for the breakthrough tech we’re creating and delivering to our customers. A moment we’re incredibly proud of and want to share with the world.

But I was working on a million different things when we found out and I didn’t have time to write a whole blog article about it.

So I didn’t. I had Island GPT Assistant do it for me.

It was my first time using Island GPT Assistant inside my regular workflow to accomplish a task I’d normally do on my own. And I must say – it did a pretty good job.

Here’s the article it wrote for me about how innovative Island is, so I can continue… innovating. Congrats Island!

It's official: Island, The Enterprise Browser, was just named one of the most innovative companies of 2023 by Fast Company, and we couldn't be more proud.

The list recognizes companies that have launched groundbreaking ideas that have the potential to revolutionize their respective industries. Each year, Fast Company editors and writers select the most remarkable businesses across 36 categories, including health, finance, government and artificial intelligence.

We at Island have worked hard to create a browser that helps businesses remain secure while providing their employees with the necessary tools they need to excel in the modern workplace. Now, to see that effort - and our groundbreaking browser - receive national recognition, is beyond validating.

But how did Island gain this recognition? What exactly makes Island innovative?

Is it the fact that it’s so different from all other security and IT solutions on the market?

Or the many capabilities it makes possible for organizations?

Or how excited both security administrators and end-users are about using it?

Or the game-changing impact it’s having on enterprise work?

We’d like to think the answer is all of the above.

But don’t take our word for it. Our customers themselves can tell you everything you need to know about Island’s innovative strength.

“It really is a game changer.” – Frank Gulotti, Head of IT Infrastructure, Bloomreach

“It just checked so many boxes of what we were missing.” – Tim Ringley, VP and CISO, The Bank of Marion

“We can do things we didn’t think we could do” – Bob Schuetter, CISO, Ashland

“It’s just such a different approach.” – Brandon Shafer, Director of IT, Mattress Firm

“My mind went wandering in a million different directions.” – Emily Heath, Former CTSO, Docusign. Former CISO, United Airlines

“It’s going to change the industry.” – Gai Hanochi, VP Business Technologies, Fiverr

Island, The Enterprise Browser, has earned its place as one of the most innovative companies of 2023 based on its commitment to providing secure and productive web browsing experiences to businesses and their employees. We are honored to have received this recognition and will continue to strive to exceed the expectations of our amazing customers.

WWLW Ep. 14: The Case of the Exposed Gift Card Codes

March 1, 2023
Paul Murgatroyd

What we know  

Paul is working with a global eGift Card Retailer who’s faced with a unique challenge around their customer service reps. When assisting customers with purchasing or redeeming gift cards, the customer service team naturally has to handle personal & financial data, as well as gift card codes themselves. Those codes, which customers may share with customer service reps, can be redeemed by anyone, so it’s in their best interest to tightly control the visibility of these codes.

What we learned

All customer service interactions are done through a SaaS platform and handled by a distributed support team. The customer learned about Island and was intrigued by the ability to protect and conceal data like gift card codes when working in the Enterprise Browser. As this company grows their operations, they also need the flexibility to quickly expand the customer service team and onboard new staff. Island offers the ideal platform to provision new users and protect the sensitive data that they work with every day.

What happened next

While each code is unique, they follow a consistent pattern so it’s easy to identify when a code is included in a support request ticket. Paul helped this customer configure Island’s Robotic Process Automation (RPA) capability to detect and mask gift card codes — wherever they appear within the Enterprise Browser. Importantly, this capability is done entirely within the browser and does not require any changes to the underlying SaaS applications. Certain users (like the escalations team) have the option to un-mask codes when required. These events are logged and easily audited through the Island Management Console. The combination of effortless onboarding, automatic data protections, and dynamic policy controls made Island the ideal choice.

Introducing Island GPT Assistant

January 26, 2023
Dan Amiga

Since it was announced several weeks ago, ChatGPT has captured the imaginations of nearly everyone using the internet.

Island’s mission is to make work extremely efficient, completely secure and profoundly simple. Which got us thinking. What if ChatGPT was built into the browser to dramatically change things at work? It’s already shown its effectiveness when given one-off tasks. But what if it was readily available from within the browser itself – helping us out with our daily work?

Today, we’re raising the curtain on the industry’s first integration of ChatGPT into a browser, with Island GPT Assistant for the Island Enterprise Browser. The Island Enterprise Browser gives organizations complete control, visibility, and governance over everything that happens in the browser, while users get the smooth, Chromium-based browsing experience they know and love.

Island GPT Assistant is the industry’s first integration of ChatGPT’s technology into a browser, and goes beyond simply placing generative AI inside the browser – it provides deep contextual awareness, so you receive prompts that are informed by your behavior and relevant to what you’re working on, as you work on it.

If you’re not familiar – ChatGPT is the generative AI chat assistant launched by OpenAI in November, 2022. Since then, it’s become a global cultural phenomenon for its advanced ability to actually “talk” to us humans, responding to our detailed queries with complex, thoughtful, human-like answers. It’s the latest in conversational intelligence technology, and in the short period since its debut, millions of people across all walks of life have experimented with it to draft term papers, write poetry, compose music, do research and lots more.

We designed The Enterprise Browser to dramatically simplify everything that goes into securing and enabling work. For organizations, this means unprecedented control, visibility, and governance over all work activity from within the browser itself. But what could it mean for end users? Making everyday tasks simpler using generative AI seemed like a perfect fit.  

We’re only starting to understand all the possibilities, but one thing is clear - workflows everywhere are about to get a lot simpler. How exactly? Let’s take a look.

The ultimate assistant

What might a work day look like with the Island GPT Assistant by your side?

Imagine getting a lengthy email from a colleague. It’s filled with specific info you need to relay to your manager in a clear and simple way.

But instead of searching the whole message for the important parts yourself, you right click, and ask Island GPT Assistant to summarize it for you. Then you ask for a bullet point list of the main points that you can easily send over to your boss.

But it goes much further.

  • Software developers can ask Island GPT to check their newly written code for bugs, right on the page.
  • Salespeople can find the perfect title for their cold outreach email as they’re writing it.
  • Customer service agents can keep customers happy by quickly generating responses to their questions.
  • Marketers can research their competitors as they prepare their upcoming campaign.
  • Product managers can find user-friendly names for products and features they’re building.

What’s ahead

And this is just the beginning. We’re developing some more advanced features that will redefine what’s possible with AI at work. In the future, Island GPT Assistant can learn your organization’s documentation, giving your internal teams, external contractors, partners and BPOs alike the ability to research and understand every aspect of the product or service they are working on. It can learn the ways your people work and make suggestions for more productive workflows. It might be the ultimate assistant helping to optimize your own work. And it can also be the ultimate onboarding tool - providing a hyper-personalized, comprehensive experience for every new employee or contractor.

And on the admin side of things, organizations will be able to control how their end users interact with Island GPT Assistant, choosing which groups have access, and fine-tuning the experience down to the department or use case.

To us, Island GPT Assistant is a testament to what’s possible when you reimagine the browser for the enterprise. It’s an environment that is not just fundamentally secure for organizations, but one that can continuously provide ways for users to work better, faster, and simpler.

And yes, this article was written with the help of The Island GPT Assistant :).

Author, Dan Amiga

Co-founder and CTO

From Newcomer to Innovator in 90 days: The Island Onboarding Experience

December 13, 2022
Adi Reis
Alon Biran

When your goal is to reach a very specific target that’s very far away, trajectory is everything. The slightest turn and you may miss the mark entirely.

This is why we at Island have been obsessed with onboarding since day zero. Set the precise trajectory for each engineer, and they’ll be perfectly positioned to build amazing things for months and years to come. But what does that onboarding experience look like? And how do we build an easily scalable process for the huge amount of talent showing up? And what if these aren’t entry-level developers, but first-class engineers, team leaders, superstars, ex-founders, top engineers in their former company? What kind of process will prepare them to work at the highest level as soon as possible?

This made our challenge especially difficult.

The most talented people are usually already happy where they are. Companies invest in retaining them, both by compensating them well, and challenging them to do meaningful work. We needed to convince them to take a big step out of their comfort zones and enter the unknown. And even after they do make the move to a new company, it can be months before they learn the new role, product, and team, and begin making the impact they were used to making in their previous role.

This pushed us to think up the ideal onboarding plan.

One that will help new team members get comfortable with new tech, a new codebase, and new team dynamics. One that empowers all types of engineers to learn and develop at their own pace, inside their specific domain, and within their own areas of interest. And most importantly - one that continuously offers opportunities to do cutting-edge, innovative work.

I was so impressed by how early the company started investing in training. All onboarding materials were perfectly organized. I’m 90 days in, and the challenges are only getting bigger and more exciting - and I don't see it slowing down any time soon.

- Adi K., Software Tech Lead

And like our development cycle, we’re continuously investing in our onboarding. Testing it. Adjusting it. Doing frequent retrospectives on it. So we know it continues to serve our people and our business in the best way possible.

But enough talking - let’s dive into it. Here is the experience our engineers encounter in the first 90 days at Island.

First, meet your buddy

Before you start, we assign you a “buddy”. Your buddy is your go-to mentor. The one who will help you in the coming months with everything you need, from learning the company culture and mission, to all the technical stuff like product architecture and code reviews, as well as the day-to-day activities like lunch, operations and administration.

Your buddy will also introduce you to some new groups of fellow engineers to expand your personal and professional network beyond the friends you already have inside the company.

A few days before you start, your new group lead will reach out to tell you who your chosen buddy is, how your first days and weeks will look, and some of the basics like when to show up on day one. He/she will also tell you a bit about which “Island” (a.k.a. team) you’re joining. This is to help the newcomer feel welcome, get acquainted with things before walking through the door, and know how excited we are for them to join.

Day One

You’re finally here! We’ve been waiting for you! So what does your first day look like?

You’ll arrive a little bit early to meet a few people in the dining area to get those first few awkward introductions out of the way. And of course, coffee and breakfast :).

Your workspace will already be set up with your new computer and some swag waiting at your desk.

You’ll start the day getting to know your direct manager. Your manager will talk a little bit about how the business is doing, where we are as a company, what your Island will focus on, and some other general points. He/she will also discuss your goals, targets and milestones as an Islander. You’ll also have your first daily stand-up meeting with your island. There, you’ll get to meet all of your new teammates.

Next comes your first meeting with your buddy. He/she will share your onboarding plan and show you our detailed onboarding guide. He/she will also advise you on what to focus on based on your previous skills and experience.

I'm not just learning what to code. I'm understanding how we present the product to potential customers, how we respond to their needs, and what our role is as engineers in getting a customer to choose us.

- Eran A., Software Engineer

Remember - take your time. Ask even the most basic questions. Learn about the areas of your work you’re not yet familiar with. Don’t hop on the train until you’re ready - because once you do, the train won’t stop moving. Fast. So enjoy the peace and quiet while you can :)

In addition to that, you will also meet our Engineering & Product leadership. They'll share some aspects of Island that are core to what we do – like our agile methodology, end-to-end ownership, and putting the customer first as well as where we are from a business perspective and what our high level company goals are.

Week One - The Organization & Business

Your first week will include many face-to-face introductions, where you’ll learn about Island’s different departments and stakeholders (product, design, HR, engineering and many many more!). You’ll also watch some great recorded presentations on business goals, product introduction, the Island brand and company architecture.

You’ll start reading up on our technology, get familiar with our development process and learn about our tech stack.

You like headphones? Perfect - you’ll be spending most of this week wearing them ;).

Day 30 - Technical Deep Dive

By now, you’ve gotten your hands dirty, learned the technology stack, and had an exercise or two reviewed by your buddy and some fellow engineers.

You completed a few automation tasks, know your way around the architecture, and can run the product end to end.

You even did some field-impacting tasks from a backlog of small tasks we always have.

Congratulations – you’ve officially completed your first milestone as an Islander. (There’s a beer in the fridge with your name on it - go celebrate :)

I'm three months in and already completing tasks like everyone else on my team. And yet, I'm still learning and developing each day as if I just started.
- Noa D., Software Engineer

Day 90 - Crossing The Entire Stack

Now, it’s time to become an expert. After completing the initial milestones of your onboarding, we know what your sweet spot is and where you can strengthen your knowledge and skills in order to become an Island engineer.  

Your manager will now assign tasks from different areas across the architecture to ensure that you get real comfortable with the product’s entire technology stack. The ultimate goal? To give you a deep understanding of our coding standards, how to write code for each component, what the right CI and automation is for each, how to deploy gradually and safely, and how to monitor and track all your deployments and features. Soon, you’ll be ready to do your first demo in front of the entire team (that’s a big deal around here), where you’ll explain how you built your feature, why you made it that way, and its business impact on the company as a whole.

You will also gain visibility into the different deployments and customer engagements so that you know what’s going on with our customers. At Island, we keep our customer engagements very visible to everyone and promote engaging with the field, keeping the engineering team very close to our go-to-market team and the product itself. We believe this will give engineers a broader perspective on the development process and on customers' needs. And ultimately, it will lead to better products and greater innovation.

From Engineer to Company Builder

Ok - so you’ve seen it all. How we plan, build, and ship products at the highest possible standard. What’s next? Time to explore. With an enormous platform and architecture, we rely on our engineers to actively seek out new business cases, investigate new technologies, and innovate on our product continuously. And by doing so, your job never stays the same. You and the environment around you will constantly evolve, expand, and accelerate. New challenges will arise, and with them, new opportunities will emerge. And in a short while, you’ll find yourself leading an entire Island of your own (more on our ‘Islands of Innovation’ model here). Building standalone products, competing against large companies’ core business, onboarding new engineers of your own, and overseeing all aspects of your team’s success.

It’ll be like operating your own startup within a startup.

If you’re an ambitious engineer, you’re an entrepreneur at heart. And here, you’re purposely positioned to naturally evolve into one. Which means the ‘ceiling’ that engineers often hit at startups - when work begins to feel stale, routine, unsatisfying - that doesn’t exist at Island. By design.

So roll up your sleeves. Hop on the train. And start building something special.

WWLW Ep. 13: The Case of Helping the Help Center

December 7, 2022
Elad Leizerin

What we know

Elad is working with a customer who provides a global B2C platform with millions of customers. They manage several distributed help centers around the world to support all constituents on the platform. The help center staff will naturally interact with PII, financial, and other sensitive company data during the course of their work. They need a platform that meets their security needs and offers the speed and dexterity their staff require.

What we learned

The help center staff need to use a variety of applications throughout their workday. Some are SaaS apps, others are internal applications hosted in a private network. Elad and the Island team helped this customer to configure Island Private Access to create a secure zero trust connection to their private applications. The end-users were delighted by the speed and simplicity of the Island browser. Every application they need is available on their customized home screen, and the Island Private Access connection is completely transparent.  

What happened next

By deploying Island, the Enterprise Browser for their help centers, this customer found their staff were more efficient and productive. This led to a faster response time for customers, improved employee satisfaction, and ultimately improved the company’s bottom line. The security requirements were easily achieved without any user hindrance, and the Island Private Access solution made private application access effortless.

WWLW Ep. 12: The Case of the Clean Desk Policy

November 16, 2022
Adam Thompson

What we know

Adam is working with a customer in the Business Process Outsourcing (BPO) industry who wanted to explore a new endpoint technology strategy. They have a large, distributed workforce who need to efficiently pivot between customer accounts. Most of their work involves sensitive business records so robust information security is essential. They weren’t happy with the traditional options like desktop virtualization so they sought out Island for a new approach.

What we learned

This customer reported the same thing that we hear from many customers with a distributed workforce: the user experience for desktop virtualization can be really painful. When you combine long distance backhauls to the VDI infrastructure and highly variable local bandwidth, desktop virtualization slows to a crawl. If you’ve ever been on the phone with a customer support representative who asked you to wait while their system responded, you’ve likely been at the receiving end of a poor virtualization experience.

What happened next

Rolling out Island, the Enterprise Browser, immediately improved the user experience for BPO staff. Now they access web applications directly with the browser running on their local machine, with no added lag for virtualization. Beyond that, this organization found Island offered the ideal platform to communicate and enforce their “clean desktop policy” for all employees. Island offers the last-mile controls to define data boundaries within critical applications, along with user-facing messaging and advanced logging. All together, this solution is helping this BPO to deliver exceptional customer service and create a great working environment for their employees.

Meet the security and IT executives who are rethinking enterprise work

November 10, 2022
Ari Yablok

Some ideas are so powerfully simple, they aren’t embraced at first. They need some time to sink in.

Consider the story of the Universal Product Code, a.k.a. the UPC – that small black and white rectangle, scanned billions of times a day for nearly every product transaction worldwide. When the barcode was first introduced in the early 1970s, businesses struggled to envision themselves adopting it in their stores. True, the existing manual checkout process was complex, labor-intensive, and full of errors. But an automated system seemed too… different. Too good to be true. And to the industry that would come to rely on it most — supermarkets — the technology was nearly overlooked.

Then, some customers started using it. All kinds of customers. And all at once, the massive potential of the barcode became obvious. Mass-merchandisers like Kmart began using them to automate their checkout process. Automotive and railroad companies like GM scanned them to track car parts and identify train locations. Even the U.S. government used them to standardize vendor transactions. Suddenly, that little box wasn’t just about buying groceries. It was about revolutionizing entire industries.

It took some time, but we all know what happened next. Supermarkets, along with nearly every product-driven industry on earth, adopted the barcode as a foundation of their business. All they needed were those initial customers to tell their story. To help them see it.

The Enterprise Browser began as a powerfully simple idea. We already use a browser for work. What if we built the core IT, security, and productivity needs of the enterprise right into it? What could something like that do for the enterprise?

We thought we had the answers. But like the barcode, there was some hesitation at first around a browser becoming the foundation of an organization’s IT and security infrastructure.

“What does a browser have to do with security?”

“Why do I need another browser?”

“You’re asking me to pay for a browser?”

Yet, also like the barcode, it was our customers who ultimately made The Enterprise Browser’s potential obvious. Once it was in their hands, they understood just how impactful it can be. Not just on their particular business, but on entire industries.

“It just checked off so many boxes of what we were trying to accomplish.”

“It’s amazing the control and visibility you get in an instant.”

“It’s as simple as installing a browser.”

“How is it that nobody thought of this before?”

It took some time, but it sank in. And the idea of an enterprise browser is now taking off faster than we ever imagined. We’ve heard story after story of the impact this powerfully simple idea is having on all kinds of organizations – from banks to retailers to chemical manufacturers. How it’s keeping data completely secure, yet making work more enjoyable for end users. How deploying it is as simple as installing a browser. How tracking down security incidents takes minutes instead of hours. How this one change has the potential to change everything.

We invite you to experience these customer stories for yourself. Maybe one will speak directly to you and your needs. Maybe you’ll find The Enterprise Browser checks off some or all of your boxes. And maybe a new story or two of your own will emerge – just don’t forget to take some time to let it sink in.

WWLW Ep. 11: The case of browser consolidation

November 9, 2022
Davie Park

What we know

Davie is working with a government agency who wanted to simplify their application stack and reduce the complexity of security patching. Like most organizations, the bulk of their workforce used a web browser as their primary productivity tool. Over time, the organization ended up supporting several browsers, each with their own patch frequency and update method. It was time for a change.

What we learned

This agency wanted to simplify their operations and ensure that every employee had a fully patched browser to use for their work. They knew some of their legacy applications would be a challenge, as they relied on the discontinued Internet Explorer browser. Thankfully, Davie and the Island team offered a solution.

What happened next

Island, the Enterprise Browser, is now the default browser for all employees. With one browser to support and automatic patching, their IT operations are simplified. Legacy apps that require Internet Explorer make use of the integrated IE Legacy mode within Island, so users never have to switch browsers. Because Island is built on the Chromium foundation, it’s fully compatible with their existing web applications and the user experience is flawless. Now this agency can focus their efforts on their public service mission and not worry about supporting and patching browsers.

WWLW Ep. 10: The case of the automated onboarding

November 2, 2022
Matt Smith

What we know

Matt is working with one of Europe’s largest insurance companies. This organization has a challenge with onboarding and offboarding insurance agents. As is common in the industry, agents may join and leave the firm within the span of months. This degree of turnover makes onboarding efficiency critical. Add to that the sensitive nature of the customer and financial records that agents work with every day and the challenge is compounded.  

What we learned

This organization had tried several solutions to their onboarding challenge, including physically shipping laptops all around the continent or using a virtualized desktop solution. Everything they had tried came with a serious drawback — it was too slow, too expensive, or both. This pushed the team to expand their search further and connect with Matt and the Island team. From the first meeting with a hands-on demo, they knew that the Enterprise Browser was the right solution.

What happened next

Using Island, the Enterprise Browser, allowed the firm to reimagine their agent onboarding process. Now, instead of configuring and shipping laptops or going through a complex virtual desktop setup, new agents simply download Island on whatever computer they prefer to use and log in with their credentials. They can immediately access all the applications they need to complete their work. All the sensitive customer and financial data is protected within the Enterprise Browser and can’t leak out. When an agent leaves, the offboarding process is done in seconds by deactivating their account. The agents like the new process, the IT support team massively improved their efficiency, and the Security team knows that all sensitive data is protected.

Do you really know what’s going on inside your SaaS apps?

November 1, 2022
Tad Johnson

The trends in modern workplace technology have made visibility more challenging than ever before. With work shifting to the browser via SaaS and web apps, organizations struggle to see what’s actually happening in their own workplace. Like cheap concert tickets, there’s always some sort of obstruction getting in the way, making the crystal clear picture impossible to see.

Island’s Enterprise Browser is the backstage pass organizations have been waiting for. It delivers a whole new level of visibility with high-fidelity logging for web applications. By using a browser built for the enterprise, customers gain an unobstructed view of all applications, devices, and users in their natural environment. Security events are immediately visible, making incident response and investigation a matter of minutes instead of hours or days.

Why the browser?

The browser holds a unique position in the tech stack: it’s the natural point of termination for encryption; it’s the application that users interact with most; it sees and knows all actions taking place within a given web application. In essence, the browser is the operating system for web applications. But until now, organizations have not had visibility into this critical layer.

Giving you that insight is at the core of what the Enterprise Browser delivers to organizations. It solves a growing pain point for companies managing the combination of SaaS applications and a distributed hybrid workforce. Network-based tools lose visibility when users and applications move off the corporate network. Endpoint protection agents lack the dexterity to capture what’s happening inside SaaS applications. When employees work from home and connect to SaaS applications, the browser becomes the critical point for instrumenting activity logging.

Getting started with Island is remarkably easy. Island can be installed on any type of device, desktop or mobile, managed or unmanaged, even BYOD. The Enterprise Browser is built on Chromium, same as Chrome and Edge, so web application compatibility is 100% and the user experience is immediately familiar.

Visibility that’s crucial for both IT and Security

IT and Security teams depend on visibility across the enterprise. IT teams need to understand which applications are actually being used, shedding light on the “shadow IT” problem. Security teams need to understand where critical data travels as well as the context of how it gets there. Incident response teams must identify the depth and breadth of the impact of a malicious action — fast. Yet many of the trends in workplace technology make visibility into all this incredibly challenging: modern encryption standards, distributed hybrid workplaces, and SaaS evolution to name a few. Legacy solutions like network monitoring or endpoint agents are unlikely to give the degree of visibility you need.

Consider the challenge of encrypted network traffic. As outlined above, we should embrace strong encryption and avoid unnecessary encryption tampering. Yet, we’re often forced to do so just to gain visibility into end user behavior.

Instead of attempting to break and inspect encrypted traffic, the Enterprise Browser provides a point of inspection before that traffic is encrypted in the first place. This means that the browser can report rich details about the web activity, paired with contextual details like the user identity and device details. All of this information is collected by the Island Management Console, where it can be viewed directly or sent to the SIEM platform of your choice.

By instrumenting the browser for visibility, the Enterprise Browser is remarkably flexible, easily accommodating every permutation of device type, network topology, and user location. The experience for a freelance employee working on a personal laptop from their home office is no different than an employee working in the office on a fully managed desktop. And for the IT Operations staff, onboarding and enabling employees, contractors, and other third parties is dramatically simplified. Regardless of how a user connects, the Enterprise Browser offers full visibility and activity logging for all web-based activity.

Transparency that’s crucial to end users

The visibility goes both ways, with privacy indicators displayed within the browser itself. This helps to mitigate concerns about user privacy by making it clear to users when sensitive activity is logged and when casual browsing is not. To take it one step further, a BYOD user can simply close the Enterprise Browser and use their consumer browser for personal use. This deployment model makes for a simple segmentation strategy to keep work and personal browsing distinct.

Fine-tuned visibility - log what matters

Island offers a high degree of granularity when it comes to choosing what browser activity to log. Because the browser has full context of the user, device, and destination or app, administrators can define very precise policies to capture only what’s important. For example, a user with elevated privileges for AWS Console will have their activity within AWS closely monitored — including individual screenshots with click-location indicators to show exactly what actions they took inside the console. That same user might later browse AWS documentation, where the page URL is logged but no screenshots are necessary. Finally, if that user visits their personal banking website, their browsing activity is fully anonymized. With this granularity, the Security and IT staff get the rich detail they need, without needlessly collecting unimportant activity.

A new chapter for enterprise visibility

As work moves to web applications and SaaS providers, the web browser is the logical headquarters for security controls, access management, and visibility. Island, the Enterprise Browser, is built to solve the visibility challenges presented by modern web applications and a dynamic, hybrid workforce. Finally, that crystal clear picture is right before our eyes.

WWLW Ep. 9: The case of visibility for BPO staff

October 26, 2022
Glenn Medina

What we know

Glenn is working with a fast-growing FinTech company that offers app-based retail banking and payment services. This company works with several business process outsourcing (BPO) companies to fulfill various aspects of customer service and support functions. By its nature, this means that employees of the BPOs need access to customer records and other operational systems. With sensitive information crossing organizational lines, robust security and full visibility are critical.

What we learned

Before working with Glenn, this organization was using virtual desktop environments to extend access. As is often the case, the virtualization setup gave end-users a subpar experience and it didn’t do much to solve their visibility challenge.

What happened next

With Island, this company was able to rethink how they work with BPOs and extend access to the BPO employees. Instead of a complex virtualization platform that inherently adds latency to the user, the Enterprise Browser offers secure access and frictionless performance. Now the financial organization has the visibility they need, along with robust security controls to safely offer access to critical information.

WWLW Ep. 8: The case of the simple security stack

October 19, 2022
Will Reischmann

What we know

Will is working with a tech-forward insurance company that’s bringing fresh ideas to an established industry. As a startup company, they’re building out the core systems that they need to run the business and preparing to scale as they grow. Information security is critical, as they’re handling sensitive information including PII and financial records. 

What we learned 

This organization chose Okta as their identity provider and needed to find tools for data security and compliance controls. As they worked with Will and learned more about the Island Enterprise Browser, they discovered that they could check off a number of boxes with just those two products. And with built-in integration for Island + Okta, proving out the solution was a snap. 

What happened next 

With Island, the company found a solution that could solve their security concerns while providing a refreshingly simple user experience. Now they’re well equipped to grow as a business, onboard new employees, and take on more customers. We expect to see many more companies embrace the simplicity of a cloud-first approach and use Island to secure and govern access. 

WWLW Ep. 7: The case of the happy call center users

October 12, 2022
Dean Carey

What we know

Dean Carey is working with a customer in the financial asset management industry. Information security is critical to safeguard their assets and customer data, and this company is very thoughtful about how security tools can impact their end-users.

What we learned 

When Dean showed them the Island Enterprise Browser, they saw a natural fit for implementing strong security controls in a way that enhances the user experience, rather than adding friction. Their first area of focus was building a home screen experience for their users with all the apps and resources at the ready and displayed with familiar branding. From there, they configured a number of browser extensions to automatically load without user intervention. When they showed it to the teams responsible for their call center, the reaction was immediately positive. 

What happened next 

The call center employees picked up on the convenience and productivity gains right away and gladly switched to the Island Enterprise Browser. This was a huge win for the security team, as they could deliver end-user benefits alongside their security controls. Word traveled quickly within the company, and now more departments are rolling out the Enterprise Browser with enhancements that align to their specific business workflows. 

WWLW Ep. 6: The case of the unmanageable privileged access

October 5, 2022
Jason Trunk

What we know 

Jason Trunk is working with a global airline that wants to solve an IT operations challenge. They have about 1,200 IT staff who need occasional access to the administration credentials for critical IT systems. As an airline, 24x7 operations are mission critical, so they have robust governance rules to prevent any accidental or malicious misuse.

What we learned 

The airline was using a privileged access management platform called CyberArk to store and retrieve credentials. Good governance of these credentials is essential and IT staff need to retrieve the right credentials as part of their operations workflow. Working with Jason, they made the Island Enterprise Browser the only way to access CyberArk and improve both usability and governance for IT operations. 

What happened next 

First, they improved the user experience by selectively hiding or showing the credentials within CyberArk based on the particular user’s role or group. Now, when an IT operator logs in through Island, they see a condensed list of only the credentials they need. Next, the airline improved IT operations governance by enforcing business rules within the browser. For example, when IT staff log in to the Azure portal and create a virtual server, they are only allowed to choose the options that fit the airline’s IT policies. They also have increased visibility for all IT operations, so an auditor can easily trace a change through the full cycle.

WWLW Ep. 5: The case of the 45-day onboarding delay

September 28, 2022
Matt Pour

What we know

Matt Pour is working with a global eCommerce platform company with employees and contractors around the world. One of their big challenges that was especially painful in the last few years is onboarding contractors. With tight supply chains on laptops and logistics challenges for global shipping, this company found that it took an average of 45 days to equip a new contractor with the tools they needed to be productive. 

What we learned

The IT team took a fresh look at this challenge and searched for a new way to solve the problem. The vast majority of software their contractors used was SaaS, so there was nothing to install on the laptop. They needed access controls and visibility, so they couldn’t just throw the doors open and use unmanaged devices. Instead, they found the ideal solution with the Island Enterprise Browser: a contractor can download and install the browser on their own laptop and it gives the IT team all the visibility and access controls they desire. 

What happened next 

Working with Matt, this company rolled out the Island solution in a matter of days. The proof point was how they could shrink the contractor onboarding process. The task of getting a contractor onboard and productive shrank from 45 days to under an hour. That kind of time savings makes a meaningful impact on overall productivity and will help fuel continued innovation and success for this eCommerce leader. 

A Closer Look at MFA in the Browser

September 22, 2022
Ohad Edri
Ron Dalal

Multi-factor authentication is — thankfully — a normal part of our digital experience. Whether at work, connecting with your bank, or logging in to social media, we’re used to the extra step of entering a short code or acknowledging a push notification during login.

Attackers are on the hunt

In recent years, attackers have built up an arsenal of capabilities, ranging from sophisticated to straightforward, to bypass the security that MFA provides. Recent incidents that included MFA bypasses are the SolarWinds breach, which was carried out by the Russian state actor NOBELIUM APT; the Nvidia and Microsoft breaches, which are believed to have been carried out by the LAPSUS$ cybercrime gang; and, most recently, the Uber incident, by a currently unknown attacker. All of these incidents have a common thread: these organizations used MFA, but their attackers found a way to bypass it.

What are we going to cover in this article?

The Island Enterprise Browser enables administrators to embed MFA authentication into every web application and on every user flow at will, and enforces strong MFA methods. We will cover the different types of MFA methods, the challenges of using them within enterprise applications, and how the Island Browser brings it all together. 

A one time challenge, or no challenge at all

MFA adoption is dependent on application developers, and security teams often have to find creative ways to enforce MFA consistently. This gap becomes even more apparent in legacy applications that are no longer maintained, or that were developed with technologies that make incorporating MFA difficult or impossible. Thus, many critical applications that we use do not, or cannot, adhere to the security standards we all wish to see. 

Ultimately, implementing MFA improves security at the point of authentication to the application. Once an attacker has obtained an authenticated session (through session hijacking, for example), they can do anything they wish in the application. In fact, relying on authenticated sessions is one of the most common ways attackers bypass MFA altogether.

With the ability to embed MFA everywhere, Island allows administrators to build a secured workflow for their users within any application, and protect the most sensitive actions they perform within the browser. For example, with Island, an administrator can choose to prompt for MFA when the user decides to edit a sensitive financial file, or add an MFA prompt to a legacy application that doesn’t support MFA natively. 

The MFA method you choose does matter

Rolling out MFA in the organization is not a silver bullet — security teams must be conscious of which MFA methods they use and weigh the risks of each. In the following sections, we will review some of the most common MFA methods and the risks associated with them.  

SMS-based MFA

One of the most common MFA methods is SMS-based MFA. Once a user enters their password, a temporary code is sent to the user by SMS, which they input in order to complete the authentication. But according to research from CISA, Microsoft, Okta, and others, it’s also one of the weakest. 

SMS-based MFA hinges on ownership of the phone number tied to the account, not on ownership of the mobile device itself. Aside from phishing and malware, one of the most common attack vectors against SMS-based MFA is SIM swapping, an attack in which the attackers take over the victim’s phone number.

One common method of executing such an attack is using social engineering to impersonate the victim, claim to have lost their device, and convince the mobile carrier to move the number to a new device. In a recent example, an attacker pleaded guilty to stealing some $50 million USD in Bitcoin from a wallet after a successful SIM swapping attack, which allowed him to gain access to the victim’s email and then their cryptocurrency wallet.

Time-based One-Time-Password (TOTP)

Another common MFA method is the time-based one-time password, or TOTP. In TOTP, a shared secret is set up between an application (usually on a mobile phone) and a web application, usually by scanning a seed provided in a QR code. After the shared secret is created, the application generates short-lived codes derived from the secret and the creation time of the secret, making the generation of new codes by a malicious actor extremely difficult.

TOTP is a strong MFA method, but it is not bulletproof. A phishing website that simulates the authentication process with the destination website can intercept the password and TOTP code. This allows an attacker to create an authenticated session with the real website on behalf of their victim. Alternatively, malware on the device can steal the TOTP shared secret and generate a valid code on demand.

Recently, a sophisticated campaign targeted organizations by creating phishing websites mimicking their SSO authentication pages and intercepting the victims’ TOTP codes to create valid sessions.

App based push notification

Push-notification based MFA gives a great user experience: a user simply has to click a notification from an MFA app to approve an MFA challenge. Since the challenge is given and completed in a trusted application on one of the user's devices, app-based push notification is considered one of the strongest MFA methods.

However, most applications do not require the user to prove they are physically present near the device used to access the account (by asking the user to input a code shown on the screen, for example). Attackers can flood users with push notifications until a user approves one out of habit. Also, malware can steal the push notification client key or read the notifications directly. Such attacks have allowed both sophisticated state-sponsored APTs and cybercrime gangs to bypass MFA for users at very large enterprises.

FIDO2 and WebAuthn

In recent years, using biometric authentication (such as fingerprint and facial recognition) for web applications has been on the rise, with steady adoption on physical devices and operating systems from vendors such as Apple and Microsoft. Biometric authentication is just one type of authentication that has been made possible by the FIDO2 (Fast Identity Online) project and the WebAuthn standard. WebAuthn allows the use of a private key stored in a device (a laptop, a mobile phone, or a security key that upholds certain hardware and software security standards) to authenticate to a web application while verifying the application's identity.

WebAuthn-based MFA is considered the safest MFA method these days, as it relies on a private-public key authentication mechanism and verifies the destination website during the authentication process. This can prevent most phishing scenarios, like those described above. If possible, always use WebAuthn-based authentication.
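The destination-website verification described above comes down to a few checks the web application's server makes on every WebAuthn login response. The following is an added example, not code from the original article or from Island; `RP_ID`, `EXPECTED_ORIGIN`, the function names and the sample values are assumptions constructed for illustration, and verifying the signature with the registered public key is a required further step that is not shown.

```python
import base64
import hashlib
import hmac
import json
import struct

# Assumed relying-party settings; hypothetical values for this example.
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"

FLAG_USER_PRESENT = 0x01   # UP bit in the authenticator data flags byte
FLAG_USER_VERIFIED = 0x04  # UV bit (biometric or PIN check on the device)


def b64url(data: bytes) -> str:
    """Base64url without padding, as WebAuthn encodes the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def check_assertion_binding(client_data_json, authenticator_data,
                            issued_challenge, require_uv=True):
    """Return a list of failed checks; an empty list means all passed.

    Verifying the signature over authenticator_data || SHA-256(client_data_json)
    with the registered public key is still required and is not shown here.
    """
    try:
        client_data = json.loads(client_data_json.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return ["clientDataJSON is not valid UTF-8 JSON"]
    if not isinstance(client_data, dict):
        return ["clientDataJSON is not a JSON object"]

    failures = []
    if client_data.get("type") != "webauthn.get":
        failures.append("type is not webauthn.get")

    # The challenge must be the one this server issued for this login attempt.
    got = str(client_data.get("challenge", "")).encode("utf-8")
    if not hmac.compare_digest(got, b64url(issued_challenge).encode("ascii")):
        failures.append("challenge mismatch")

    # The browser, not the page, writes the origin, so a lookalike site
    # cannot claim to be the real one.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        failures.append("origin mismatch")

    # Authenticator data layout: rpIdHash (32) | flags (1) | signCount (4) | ...
    if len(authenticator_data) < 37:
        failures.append("authenticator data too short")
        return failures
    rp_id_hash = authenticator_data[:32]
    flags = authenticator_data[32]
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(RP_ID.encode()).digest()):
        failures.append("rpIdHash mismatch")
    if not flags & FLAG_USER_PRESENT:
        failures.append("user presence flag not set")
    if require_uv and not flags & FLAG_USER_VERIFIED:
        failures.append("user verification flag not set")
    return failures


def build_sample(origin, rp_id, challenge, flags, sign_count=1):
    """Construct the two byte strings a browser and authenticator would return."""
    client_data_json = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": origin,
        "crossOrigin": False,
    }).encode("utf-8")
    authenticator_data = (hashlib.sha256(rp_id.encode()).digest()
                          + bytes([flags]) + struct.pack(">I", sign_count))
    return client_data_json, authenticator_data


# Constructed sample data (not captured traffic).
CHALLENGE = bytes(range(32))
UP_UV = FLAG_USER_PRESENT | FLAG_USER_VERIFIED
GOOD = build_sample(EXPECTED_ORIGIN, RP_ID, CHALLENGE, UP_UV)
LOOKALIKE = build_sample("https://login-example.test", "login-example.test",
                         CHALLENGE, UP_UV)
STALE = build_sample(EXPECTED_ORIGIN, RP_ID, b"\x00" * 32, UP_UV)
NO_UV = build_sample(EXPECTED_ORIGIN, RP_ID, CHALLENGE, FLAG_USER_PRESENT)

if __name__ == "__main__":
    for name, sample in [("good", GOOD), ("lookalike", LOOKALIKE),
                         ("stale challenge", STALE), ("no UV", NO_UV)]:
        print(name, "->", check_assertion_binding(*sample, CHALLENGE) or "ok")
```

A response produced on a lookalike site fails on both the origin and the RP ID hash, which is the property that a typed SMS or TOTP code does not have.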

Browser attacks

Besides directly attempting to bypass MFA, an attacker can aim directly for the end result of such a bypass: a valid session token or cookies belonging to the victim. There are several possible ways to achieve that, and they all revolve around attacking the browser. Some examples:

Stealing cookies from the endpoint 

An attacker who has access to the endpoint, or the browser, can (assuming they have user privileges) retrieve the cookies stored in all common browsers — both Chromium based (such as Chrome and Edge) and others (such as Firefox). The cookies are stored encrypted on the endpoint. However, since the encryption mechanisms are known and the keys are accessible to the user, malware can also access the cookies and decrypt them.  

In a recent example, the LAPSUS$ cybercrime gang claimed to have breached EA by buying an employee’s active session token for the company’s Slack. This token was most likely obtained by malware installed on one of the employee’s devices that they used to log in to the corporate Slack.

Stealing cookies via MITM

SSL is almost ubiquitous in the modern world and keeps our online activities both secure and private. However, Man-in-the-Middle (MITM) attacks are still a possibility. For example, malware installed on the endpoint can add the attacker’s trusted certificate, allowing them to decrypt SSL traffic. By achieving visibility to the unencrypted traffic between the victim and the service, attackers can steal all of the tokens and cookies sent in it.

Island makes MFA ubiquitous

The Island Enterprise Browser empowers organizations by allowing them to use MFA everywhere. Some of the most common scenarios include:

  1. Application access: Attach MFA to access any application, modern or legacy, and enforce the highest standard of security. 
  2. User interaction: Attach MFA to any type of user interaction that is deemed sensitive, such as clicking on a production-sensitive flow in a web application, downloading a file, or sending a form. 
  3. Physical access: Island can protect against physical access of an idle machine by obscuring the window and requiring MFA to resume work — even on an unmanaged device. 

In addition to making MFA another tool in the administrator’s tool shed, Island also protects against endpoint and network attacks, like the ones mentioned above. This is done through various methods of local and cloud-based encryption of sensitive browsing data, along with network integrity checks and verifications. By combining the power of MFA everywhere with strong MFA methods, last-mile controls and enterprise-grade protections, Island protects the enterprise while empowering the end user.

WWLW Ep. 4: The case of the legal docs in 3rd party deal rooms

September 21, 2022
Dennis Pike

What we know

Dennis Pike is working with a large American law firm to improve their document management and information security practices. Whenever the firm is engaged in a legal matter with a client, they use a digital “deal room” to collect and share documents between the legal staff. The information in these documents is often highly sensitive so access control and confidentiality are critical.

What we learned

One of the unique challenges for this law firm is managing documents across multiple deal rooms or file share services. It’s common for a client to use their own file storage service in addition to the law firm deal room. It’s essential to make sure documents are correctly stored between the two sources and that the right people have access. Using the Island Enterprise Browser helps the firm achieve both, without adding any unnecessary burden on their staff.

What happened next

Working with Dennis, the law firm deployed the Enterprise Browser and requires its use when staff are using an external client deal room. The additional visibility and access controls give their risk & compliance team confidence in how deal room documents are managed. It has also opened the door for employees to have more flexibility with the productivity tools they use at work. The Enterprise Browser gave the law firm the confidence to “say yes” to a wide range of web apps that help their legal staff increase productivity.

WWLW Ep. 3: The case of the poor content moderation experience

September 14, 2022
Tad Johnson

What we know

Brian Borthwell is working with a company that offers customer support services for some of the world’s largest brands. This company has employees all over the world who fulfill critical roles like content moderation on forums, social media engagement, and customer support. This type of work requires interacting with sensitive customer and company data, so information security is critical to their business. 

What we learned 

One of the unique challenges they wanted to solve was replacing a legacy virtualized desktop platform. They used a non-persistent VDI so employees could log-in during their shift, complete their daily task list, then clear all data after their shift. This was a clumsy experience for employees, who would need to spend the first few minutes of each shift logging in and configuring their workspace. It was especially painful for employees on a slower connection. 

What happened next 

Working with Brian, they implemented the Island Enterprise Browser as the secure workspace for employees. Daily work assignments are stored and accessed through Island Secure Storage and data is deleted after each shift. Making the change from VDI to Island was a big improvement for employee user experience and boosted productivity by eliminating virtualization friction. It also cleared the path to decommission the old VDI platform to reduce costs and simplify their IT operations. 

The case of the mysterious call center activity

September 7, 2022
Tad Johnson

What we know

Jason Trunk is working with a FinTech Lending company who wants to improve their call center operations. They have several call centers around the world to serve customers on loan origination and servicing and they use for all their customer service operations. In the business of financial lending, a simple human error could be very costly both for the company and their customers, so it’s critical to track exactly what each employee is doing to catch errors and audit their operations.

What we learned

Previously, this customer was using a combination of several tools to secure access and provide visibility. One of these tools was Salesforce Shield, an add-on module for that offers granular logging but adds 30% to their subscription costs. They also required employees to log in to Salesforce via a VPN, which degraded the user experience for some employees outside the U.S.

What happened next

Working with Jason, they configured the Island Enterprise Browser as the default browser for all call center employees. This gave them dramatically improved visibility to all activities through the browser, including They were also able to retire the VPN solution, as Island offered a secure and trusted platform to connect through. With this change, the day-to-day user experience for call center employees improved and the company got better visibility and a simpler technology stack.

Why Dmitri Alperovitch chose to partner with Island

September 1, 2022
Bradon Rogers

There’s no playbook for building a whole new category.

It’s not because nobody knows how to do it. It’s because arguably the most important step of category creation is not in your control.


Gaining the recognition and endorsement from the voices that matter most in your industry sends your market an unmistakable message – that a true innovation has arrived and the game has officially changed. 

This is why we are so grateful to have Dmitri Alperovitch not just support Island’s mission, but to personally join us as an investor in that mission to help us continue making it a reality. 

Dmitri Alperovitch is one of the most accomplished experts in the world of cyber security. 

Formerly the vice president of threat research at McAfee, Dmitri is perhaps best known for having co-founded and served as CTO of CrowdStrike. 

Today, Dmitri focuses his time and energy on his three passions – the future of cybersecurity, the teams building it and his philanthropic work.

As he considers cybersecurity investments, Dmitri says there’s just not a lot out there that wows him these days. As an industry, cybersecurity is about as saturated as possible in both innovation and the funding behind it. So something truly new is hard to find. 

And that’s why Dmitri’s belief in Island feels significant. It signals that we’ve arrived at something truly groundbreaking. 

When it comes to his second passion, the people, Dmitri saw in Island an executive team with a history of success he was quite familiar with. With many of Island’s leaders having worked closely with him in the past, it wasn’t difficult for Dmitri to envision Island bringing this new technology and category to life. 

Yet, what was maybe most meaningful of all was hearing our story come from Dmitri’s mouth.

How CISOs want more security but fewer security tools and agents. 

How the solutions we’ve relied on until now have become the very targets of attack that put companies at greater risk.

How no one considered enabling the browser to do more than just browse.

How The Enterprise Browser isn’t just about security. It’s about efficiency and productivity – areas that appeal to CIOs just as much as CISOs. 

How so very simple the whole thing is.

When one of the industry’s most accomplished and respected leaders shares our vision, believes in our mission, and invests in our future - that’s some of the best validation any new category can get. 

Introducing ‘What We learned Wednesdays’

August 31, 2022
Tad Johnson

They say you can only grow once you know that you don’t know.  

When you start something entirely new, there are always a fair amount of unknowns. Lessons you only learn once you’re already out there marketing, selling, and delivering for customers.  

For us, our “something new” wasn’t just a product. It was a whole new approach. A category that never existed. 

Which meant what we didn’t know was a whole lot. So we spent a lot of time listening. 

We pitched what our product can do for organizations and then listened to what customers needed for their organization. And then we built something that (we hoped) would be transformative for them. 

We showcased features, and then learned what additional features mattered to them most. Some of those became new features we added later that week, or in some cases, that day. 

We listed relevant use cases, then found out there were four more we never even thought of. And optimized for those as well. 

And this kept happening week after week. Call after call. Until we realized, this wasn’t just about our product. These were valuable lessons for our industry. Anyone can learn from these conversations, to understand what security teams, end users, organizations as a whole are struggling with, and how we can help. 

And from that, “What we learned Wednesdays” was born. A weekly video series where our sales professionals share unique customer stories and what we learned from them. Each conversation consists of three parts:

  1. What we know: The specific situation or challenge our customer faced
  2. What we learned: The need our customer had and what it would take to solve it
  3. What happened next: Have we addressed the challenge, and the impact it had on the customer

To start things off, here is our first video in the series: The case of the HITRUST Certification - a set of important risk management and compliance requirements that are critical to customers in the healthcare market.

The Case of the HITRUST Certification

What we know 

Eugene Kim is working with a health care customer who needed to set up a secure environment to access patient records. They considered the virtual desktop approach, but found the cost and complexity was too high. Instead, this customer chose the Island Enterprise Browser as the secure access point for all apps and resources. This solved their challenge for onboarding new employees and didn’t add any of the complexity of desktop virtualization. 

What we learned

One of the requirements this customer brought to Eugene was the ability to support HITRUST certification. Working with extremely sensitive patient records is central to clinician workflows and protecting those records is critical. In practice, this means adding tight controls over how patient records can be accessed and where they are stored. 

What happened next

Working with Eugene, they configured the Enterprise Browser to freeze a user session after a period of inactivity. Once the clinician re-authenticates with their secure credentials, they can pick up exactly where they left off. If a user is inactive for a longer period, the session ends and the browser clears all open tabs and browsing data. To prevent any data leakage, they also enabled several controls to prevent patient data from leaving the browser. In this way, they can treat the browser itself as the managed endpoint regardless of which device it’s running on. Island provides all the security controls they require with a much simpler deployment model. 

The Best Enterprise Security Solution of the year is… a browser?

August 22, 2022
Ellen Roeckl

So it’s official. The Enterprise Browser was named The Best Enterprise Security Solution by SC Magazine. 

And while this is certainly a time for us to take it all in, celebrate the win, and be proud of our accomplishment - this is more importantly a time to reflect on how we got here.

Think about it for a moment - the best enterprise security solution of 2022 is a browser.

A browser. 

Imagine telling your industry peers five years ago that, in 2022, a browser will be the most important security solution for the enterprise. Imagine saying that even nine months ago!

And yet, here we are.

In some ways, it’s pretty shocking, and yet, if you dig a bit deeper (like we did), this outcome seems kind of inevitable.

The world of work was slowly moving to the web. SaaS was gaining momentum fast. Companies started moving critical apps to the cloud. Then moving their entire organization to the cloud. Then companies were being born in the cloud.

And then COVID happened. Work was no longer just in an office, on the corporate network, using company devices. It was everywhere.

Suddenly the browser wasn’t just another work application. It was the center of our digital workspace. It became, quite literally, the most important application in the enterprise.

And yet, the browser, where pretty much all work took place, wasn’t even designed for work. No way to secure sensitive data. No way to govern access. No way to control or even see what’s happening in there. 

Which forced organizations to do some pretty uncomfortable things just to work safely on a browser that was never meant for work.

Things like

  • Breaking the encryption meant to secure our data, in order to inspect traffic
  • Shipping pre-configured laptops to contractors, just to give them access to SaaS apps
  • Virtualizing your desktop just to use the browser that’s… already on your desktop
  • Adding proxies, gateways, and VPNs everywhere we try to get work done
  • Blocking personal email or messaging apps at work

All this led two industry veterans, Mike Fey and Dan Amiga, to arrive at an entirely new thought:

What if the browser was designed for the enterprise?

What if everything the enterprise needed to work safely was built into the browser, instead of on top of it?

And like that, The Enterprise Browser was born.

The ideal workplace, where everything the enterprise needs is built right in, and everything else is out of the way.

Organizations now control, see, and govern everything happening in the browser. While users get the smooth browsing experience they know and love. Everyone wins.

It was the answer to the high cost, huge complexity, and heavy resources that have gone into securing the enterprise until now.

And the answer to the frustrating, disappointing, and underwhelming end user experience of working with tools that seemed to just get in the way.

It’s everything the enterprise needs, and everything the user wants.

And it’s just… a browser. 

And that explains why today, The Enterprise Browser is the Best Enterprise Security Solution of 2022.

Guest Blog: Island Redefines Security Delivering the Enterprise Browser

July 27, 2022
Alon Weinberg

Several years ago, Island Co-founders Michael Fey and Dan Amiga had an epiphany.

What if enterprise organizations had complete control over the browser environment? They knew the traditional web browser was the most widely deployed application by enterprise organizations; yet the browser wasn’t built for the enterprise, it was built for the consumer market.

This commonly used software application is incapable of offering the high-level security, visibility and privacy enterprise users needed.

If it could be modified for the enterprise, they knew it could change everything. With this belief, the founders began developing an enterprise browser that would simplify the security stack, give the enterprise complete policy control and deliver a more efficient, safer and productive browsing environment.

In February 2022, their vision became reality when the enterprise browser emerged from stealth mode to take control of the last mile – from the network to the end device - and redefine the end-user experience.

With the Island Enterprise Browser launch, enterprise organizations no longer need Secure Sockets Layers (SSL) or costly virtual desktop infrastructure (VDI) for data loss prevention.

While the thought of contractors accessing Software-as-a-Service (SaaS) applications from home once made CISOs think twice, with Island’s Enterprise Browser they can now greenlight personal email, collaborative platforms and Bring Your Own Devices (BYOD) while quickly ramping up contractors as needed.

Perfect Timing for the First Enterprise Browser

After nearly two years of product development, the Island browser emerged at a time when most major browsers were standardizing to the Chromium open-source project. Leveraging the open-source project, Island’s co-founders seized an opportunity to create a custom browsing experience for enterprise organizations without having to build their own rendering engine. Building on Chromium also meant creating an entirely familiar experience for end users, reducing friction in deployments.

“We could stand on the shoulders of those giants and make sure all of our energy went into making the browser the best enterprise resource possible by upgrading the security posture, improving integrations, giving them complete policy control and providing infinite last mile control,” said Michael Fey, co-founder and CEO, Island.

At the same time, enterprise organizations were shifting to a remote workplace where contractors, call center staff, and BYOD workers needed access to internal web and SaaS applications like Salesforce and Workday.

Island’s enterprise browser allows these organizations to seal the SaaS environment, secure last-mile control and achieve total data loss prevention (DLP). By simplifying the security stack and working with, not against, existing systems, the browser is able to support web filtering, web isolation and Zero Trust network access with a cost-effective solution.

“When call centers move remote, they find themselves going to a SaaS application over a virtual infrastructure to a backhaul location to get out to the SaaS application,” says Fey. “We bring common sense to that architecture and let those users go directly to the SaaS application while still providing the security controls.”

A pricey venture requiring a massive number of engineers, Island’s browser also carried the good fortune of launching within a favorable fundraising environment, with Insight Partners, Stripes and Sequoia Capital providing more than $200 million in capital to bring the founders’ vision to light.

Protecting the SaaS Environment with Built-in – not Bolt-on – Security

Unlike bolt-on security tools, Island’s enterprise browser provides deep control at the operating system level with security that’s built by design.

While not a replacement but more of an augmentation to the enterprise customer’s existing approach, the enterprise browser circumvents massive change management, allowing enterprises to quickly ramp up call centers and contractors on personal devices.

Users can decide what the browser does and doesn’t do – like cut, copy, paste; take a screenshot; tag traffic; redact data; and change what information flows under enterprise control and governance.

Although Island’s enterprise browser provides remote browser isolation, web filtering and mobile device management (MDM), the browser most often works alongside existing systems to simplify the architecture, reduce expense and provide total endpoint protection.

“This allows us to connect to any of those designs and complete that last mile that’s been missing. So often in the Zero Trust architecture, people would get to the last mile and realize the data on the endpoint was still a massive point of risk, so they went with a heavy, overburdened architecture like a desktop as a service. The enterprise browser allows us to rethink the last mile and ensure it collaborates with all the platforms,” says Fey.

How Island Built its A-Team

Island has built an impressive roster of leadership and engineering talent with a “nexus of experience” approach beginning with Fey, the former president of Symantec, and Amiga, the founder of Fireglass, an RBI solution that works with Chromium browsers.

“In the world of cybersecurity, where the bulk of people spend their entire careers selling and building something that is just the next generation of something else – the next endpoint, the next gateway, the new firewall – this was an opportunity for those people to take all that skill and expertise and do something fundamentally new and different. We’ve excited people’s imaginations,” says Fey.

The co-founders also learned early on that they would need to remove the friction of adoption if they were going to realize the ultimate vision of delivering the first enterprise browser.

“I think too often people fall in love with their big vision and don’t fully appreciate the challenges they will encounter on the path between the vision and the reality,” says Fey. “You have to address the journey from day one because your investors are going to go to those places and ask you the hard questions, and the difference between an investment they’re excited about and one they just think is interesting is having great answers and proof points to solve those problems.”

Fey advises other startup founders to first identify the obstacles that may be standing in the way of their go-to-market plan. “What is uncharacteristically difficult about your plan? Whether it’s adoption, the business model or the tech, make sure your early days of investment are about tackling that,” he says.

As Island drives toward more integrations, Fey expects the company to expand beyond cybersecurity by helping IT better understand performance and the end user process with greater visibility.

Island’s founders believe every enterprise organization will be running on an enterprise browser one day. “That level of control at the last mile is essential to delivering things like Zero Trust, secure edge and BYOD,” says Fey.

If the vision holds true, the enterprise browser will soon become a core part of the IT toolset as users seek a safer, more secure and productive end solution.

The True Power of AWS Tags: How to Use ABAC at Scale


July 27, 2022
Itamar Bareket

One of the biggest challenges nearly all engineering organizations face is scaling up without slowing down productivity or compromising on security standards. One area where we at Island encountered this challenge is in controlling access and permissions to AWS without compromising on speed and developer autonomy.

While AWS IAM is packed with features, including support for ABAC (attribute-based access control), it is often very hard to control who can tag what at scale. In this blog post, we’ll dive into the deep waters of AWS IAM, face its problems and learn how to leverage IAM policies to make ABAC scalable.

This journey walks through parts of a talk I gave at fwd:cloudsec 2022 called "The Power of AWS Tags". I encourage you to watch it here

A journey for developer autonomy

You might be familiar with RBAC (role-based access control), where access is granted for specific roles on specific resources, which typically requires an administrator to handle permission requests from R&D teams and adjust their roles accordingly. In many organizations, this is a slow process.

On the other hand, if permissions are managed with ABAC (attribute-based access-control), it is easier for the administrator to create rules to match resources by the attributes set on both resource and actor. That way permissions would be granted dynamically, lowering the number of requests from R&D teams and giving teams more autonomy and control over the resources they own.

For example, here is a rule an admin may configure: “users of team: infra can read data from DynamoDB tables tagged with owner: infra.”

This IAM policy would look like this:

Where it gets more complex

What if a bad actor from the infra team had access to modify the tags of his own user or role, or even modify the tags of other DynamoDB tables? Privilege escalation is pretty easy.

In order to mitigate this, we’ll need to protect our owner tag. Let’s write a statement like this:

Now, imagine you manage 30 of those tags. Adding a protection statement for each kind of tag sounds pretty cumbersome, and with IAM policies limited to 6144 characters, it’s probably a good idea to propose a solution that will allow scaling ABAC with more ease.

Reaching separation of concerns

Looking at the previous policy we came up with, it is easy to distinguish each statement as its own role:

  • The first statement is responsible for the access-control logic itself. These kinds of data plane statements are meant to be distributed, so they can be attached to different users, roles or groups, or to the whole organization, according to business needs.
  • The second statement is responsible for tagging integrity, the control plane, and we want it to be as generic and centralized as possible. This policy will be attached as an SCP to all accounts in the organization.

Modeling privileged tags

Think of a UNIX filesystem. If I’m granted permissions to my home directory at `/home/itamar` I can write anything under that path, since this is my grant area.

Translating this into IAM, we’ll assign each user/role with a grant path of their own that will define their tagging grant area: if a role’s grant path points to “ctl/v1/admin” then users assuming this role can tag anything under that path, like “ctl/v1/admin/owner” (but not “ctl/v1/bagels”).

Setting the grant path

In our UNIX filesystem we’d have a special file, in which every entry will be a username and its grant area, and no one would have write access to it (unless they’re using sudo). Like this:

Yet in IAM, we don’t have the equivalent of a centralized file, so each principal will hold its own grant path in a tag key (which is itself a control tag under a meta subtree) that no one can create, delete or modify (unless they use “sudo”; we’ll get to that). In that case, the tag value will be a pointer to the grant area.

Introducing Control Tags

Control Tags are a privileged set of tags. Any tag that starts with `ctl/` is a Control Tag.

Let’s see the IAM statements behind this control plane:

Let’s break this down:

  • We do not allow principals that don’t have a grant path configured to tag any control tag.
  • We do not allow principals to tag outside of their grant area or outside another allowed set of tags, such as “environment” or “info/*”.
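
The two rules in the list above, modelled as an added Python example (not the IAM statements from the original post, and not Island's code). The tag key `ctl/meta/grant_path` and the sample principals are assumptions made for the illustration; the open allow-list uses the two patterns the post names.

```python
# Added example: a model of the control-plane rules, not the post's IAM policy.
# Assumed (not from the post): the grant path lives on the principal under the
# tag key "ctl/meta/grant_path"; the open allow-list is the two patterns the
# post names as examples.
import re

CONTROL_PREFIX = "ctl/"
GRANT_PATH_KEY = "ctl/meta/grant_path"          # assumed key name
OPEN_TAG_PATTERNS = ("environment", "info/*")   # examples named in the post


def string_like(value, pattern):
    """Case-sensitive glob: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def in_grant_area(tag_key, grant_path):
    """True only for keys strictly below the grant path, on a '/' boundary."""
    prefix = grant_path.rstrip("/") + "/"
    return tag_key.startswith(prefix) and len(tag_key) > len(prefix)


def evaluate_tagging(principal_tags, requested_keys):
    """Return (allowed, reasons) for a request that touches requested_keys.

    A single offending key denies the whole request, the way a Deny
    statement evaluated over every tag key in the request would.
    """
    grant_path = principal_tags.get(GRANT_PATH_KEY)
    reasons = []
    for key in requested_keys:
        if key.startswith(CONTROL_PREFIX) and not grant_path:
            # Rule 1: no grant path configured, so no control tag at all.
            reasons.append(f"{key}: control tag, principal has no grant path")
        elif not (
            (grant_path and in_grant_area(key, grant_path))
            or any(string_like(key, p) for p in OPEN_TAG_PATTERNS)
        ):
            # Rule 2: key is neither in the grant area nor on the allow-list.
            reasons.append(f"{key}: outside grant area and allow-list")
    return (not reasons, reasons)


# Constructed principals for the demonstration.
ADMIN = {GRANT_PATH_KEY: "ctl/v1/admin"}
INFRA_DEV = {GRANT_PATH_KEY: "ctl/v1/infra"}
UNTAGGED = {}

SCENARIOS = [
    ("admin tags inside own grant area", ADMIN, ["ctl/v1/admin/owner"]),
    ("admin tags a sibling subtree", ADMIN, ["ctl/v1/bagels"]),
    ("prefix look-alike is not the grant area", ADMIN,
     ["ctl/v1/administrator/owner"]),
    ("developer rewrites own grant path", INFRA_DEV, [GRANT_PATH_KEY]),
    ("developer mixes a good key with another team's", INFRA_DEV,
     ["ctl/v1/infra/owner", "ctl/v1/admin/owner"]),
    ("principal without grant path sets a control tag", UNTAGGED,
     ["ctl/v1/infra/owner"]),
    ("principal without grant path sets open tags", UNTAGGED,
     ["environment", "info/contact"]),
]


def run_scenarios():
    """Map each scenario name to True (allowed) or False (denied)."""
    return {name: evaluate_tagging(principal, keys)[0]
            for name, principal, keys in SCENARIOS}


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{'ALLOW' if allowed else 'DENY':5}  {name}")
```
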

Revisiting our first example

It’s THAT simple

This way, only admins can designate principals with team affiliation and only team members can designate resource affiliation with the team.

Recipe: How to Use Control Tags

  1. Define the meta grant_path tag key, and set grant paths for your principals.
  2. Attach the Control Plane as an SCP to your AWS account.
  3. Define data-plane policies and attach them to your roles/accounts/resources.


Managing grant paths for users

Say you want to introduce a new team to this scheme, change paths or add a broader grant area for some users.

There are two main options to manage grant paths for your users:

  • Using 2PA. 2PA is a concept we created to implement the two-person rule in the cloud. Learn more about it in our fwd:cloudsec lecture!
  • Temporarily exempt yourself from the Control Plane SCP. Just add another Condition to assert your user/role can tag under the meta grant path.

To sum up, Control Tags are a great way to manage tagging permissions and enable some developer autonomy in your organization. Check out my entire presentation to learn more tricks Control Tags have up their sleeves.

Zero Trust in Practice


July 20, 2022
Tad Johnson

The zero trust security model builds on decades of hard-learned lessons. The era of a secure network perimeter is long past, so we should never implicitly trust a connection based on its network location alone. With the ubiquity of federated identity providers, we can positively identify the identity behind every request. We can evaluate the posture of the device a request originates from to further protect against stolen credentials being misused. And with modern networking technologies, we can start from zero and build up these layers of trust before allowing the network connection, then continuously re-evaluate trust with every request.

As a security philosophy, zero trust offers a path to resolving many categories of vulnerabilities. Credential theft is much less effective when we require multiple factors for authentication and evaluate the device posture before granting access. Internet-based attacks can’t succeed if there is no routable path between a private app and the outside network. Even if malware is already resident on a device, lateral movement to infect other devices is made exponentially more difficult.

Making it Real

Bringing zero trust out of the realm of theory and putting it into practice means investing in security tools: an identity provider, some network infrastructure, and typically some combination of endpoint agents. Curiously, there’s one application at the center of almost every zero trust workflow that’s been ignored by most security vendors: the web browser.

When an enterprise invests in security tooling to put zero trust in practice, it doesn’t make sense to leave a basic consumer-oriented web browser at the center. Island built The Enterprise Browser to change that.

The Enterprise Browser is the on-ramp for a practical zero trust security implementation. It integrates with identity providers for user authentication and identification of all web activity. It continuously evaluates device security posture, without requiring any additional agents. It can make secure connections to private apps and resources over any network, while keeping those private apps completely dark to unauthorized access. It can apply last-mile controls to protect data from inappropriate use or accidental leakage – something that is virtually impossible for a legacy network-based security tool to achieve. And all web activity within the browser can be logged and shared with a SIEM or analytics platform to gain unmatched visibility and inform security governance and incident response.

And because all of this is built around a Chromium-based web browser, the end-user experience is frictionless and familiar. There are no extra agents to deploy, no training to teach users how to connect. Simply by introducing a new web browser, you can take a practical step at leveling up your security practice and embracing the zero trust paradigm.

The Human Element

A collaborative partnership with end-users is key to any successful security strategy.

At baseline, any new security tool or technique shouldn’t burden users or disrupt their general productivity. Thankfully, modern security practices are generally transparent to users or follow familiar patterns that become second nature. Clear communication with users in the form of status indicators, notifications, or error messages (with instructions on what to do next) goes a long way in ensuring lasting success.

The Enterprise Browser offers a unique approach to end-user engagement. The browser itself is tuned to be fast and a tailored enterprise app chooser makes every app and resource immediately available. There are no added burdens for end-user adoption, and no extra steps that could hinder user productivity. User messaging can be customized to match corporate brand voice, and users get clear and immediate feedback when they encounter a security policy. It’s tempting to overlook user experience or take it for granted when designing a security strategy. The Enterprise Browser makes it easy for end-users to adopt it as their default browser, and it gives Security teams the tools they need to clearly communicate their security policies.

Changing One Thing  

The concepts and technologies that form a zero trust security model are not a secret, nor are they proprietary to any one security vendor. Today’s challenge is largely one of optimization and operations – how do we implement a security strategy that decreases risk without disrupting end-users or business operations?

This challenge is what motivated creating The Enterprise Browser. It’s a unique approach, where the web browser itself plays an active role in the security strategy. Sometimes changing one thing changes everything.

The Last Mile of Zero Trust


July 20, 2022
Tad Johnson

“Zero Trust” is everywhere in the cybersecurity world. While it’s fair to say that the term is a bit over-used by over-zealous marketers, the security paradigm it describes is real. Broad categories of security exploits can be significantly reduced – if not eliminated – by implementing a zero trust security model that continuously validates user identity, device posture, and resource access. One area that’s often overlooked in zero trust implementations is the last mile: extending the principle of least privilege all the way to end-users of information systems.

What is the last mile of zero trust?

To understand the last mile of zero trust, let’s first review the first mile. A user wants to access a protected resource, such as a customer record stored in their SaaS CRM platform. The user’s identity is verified against the enterprise identity provider (IdP), the security posture of her laptop is validated to conform with enterprise standards, and her access privileges for the CRM platform are verified. Once this level of trust is established, a secure connection is established between her laptop and the CRM platform and the customer record is displayed. In an ideal scenario, everything just mentioned happens in milliseconds and is transparent to the user.

At this point in our scenario, a customer record is displayed on screen. Now let’s consider the last mile: what can the user do with that data?

  • Is she allowed to print the page, creating a new physical copy that is more or less untraceable?
  • Is she allowed to take a screenshot of the window, creating a digital copy that’s disconnected from the CRM platform?
  • Is she allowed to copy notes from the most recent customer support case and paste it in an email? What if she tries to paste those notes in her personal email account?
  • Is she allowed to view the customer’s credit card number that was attached in a note regarding a recent billing inquiry?
  • When she joins a Zoom meeting and shares her desktop, will that customer record be displayed to everyone in the meeting?

This deeper level of granularity in data protection is critically important – but it’s left largely unaddressed by legacy ZTNA vendors. The principle of least privilege is a foundational tenet of zero trust: a user should be given only those privileges necessary to complete their job. Returning to the example above, her job requires access to customer records from the SaaS CRM platform; her job does not require her to make new copies (printed or digital), move customer data to a personal email, or share customer records to a Zoom meeting. Most of the time, she doesn’t need to view credit card data, but there are some exceptions when she needs that information to resolve a customer issue.

An ideal last-mile security policy would look like this:

  • When she is viewing customer records, the function to print or take screenshots is disabled (and she sees a clear message explaining why if she attempts that function).
  • If credit card numbers are stored in case notes, they are redacted from view. The InfoSec team set an optional rule to allow a user to toggle visibility (and when toggled, that action is logged).
  • When copying data from a customer record, she can paste it within the CRM platform, or within trusted enterprise apps, but she is not allowed to paste that data to a personal email or untrusted apps.
  • If she joins a Zoom meeting and shares her desktop, the window with customer records is hidden, but other non-sensitive windows can be shared.
  • All the controls above are granularly enforced to apply only to sensitive content like customer records, so she remains fully productive at work.
  • Every interaction with the CRM platform is logged to a centralized analytics platform to support fast incident response and investigation.

This vision for embracing zero trust principles for end-to-end security of modern web apps and data inspired the development of Island, The Enterprise Browser. It’s the browser that’s designed for the enterprise that makes work fluid, frictionless, and fundamentally secure. Instead of layering security tools on top of a consumer-focused browser, Island applies security controls within the browser itself. It’s the perfect on-ramp for putting zero trust principles into practice, both at the network layer and at the last mile. Because it’s built around Chromium technology, users enjoy the fast, familiar experience they expect. It’s work as it was meant to be, where security is native to all users, applications, and the data between them.

Why it’s time to rethink your VDI or DaaS


June 27, 2022
Tad Johnson

Cut out cost and complexity and dramatically improve user experience by replacing your VDI or DaaS strategy with an Enterprise Browser

The promise of desktop virtualization is hard to argue: your employees can work from (just about) any device, anywhere in the world while you keep your sensitive apps and data secure and centrally managed. VDI was a decent solution at a time when most organizations managed their own data centers, Windows apps were the norm, and working with rich content (such as video) wasn’t a requirement. Today, most apps are delivered through a web browser and hosted by SaaS providers. Users often connect from home networks outside the reach of enterprise controls. A growing remote workforce pushed many organizations to rethink how they secure and monitor access to critical apps. As an established technology, VDI or DaaS was a natural choice at the time. 

But as your help desk tickets will confirm, virtualization in any form comes with a huge burden on both operations staff and the end-users they support. Performance issues, network congestion, and complex provisioning weigh against the benefits of virtualization. Add to that the high costs of hosting, licensing, and operating a robust VDI or DaaS environment and the costs start to outweigh the benefits.

There’s a modern alternative to DaaS that you should consider: The Enterprise Browser. 

The Enterprise Browser takes a new approach to securing critical apps and data. Instead of adding layers of virtualization–disrupting the user’s experience and adding cost and complexity–security and access controls are built into the browser. Users authenticate with their corporate credentials, last-mile controls stop data leakage, browser hardening protects against malware, and full activity logs are sent to your SIEM. This approach gives InfoSec teams a level of control and visibility that goes way beyond VDI or DaaS, and end-users enjoy unrivaled performance.

Provisioning a new user with The Enterprise Browser is much simpler for IT Operations teams: install the browser. That’s it. End-users can even download and install it themselves on devices IT doesn’t own or manage. And it’s available for Windows, macOS, and Linux so everyone gets to enjoy full native-app performance. Once deployed, IT’s job is done: no performance tuning, resource monitoring, or cost modeling required. 

The end-users who are working with SaaS apps every day see a noticeable improvement. The Enterprise Browser is built on Chromium, so web performance is as good as it gets. Since there’s no virtualization overhead, there’s no lag or visual artifacts. Users get their work done, in a browser they’re already familiar with. 

The Enterprise Browser won’t replace all virtualization: if you’re connecting to systems for high-end CPU or GPU workflows, VDI is the right play. But if your primary goal is to secure access to web apps and data, across a remote or distributed workforce, The Enterprise Browser is a far better choice.

Three Pitfalls of BYOD and One New Answer


June 27, 2022
Tad Johnson

There are still many advantages to centralized purchasing and provisioning, both financial and operational. On the other hand, every business needs the ability to extend access to a personal device in some cases: employee onboarding, business continuity, or contract workers, for example. Some employees want the option and convenience of accessing business apps using their home computer. Balancing the competing concerns of information security, IT operations, and user privacy is no small task—as is evident from the mixed results of BYOD in practice.

BYOD initiatives often stumble when they hit one or more of these three pitfalls: 

  1. Un-Managed Devices
    The most common barrier to any BYOD program is the very real concern of unmanaged devices connecting to critical applications housing sensitive data. Putting sensitive data on devices where you have no visibility or management is a huge risk. The natural solution is to install an endpoint management agent, which solves one problem but creates another.

  2. User Rejection
    Ask the average user to install an endpoint management agent on their personal device and you’ll be met with some (well deserved) skepticism. What data can the agent see? Are my personal email, documents, and photos visible? Is all my personal web browsing being logged? Concerns over user privacy are real and users shouldn’t have to trade their privacy for BYOD flexibility. Instead, we can deploy a virtualized desktop and manage that layer. Problems #1 and #2 are solved, but at what cost?

  3. IT Operational Cost
    Desktop Virtualization seems appealing for allowing users to leverage their own devices, because it answers some of the security questions without intruding on user privacy. But that technology comes with a steep price tag, both in licensing cost and operations staff to manage it. For remote users on less-than-ideal networks, the user experience of DaaS can be painful. Now you’re adding extra help desk calls on top of an already costly solution. What if we could get all the benefits of a managed, secure, and isolated platform without the high costs of VDI or DaaS? 

Now we can solve all three with Island, The Enterprise Browser. 

First, the Enterprise Browser eliminates the need for a system-level endpoint agent on a personal device. By enforcing security and management policies in the browser itself, all critical web apps and data are secure. Last-mile controls keep data in the browser, stopping data leakage and keeping business and personal data separate. Users keep their personal privacy and you get the security controls you need. No endpoint management agent required. 

Next, the Enterprise Browser eliminates the need for DaaS or legacy VDI. On top of the security controls mentioned above, the Enterprise Browser protects against web-based browser exploits, phishing scams, man-in-the-middle attacks, malware, and more. Instead of adding multiple security agents, or virtualizing the desktop and all its apps, The Enterprise Browser addresses the root cause of web vulnerabilities: the web browser itself. You get more granular control and visibility than with VDI or DaaS, without the cost and complexity. 

Last, the Enterprise Browser is already familiar to users. It’s based on Chromium, the same as Chrome, Edge, and other modern web browsers. The user interface is the same and every web app functions exactly as expected. And unlike DaaS, it’s running locally on their computer, so performance is excellent. 

The Island Enterprise Browser is a unique approach that resolves several common problems that hold back BYOD. To learn more about how Island can deliver a better BYOD experience, contact us. 

Supporting Legacy Web Apps in the Modern Era


June 22, 2022
Tad Johnson

2022 marks the end of the Internet Explorer era, with Microsoft ending all support for IE11. While it’s no surprise that modern browsers like Chrome, Edge, and Safari have replaced the legacy Internet Explorer, there are still many organizations who rely on legacy web apps developed years ago and seldom updated. These legacy tools are often critical to some business process and difficult to replace (hence why they’re still in use today). 

1. Add Multi-Factor Authentication (MFA)

Many legacy web apps were built before MFA was a common practice. Refactoring the login and authentication flow to support MFA is a daunting task for old, brittle code. So, while it’s a universal best practice to use a second factor during authentication, it may be impractical if not impossible.

The Enterprise Browser can change that: the browser integrates with your enterprise Identity Provider so every user is identified and authenticated with as many factors as you like. You can go further and require a one-time code when a user navigates to a web app–giving you the security benefits of multi-factor authentication without touching the legacy source code.

2. Access shared credentials without disclosing passwords

Another challenge for legacy apps is managing shared credentials. In an ideal world, every user would use their own credentials to authenticate; in practice it’s not uncommon for legacy systems to rely on a shared administrator account. When common credentials are shared among several users, you lose visibility and control over user access. And revoking credentials for a user when they leave the organization can be inconvenient (or worse, left undone).

The Enterprise Browser can help: you can store shared credentials securely and make them available to specific users or groups. When the user reaches a login page, the browser will offer to auto-fill the credentials. Unlike using a shared password manager, the actual password is never disclosed to the user. Since every user is identified within the browser, you get an accurate record of every user and every login event where shared credentials are used. Password rotation is much easier, with a single place to update in the Island management console. And revoking credentials is as simple as removing that user from the access list in your IdP.

3. Support Internet Explorer 11 compatibility

As published by Microsoft:

The Internet Explorer (IE) 11 desktop application ended support for Windows 10 semi-annual channel on June 15, 2022. Customers are encouraged to move to Microsoft Edge with IE mode. IE mode enables backward compatibility and will be supported through at least 2029.

In global web browser market share, Edge holds about 4% behind Safari (20%) and Chrome (63%). Rolling out Edge with IE mode is a sizable effort for a rather limited benefit. It doesn’t answer either of the issues addressed above, so MFA and shared credential challenges remain unsolved.

The Enterprise Browser is a better choice: it’s built on the same Chromium browser engine as Edge or Chrome, so it looks and feels familiar. It offers IE11 compatibility mode so you can run legacy web apps in a separate tab, and it can solve the other legacy web app challenges listed above. Of course it doesn’t stop there–The Enterprise Browser is built for the modern workplace with security and user productivity in mind.

5 Myths of the Enterprise Browser


June 7, 2022
Tad Johnson

The Enterprise Browser is just another flavor of remote browser isolation (RBI)


The Enterprise Browser achieves the same outcomes as RBI — protecting against malicious code execution, phishing attempts, and dangerous file downloads — but does so from within the browser itself. This means no added latency for the user and much less complexity for the organization. And unlike RBI that only isolates a fraction of web activity, The Enterprise Browser by definition protects all web activity.

Takeaway: Island, The Enterprise Browser, keeps all web-based work fundamentally secure—without the cost and complexity of a full RBI implementation. 

The Enterprise Browser is just another web security tool 


While the Enterprise Browser delivers end-to-end security for web applications and their data, it’s so much more than that. By operating inside the browser presentation layer, it provides granular, “last-mile” controls such as screen capture, copy/paste, and download/upload control, or sensitive data redaction. But it doesn’t stop there: it also enhances any web app with robotic process automation (RPA), such as adding MFA to legacy web apps or placing additional approval steps for mission-critical workflows. And all data flows directly into your SIEM for detailed visibility and forensic analysis.  

Takeaway: Island takes an entirely different approach to security that goes beyond the network or content layer to inspect and modify web apps at rendering time, opening a range of possibilities far beyond other security tools. 

The Enterprise Browser requires a managed device for policy enforcement  


The Enterprise Browser secures access to web apps and content on any device, managed or not. It knows the posture of the device it’s running on and enforces policies accordingly. For example, the Enterprise Browser can redirect file downloads from an unmanaged device to in-browser secure storage to prevent data leakage. Many organizations are using the Enterprise Browser in place of more complex VDI or DaaS implementations to give contractors or BYOD users secure web access. Whether it’s running on an unmanaged or managed device, the full power of the Enterprise Browser remains intact.  

Takeaway: Island secures access to web apps & content, regardless of where it’s installed, with a deployment mode that’s far less complex than VDI or DaaS. 

The Enterprise Browser is a locked-down secure browser


While the Enterprise Browser provides secure-by-design access to web apps, it’s built with the same familiar browsing experience that users already know and love. Policies are context-aware, so the security controls that keep sensitive data secure and enterprise apps protected are only applied where they’re needed. Unlike single-purpose secure browser products, the Enterprise Browser is often used as the default browser for all web access. 

Takeaway: Island pairs enterprise security & management policies with a granular enforcement engine so the important apps and data are always protected without sacrificing browser speed or user experience.

Existing browsers already have enterprise features


The enterprise features offered by popular consumer-oriented browsers like Google Chrome and Microsoft Edge are significantly limited and only skin deep by nature. For example, the controls offered are only applicable at the device level, which means policies are by definition applied to all web apps, leaving no room for granular policy enforcement. And most essential enterprise features are missing entirely, such as device posture assessment for tailoring policy management, or inserting browser-based RPA to enhance web app functionality.

Takeaway: Existing browsers offer few, limited, and surface-level enterprise features that were not designed to address the wide-ranging needs of the enterprise. The Enterprise Browser, however, offers comprehensive control, visibility, and governance over all browser behavior, delivering a level of security that was previously unimaginable.


It may seem easy at first glance to confuse the Enterprise Browser with some familiar solutions we’ve seen over the years. But dig deeper, explore what the Enterprise Browser has to offer, and the truth comes out - changing this one thing really does change everything. 

Chromium Internals 101


June 7, 2022
Peleg Wainberg

What is Chromium?

As described in the Chromium project's official site:

Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web

Technically, Chromium is the name of the project, and is not referred to in the code. The product itself is Chrome, not to be confused with Google’s browser named Google Chrome.

Over the years, the Chromium project became more than just a browser. It’s a powerful web platform that can be used in many ways to build different products (Electron, Chromecast, etc). It even became an integral part of an OS (Chromium OS).

Chromium is one of the largest codebases in the world, and it runs almost everywhere. It is developed mostly in C++, but already includes some Rust, TypeScript and more.

Basic concepts / Terminology

Before we begin, let’s set some common terms which anyone interested in Chromium must know.

Process model

One of the most commonly known facts about Chromium based browsers is that they have lots of processes. But why are they all needed?

First of all, for security reasons. If we run all of our code in the same process, exploiting one part can lead to code execution all over the browser. It’s harder to isolate threads, so the browser leverages the operating system’s features and isolates processes instead. In Chromium, a renderer doesn’t run in the main browser process. Different sites run in different renderers, which live in different processes. Also, different types of processes have different privileges, and some processes are sandboxed. This makes exploiting the browser much harder, as in most cases you will have to chain multiple vulnerabilities in order to gain control of the whole browser.

This separation is also good for the user’s experience. As more “services” or logical components are moved out of the browser process, it is more likely to recover from errors and crashes - it might be possible to just relaunch the service seamlessly. To be as fast as it can, it uses more operating system resources.

Process Types

So what kind of processes do we have? Here are some notable examples:

  1. The browser process - The main broker of the engine. It is not sandboxed, provides capabilities via its interfaces and acts as a broker between different processes.
  2. Frame/Tab processes - The renderer of the tab itself. In Chromium, a different renderer instance is created per frame (tab, iframe, etc.), usually in its own process.
  3. Utility/Service processes - Provide specific capabilities as a service. The network service is an example of such a process, and it's responsible for, as you can guess, network operations.
  4. Extension processes - Each extension runs in its own process.

And of course there are more.

You can view your own browser’s processes by opening the browser’s task manager:

In this example, we can see a browser with 2 tabs. It has a browser process, some utility processes, a tab process for each tab and an extension process.
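
Outside the task manager, the same process types can be recognised from process command lines, which is what process-audit and EDR telemetry record. The following is an added example, not code from the original post: it classifies a constructed process snapshot and reports processes started with the sandbox switched off. The switch names `--type`, `--utility-sub-type`, `--extension-process` and `--no-sandbox` are Chromium switches the post itself does not mention, so treat them as assumptions to verify against the build you monitor.

```python
import shlex
from collections import Counter

# Constructed process snapshot: (pid, command line). Paths and values are made up.
SAMPLE_SNAPSHOT = [
    (100, "/opt/example-browser/chrome --profile-directory=Default"),
    (120, "/opt/example-browser/chrome --type=gpu-process"),
    (130, "/opt/example-browser/chrome --type=utility "
          "--utility-sub-type=network.mojom.NetworkService"),
    (140, "/opt/example-browser/chrome --type=renderer --renderer-client-id=5"),
    (150, "/opt/example-browser/chrome --type=renderer --renderer-client-id=6"),
    (160, "/opt/example-browser/chrome --type=renderer --extension-process"),
    # A second browser instance that was launched with the sandbox disabled.
    (200, "/opt/example-browser/chrome --no-sandbox"),
    (210, "/opt/example-browser/chrome --type=renderer --no-sandbox"),
]


def parse_switches(cmdline):
    """Return {switch: value} for every --name or --name=value argument."""
    found = {}
    for arg in shlex.split(cmdline):
        if arg.startswith("--") and len(arg) > 2:
            name, _, value = arg[2:].partition("=")
            found[name] = value
    return found


def classify(cmdline):
    """Map one command line to a process type from the list above."""
    sw = parse_switches(cmdline)
    ptype = sw.get("type")
    if ptype is None:
        return "browser"              # the broker process carries no --type
    if ptype == "renderer":
        # Extension processes are renderers with an extra marker switch.
        return "extension" if "extension-process" in sw else "renderer"
    if ptype == "utility":
        sub = sw.get("utility-sub-type", "")
        return "utility:" + sub if sub else "utility"
    return ptype                      # gpu-process and any other type, as-is


def summarize(snapshot):
    """Return (Counter of process types, pids that run with --no-sandbox)."""
    counts = Counter()
    unsandboxed = []
    for pid, cmdline in snapshot:
        counts[classify(cmdline)] += 1
        if "no-sandbox" in parse_switches(cmdline):
            unsandboxed.append(pid)
    return counts, unsandboxed


if __name__ == "__main__":
    counts, unsandboxed = summarize(SAMPLE_SNAPSHOT)
    for kind, n in sorted(counts.items()):
        print(f"{kind:45} {n}")
    print("processes started with --no-sandbox:", unsandboxed)
```
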

So we’ve got different logics in different processes, and some of them are tightly restricted. But how do they work together? If tabs are sandboxed and cannot access most of the operating system’s features, how can we listen to music or download files? It all starts with a bit of mojo.


Mojo is a platform-agnostic collection of runtime libraries, providing inter process communication primitives, a messaging format and a binding system. To make it simple, it allows components (within the same process or not) to communicate with each other over predefined messages, in different languages.

Mojo is the successor of a legacy IPC system, which barely exists as most code was migrated. Nowadays, the different components of Chromium communicate with each other almost only using Mojo. That way, when we upload a file, the renderer process asks the browser for the file’s contents - and the renderer doesn’t need to actually access the filesystem.

Mojo is relatively similar to other IPC systems, but is unique for its ability to pass object handles - such as file descriptors and file handles. It also allows validations that the browser uses for security (e.g. it doesn’t allow passing file path objects if the receiver might not have permissions to it now or later on).

Mojo's top level design, taken from the official documentation

Blocking/Non blocking threads

In order to maintain a fluid user experience, the browser doesn’t allow blocking/synchronous operations to run everywhere. It would be a shame if the entire UI froze while the browser tries to write a file, or while a single tab waits for a server response.

Any blocking task that runs in the browser must be marked as such, and it usually runs in a dedicated thread. Blocking APIs always validate that they run in a context that allows blocking.

In the browser process itself there are different UI and IO threads.

Extensions and applications

Chromium provides interfaces which allow third parties to extend the browser and provide non-generic features to the browser. Extensions are the best-known interface, but others exist as well.

Extensions and apps should be downloaded from the official store, but can practically be downloaded and installed from anywhere else.

Chromium provides APIs for such components, making them more powerful and versatile. You can read more about it here. They are developed in JavaScript (or any other language that can be transpiled to JavaScript).

An extension is defined via a manifest file. In this file it declares the permissions it requires, its scripts and in which tabs to inject them, what resources it needs, some metadata and more. An extension is limited in regard to what it can and cannot access, and it must ask for specific API permissions in the manifest (e.g. - storage, bookmarks, …).

Extensions can run two types of scripts - background and content. Background scripts run in the extension’s process, have access to the chrome API and in general have more capabilities. Content scripts are injected into the requested tabs and can access them. Background and content scripts can communicate with each other and work together.

Web platform or a browser?

While for the end user Chrome is the entire product, the project is actually built as a framework and a specific implementation of it.

The framework, often referred to as the web platform or the web engine is the multi-process sandboxed browser platform itself. It includes the rendering engine, interfaces for all supported features, most of the services and components of the browser and more. Think about it as a browser library.

Chrome is the product itself, the browser built atop the web platform - the UI, implementations of platform interfaces, browser specific logics and so on. It uses the framework’s library, implements some of its interface and “makes it an app”.

While the two were separated for code health reasons, it also allowed new opportunities such as creating other products on the platform - such as Electron, Chromecast and others.

In the code, all of Chrome’s code is under src/chrome, while the platform’s code is under src/content.


Great, you’re ready to dive deep into Chromium’s internals! We’ve learned what Chromium is, covered some basic concepts and set a common ground. In future blogs, we will move on to explore various features and areas in the project. Stay tuned!


  1. Chromium's official site
  2. Chromium's official documentation
  3. Chrome University

Extensions in Chromium and where to find them


May 24, 2022
Michael Maltsev

Chromium extensions provide a way of customizing the web-browsing experience by adding extra functionality to the browser. The straightforward way of loading an extension in Chromium is by installing it via a supported extension store. But that’s not the only way. An extension can also be loaded from a folder on the computer, via the registry, or via admin policies. Some extensions, called component extensions, are an integral part of the browser which happen to be implemented as extensions.

For each loaded extension, Chromium keeps track of its source location type, which affects the way the extension is treated. For example, component extensions are not displayed on the extensions page (chrome://extensions) and have some extra privileges.

In this post, we’ll take a closer look at where inside Chromium extensions are found, and why their location matters.

The ManifestLocation enum

The ManifestLocation enum is defined in the manifest.mojom file in the Chromium source code, and at the time of writing, it has 10 valid values. The enum is preceded by a short explanation comment:

Historically, where an extension was loaded from, and whether an extension's files were inside or outside of the profile's directory. In modern usage, a Location can be thought of as the installation source: whether an extension was explicitly installed by the user (through the UI), or implicitly installed by other means. For example, enterprise policy, being part of Chrome per se (but implemented as an extension), or installed as a side effect of installing third party software.

Here are the 10 values and comments from the source code which provide a short explanation:

The location rank

The values in the ManifestLocation enum are ordered chronologically, with each newly added value added to the end of the list. I found it more convenient to order the values by their rank. The GetLocationRank function, implemented in, assigns a rank to each ManifestLocation value in order to be able to decide which extension to load if there’s an extension of the same id in different locations. The rank has a good correlation with the privileges that are given to the extensions from the corresponding location.

Here are the ranks along with short comments which can be found in the source code:

In addition to the rank values, the ranking function divides the 10 ManifestLocation values to 5 groups, which helps get some extra intuition about the values and the way the browser treats them.

Listing installed extensions

Before we begin looking at the different extension types, let’s tackle another basic question - how do we list all of the installed extensions and their location values? There’s the extensions page (chrome://extensions), but as we mentioned, not all extensions are displayed on it, and it also doesn’t show the location values.

One way to see all enabled extensions, including component extensions, is to navigate to chrome://system and look at the extensions row. Another way to see component extensions is to run Chromium with the --show-component-extension-options command line switch which will show them on the familiar extensions page (chrome://extensions). But those two methods still don’t give us enough information. Specifically, we still can’t see the location value of each extension.

To get full visibility, we can look directly at the information in the user profile folder. The “Secure Preferences” file contains the information we need. For Chrome on Windows, the file for the default profile is located in the following folder:

%localappdata%\Google\Chrome\User Data\Default

The file is a JSON file containing, among other details, the list of installed extensions for the profile which can be found under extensions.settings. For each extension, the key of the entry is the extension ID, and one of the properties is “location”. The location value is a number corresponding to the ManifestLocation enum defined in the manifest.mojom file.

For example, Google Chrome comes bundled with a component extension called Google Hangouts, and we can see the following entry for it in the Secure Preferences file:

This tells us that the location value of Google Hangouts is kComponent. The path parameter is also interesting - we can see that the extension is loaded from the readonly installation folder of Chrome, not from the profile folder.

After installing vanilla Google Chrome (version 97.0.4692.71) on Windows 10, here’s what I got under my profile:

Note that 4 extensions are visible on the extensions page, but in fact 14 extensions are installed.
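
The lookup described in this section and the rank order from the previous one, combined into a small audit script. This is an added example, not code from the post or from Chromium: the numeric enum values are taken from Chromium's manifest.mojom as an assumption to re-check against your version, the group labels and the review rule are choices made here, and the sample profile data is constructed.

```python
import json
from pathlib import Path

# Numeric ManifestLocation values. Assumption: copied from Chromium's
# manifest.mojom, not from this page; re-check them for the version you audit.
MANIFEST_LOCATION = {
    0: "kInvalidLocation", 1: "kInternal", 2: "kExternalPref",
    3: "kExternalRegistry", 4: "kUnpacked", 5: "kComponent",
    6: "kExternalPrefDownload", 7: "kExternalPolicyDownload",
    8: "kCommandLine", 9: "kExternalPolicy", 10: "kExternalComponent",
}

# Highest rank first, in the order the post walks through the locations.
# The group labels are this example's own names for the five groups.
RANKED = [
    ("kComponent", "browser"), ("kExternalComponent", "browser"),
    ("kExternalPolicy", "policy"), ("kExternalPolicyDownload", "policy"),
    ("kCommandLine", "developer"), ("kUnpacked", "developer"),
    ("kExternalRegistry", "external"), ("kExternalPref", "external"),
    ("kExternalPrefDownload", "external"),
    ("kInternal", "user"),
]
# Only the relative order matters here; larger number means higher rank.
RANK = {name: len(RANKED) - 1 - i for i, (name, _) in enumerate(RANKED)}
GROUP = dict(RANKED)

# Review rule (a choice made here): developer-loaded, externally sideloaded
# and unrecognised locations get a second look.
REVIEW_GROUPS = {"developer", "external", "unknown"}


def load_secure_preferences(profile_dir):
    """Read the "Secure Preferences" JSON file from a profile folder."""
    with open(Path(profile_dir) / "Secure Preferences", encoding="utf-8") as fh:
        return json.load(fh)


def list_extensions(secure_prefs):
    """Return one record per entry under extensions.settings, highest rank first."""
    settings = secure_prefs.get("extensions", {}).get("settings", {})
    records = []
    for ext_id, entry in settings.items():
        raw = entry.get("location")
        location = MANIFEST_LOCATION.get(raw, "unknown(%r)" % (raw,))
        manifest = entry.get("manifest") or {}
        records.append({
            "id": ext_id,
            "name": manifest.get("name", "<no manifest in prefs>"),
            "location": location,
            "rank": RANK.get(location, -1),
            "group": GROUP.get(location, "unknown"),
            "path": entry.get("path", ""),
        })
    records.sort(key=lambda r: (-r["rank"], r["id"]))
    return records


def needs_review(record):
    return record["group"] in REVIEW_GROUPS


# Constructed sample shaped like extensions.settings; IDs, names and paths are made up.
SAMPLE_PREFS = {"extensions": {"settings": {
    "a" * 32: {"location": 5, "manifest": {"name": "Example Component"},
               "path": r"C:\Program Files\ExampleBrowser\resources\example_component"},
    "b" * 32: {"location": 1, "manifest": {"name": "Example Store Extension"},
               "path": "b" * 32 + r"\1.2.0_0"},
    "c" * 32: {"location": 3, "manifest": {"name": "Example Registry Sideload"},
               "path": "c" * 32 + r"\0.9_0"},
    "d" * 32: {"location": 4, "manifest": {"name": "Example Dev Build"},
               "path": r"C:\Users\dev\src\example-extension"},
    "e" * 32: {"location": 7, "manifest": {"name": "Example Policy Extension"},
               "path": "e" * 32 + r"\3.0_0"},
    "f" * 32: {"location": 42, "path": "f" * 32 + r"\1.0_0"},
}}}

if __name__ == "__main__":
    # For a real profile: list_extensions(load_secure_preferences(profile_dir))
    for rec in list_extensions(SAMPLE_PREFS):
        flag = "REVIEW" if needs_review(rec) else "ok"
        print(f'{flag:6} {rec["location"]:24} {rec["id"]} {rec["name"]}')
```
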

Extension types

The post wouldn’t be complete without mentioning extension types. Chromium defines another enum called Type, defined in manifest.h, which contains the following values at the time of writing:


The logic that determines the extension type is implemented in the GetTypeFromManifestValue function in That’s the reason why, for example, the Slides extension was visible on the extensions page for me, but the YouTube extension wasn’t - the former is of type TYPE_EXTENSION, while the latter is of type TYPE_HOSTED_APP (and is visible on chrome://apps).

In this post, we’ll be focusing on extensions of type TYPE_EXTENSION.


kComponent

As a reminder, here’s what the comment in the ManifestLocation enum says about kComponent:

An integral component of Chrome itself, which happens to be implemented as an extension. We don't show these in the management UI.

Component extensions are registered to be loaded by the AddDefaultComponentExtensions function in, and loaded by the AddComponentExtension function in The list of component extensions is predefined in the code, and can’t be changed without changing the code and recompiling the browser. The extensions themselves are loaded from the browser installation folder, not from the profile folder, and don’t change unless the browser changes, e.g. on a browser update. That means that component extensions don’t update independently like regular extensions do.

As an example, here’s the commit that adds the Google Network Speech component extension.

It can be useful as a reference for adding your own component extension to Chromium.

Regarding special treatment of the browser for component extensions, you can find several such code snippets in the source code by looking for “kComponent” and “IsComponentLocation” around the code. Here are a couple of examples:

Note: Confusingly, in addition to component extensions, Chromium has something completely unrelated called components. Components are listed in chrome://components, and are bundles of files, usually dynamic libraries or data files, which are updated separately from the browser itself. To add to the confusion, components are distributed in .crx files, but they have nothing to do with extensions.


Before proceeding to kExternalComponent, there are details that are common to all kExternal* values. Extensions for all 6 kExternal* values (kExternalComponent, kExternalPolicy, kExternalPolicyDownload, kExternalRegistry, kExternalPref, kExternalPrefDownload) are loaded by loaders which are specialization classes of the ExternalLoader class. Those loaders are used by instances of ExternalProviderImpl that pass the loaded extensions to an installation service. The extensions are eventually loaded by the CheckForExternalUpdates function in

Each external provider can provide extensions in two ways: Extensions originating from .crx files, and extensions originating from update URLs. The external provider is initialized with a location type for each of the two ways, which the installed extension will end up being marked with.

Here is the rough list of extension loader specializations and their location values. ChromeOS-specific and other OS-specific cases are not included.

It’s interesting to note that kExternalPolicy is not present in the table. It’s only being used in ChromeOS.


kExternalComponent

The comment from the ManifestLocation enum:

Similar to kComponent in that it's considered an internal implementation detail of chrome, but installed from an update URL like the *kDownload ones.

External component extensions are registered in the StartLoading function in The registration sets the extension IDs and the extension store URL to be used for installing the extensions.

Like with component extensions, the browser has special treatment for external component extensions. You can find relevant snippets in the source code by looking for “kExternalComponent” and “IsComponentLocation”.


kExternalPolicy

The comment from the ManifestLocation enum:

A crx file from an external directory (via admin policies), cached locally and installed from the cache.

As was already mentioned, the kExternalPolicy location is only used in ChromeOS.


kExternalPolicyDownload

The comment from the ManifestLocation enum:

A crx file from an external directory (via admin policies), installed from an update URL.

kExternalPolicyDownload extensions are registered in the StartLoading function in Two instances of ExternalPolicyLoader are created, one for forced extensions (that can’t be disabled) and one for recommended extensions.

Like with other location types, the browser has special treatment for policy extensions. You can find relevant snippets in the source code by looking for “kExternalPolicyDownload” and “IsPolicyLocation”.


kCommandLine

The comment from the ManifestLocation enum:


Extensions that are loaded by using the --load-extension command line switch are marked with the kCommandLine location. They are loaded by the LoadExtensionsFromCommandLineFlag function in, which delegates the loading to UnpackedInstaller which loads the extensions from their target folders.

The browser has special treatment for extensions which are loaded unpacked. You can find relevant snippets in the source code by looking for “IsUnpackedLocation”. There are also a few places with special treatment specifically for “kCommandLine”.


kUnpacked

The comment from the ManifestLocation enum:

From loading an unpacked extension from the extensions settings page.

Extensions that are manually loaded from a folder for development are marked with the kUnpacked location. They are loaded by the FileSelected function in, which delegates the loading to UnpackedInstaller which loads the extensions from their target folders. They are also reloaded by the LoadExtensionForReload function in on browser launch.

The browser has special treatment for extensions which are loaded unpacked. You can find relevant snippets in the source code by looking for “IsUnpackedLocation”.


kExternalRegistry

The comment from the ManifestLocation enum:

A crx file from an external directory (via eg the registry on Windows).

kExternalRegistry is a Windows-specific location for extensions that were loaded from a local .crx file via the registry as specified here: Pre-installed Extensions (Pre-installing via the Registry). The extensions are registered in the StartLoading function in

Note: Extensions that were loaded from a URL (and not a .crx file) via the registry as specified here: Alternative extension distribution options (Using the Windows registry) are registered with the kExternalPrefDownload location, not kExternalRegistry.


kExternalPref

The comment from the ManifestLocation enum:

A crx file from an external directory (via prefs).

kExternalPref is a location for extensions that were loaded from a local .crx file via the browser preferences as specified here: Alternative extension distribution options (Using a preferences file). The extensions are registered in the StartLoading function in Two instances of ExternalPrefLoader are created, one for the system-wide preferences and one for the per-user preferences. kExternalPref is not used on Windows (except for ExtensionMigrator which is a specific migration case).

Note: Extensions that were loaded from a URL (and not a .crx file) via the browser preferences as specified here: Alternative extension distribution options (Using a preferences file) are registered with the kExternalPrefDownload location, not kExternalRegistry.


kExternalPrefDownload

The comment from the ManifestLocation enum:

A crx file from an external directory (via prefs), installed from an update URL.

kExternalPrefDownload is a location for extensions which were loaded from an update URL via the registry (Windows) or via the browser preferences (non-Windows). See kExternalRegistry and kExternalPref for more information.


kInternal

The comment from the ManifestLocation enum:

A crx file from the internal Extensions directory. This includes extensions explicitly installed by the user. It also includes installed-by-default extensions that are not part of Chrome itself (and thus not a kComponent), but are part of a larger system (such as Chrome OS).

Except for a couple of specific cases, kInternal extensions are the common, regular extensions that are installed by the user from the extension store.


In this post, we went over the extension locations that Chromium defines and uses. We looked at when and where they’re used, and how they affect the way the browser treats the extensions.

How software teams avoid death by hypergrowth


May 20, 2022
Alon Biran

We were building a really big product, and we knew we needed to do it right from the start and keep it right at scale, no matter how many engineers we onboard. 

We knew the code itself was less important, as it would change frequently, but building a mechanism that would allow us to move fast while continuously onboarding people was critical. And because of that, we decided to invest in building the right infrastructure.

Here are the five main areas we focused on to successfully launch Island.

Create consistency by systemizing the development of new services

We wanted the code to look similar across the system, so we made a skeleton of how a microservice looks, how an extension “service” looks, and made sure they were similar to each other. This made diving into any code and things like code reviews much simpler. It also enabled us to get into someone else’s code very quickly, easily, and confidently, since all of the code looked similar. Naturally, we didn’t want to create a big boilerplate for each service, so we wrapped it in generators and Jenkins jobs to create the code as easily as deploying it. Today, populating a new service takes less than a day and is mostly automated. Engineers focus on the business logic rather than how to install dependencies, or how the code structure should look.

And of course, in the specific cases where you want to deviate from the template, it is obvious that a discussion is needed around it.

Ensure the highest standard of quality with ongoing tests, coverage, automation, & CR

We then understood that, while we wanted to move fast and release features in rapid phases, our releases had to be of the highest quality and remain that way. Maintaining this high-quality standard was extremely important because the browser is such a crucial tool for everyone – bugs could negatively impact our customer’s productivity – and because of that we kept progressing without letting ourselves get “stuck in the mud” with a lot of regression bugs.

First, we had a rule: No code goes unreviewed. Every piece of code must be reviewed by at least one person from the team. Every feature, every bug, every configuration file, even every typo fix. In specific cases we even added code owners to make sure only the code they approve makes it into the product.

Second, we added CI in the form of GitHub Actions to enforce a specific style, test coverage, a clean build and code quality (no warnings etc.). While coverage does not always point to quality, it at least forced the engineers to think about what they wanted to test and how.

Here’s a nice graph on how our coverage looked after we started enforcing it. When we started back in Jan ‘21 we were at around 80%, eventually making it to 97%.

In addition, we invested heavily in automation from the beginning. This gave us the ability to test features E2E and keep ourselves accountable for their stability and consistency, while always improving our ability to understand and debug issues on a given PR.

Here is an example of our Grafana presenting the automation success rate:

Another good example is our per-test fail ratio & build time, for monitoring which tests are giving value, which are not, and of course which are slowing us down:

Make gradual deployment easy with feature flags

Deploy, deploy, deploy. Since we use our own browser on a daily basis, we wanted to make sure engineers are comfortably deploying multiple versions a day while maintaining a high level of quality. Instead of canary or blue-green deployments style, we wanted to make sure our deployment strategy fits the Island company strategy – lots of engineers moving at a very fast pace. We chose a strategy to keep deploying and keep testing in production while having granular control on how each feature behaved. For that, we chose to use feature flags. Each development, each feature can be controlled by a feature flag (not only boolean, but every variation of a parameter) and each feature is gradually deployed among customers as well. 

First we deploy features to our own browsers, then we deploy them to our demo segment and sales engineering. Afterwards we deploy them to specific customers (beta customers, early stage adopters) and finally to all customers. This strategy allowed us to control the quality of releases while getting continuous feedback from both internal and external users and our internal tools and metrics. In addition, it allowed our product managers to have granular control over the product and its deployment, and to decide how and when they wanted to present it to the customer instead of having to depend on engineering. Of course, we’ve added granular control flags in both unit-tests and E2E automation in order to ensure the system is working in all kinds of variations.

I suggest this strategy to any early stage startup wanting to move fast while maintaining high quality.

Invest in onboarding as much as your code

As we planned on continuously onboarding engineers, we made sure everything was well documented so a clear plan was presented to each engineer as they joined. Of course, like most companies, we assigned each new engineer a ‘buddy’ to guide them along the onboarding process. Our initial goal with onboarding was to have an engineer fully ramped up with all of our tech and be ready to insert code into the product by the time onboarding was finished. The engineer received a clear checklist of what needed to be done and what exercises were to be completed. There would be planned checkpoints between each technology, that included a sync with his/her assigned buddy where they’d show what they worked on. In addition, the engineer would add a module that improved the life of the day-to-day work of the developers, followed by a “kudos” shared with the whole company from his/her buddy to celebrate what the new team member achieved in such a short time. 

What’s important to understand is that onboarding is not a static, one-time, “check the box” creation. It’s an ongoing process.

Every new employee joining the Island team improves and fixes the onboarding flow as we go, in case something is wrong or no longer relevant. In addition, we do a retrospective with the engineer and his/her buddy, and see what other items we need to add to the onboarding. For example, our onboarding originally focused only on technology. But over time, we added architecture sessions, product functionality overview, automation and other areas.

Create visibility into your production environment via monitoring & alerting

Finally, you can’t keep the flow without visibility and alerting. We added logs everywhere and set up alerts to dedicated Slack channels on every error. We assigned a “developer on duty” to continuously investigate bugs and improve our monitoring infrastructure. We added dashboards to ensure quality as well as user experience, which measured latency of calls, time of browser events as well as error rate and uptime of production cloud services, all alerting into Jira.


It’s important to make a conscious effort to recognize when your organization is in scale mode. Every tiny decision is important, even the small stuff like how you organize a specific file in the development environment file system or taking the time for a regular retro with new employees. 

Find a way to create an environment where quality is top priority but does not cause fear of deploying and merging. Enable the tools your engineers need to deploy their code comfortably while putting strict methods in place for having granular control over what is deployed and when, as well as ensuring overall quality. In addition, engaging product leadership to understand those decisions will create a healthy work environment while enabling the speed and velocity you need for early stage start-ups aiming to grow fast.

Solving Critical SaaS Vulnerability with an Enterprise Browser


April 26, 2022
Jason Trunk

SaaS and corporate web apps present challenges to the enterprise many have not considered. The process of signing up and migrating critical business operations to the cloud is fast, easy and can add remarkable value, but comes with a tradeoff that’s not always obvious. These apps can increase an organization’s vulnerability to cybersecurity risk. Due to the nature of the web and traditional web clients (browsers), there is simply not an adequate level of data protection or governance.

Given the massive adoption of SaaS and web apps, this presents an urgent problem. Organizations are operating with thousands of apps, sanctioned and unsanctioned, and often have thousands of employees across myriad departments with their own needs. The need to create constant exceptions to give workers what they require creates massive complexity, along with equally massive risk.

In other words, the present situation is a colossal headache for IT departments.

Here’s the good news: we’ve solved this problem by creating an innovative new product category: the world’s first Enterprise Browser.

A Simple, Elegant Solution for Data Protection and Governance

The web browser is now an integral part of the business technology landscape. Yet browsers were never meant to be enterprise tools. Conventional browsers may work beautifully, but they are a consumer product at their core.

Pressing a consumer-grade tool into enterprise service comes with a slew of security complications. You can’t see how users interact with data within a browser. They can print screens, copy and paste data, and take screen snapshots, a full range of potentially compromising actions into which organizations have minimal visibility.

There have been attempts to address this problem by bolting on tools such as web gateways and Cloud Access Security Brokers (CASBs). These approaches have always failed because these tools are cumbersome and do not offer fine-grained control, creating an ongoing governance mess.

These failures led us to pose a fundamental question: what if we approached this problem of control and governance directly in the browser?

Marrying Enterprise-Grade Security with Consumer-Grade Usability and Performance

Role-Based Access Controls (RBAC) associated with some apps provide a level of control, but they can’t do the one thing that enables effective governance: assert control over the right app, at the right time, for the right user.

An Enterprise Browser can do this by checking device posture during user logins to ensure trusted devices are being used to access critical SaaS apps. An Enterprise Browser allows you to create policies to block things like screen printing, cut & paste into non-approved destinations, or sharing information over web conferencing.

Additionally, you can use an Enterprise Browser to redact sensitive data types within applications via browser-based Robotic Process Automation (RPA) or enable deep audit logging to see every action a user has taken. An Enterprise Browser can also encrypt cookies to protect app sessions from intrusion, scan for malware, or create policies governing data storage and enhance privacy.

This gives you everything you need to make data protection and governance headaches a thing of the past.

While SaaS and Web apps have seen extraordinary adoption and delivered numerous benefits, cyber-risk and unstructured governance have hitched along for the ride. Creation of the enterprise browser is the breakthrough that IT departments urgently need to solve this long standing problem.

For a more in depth article on protecting critical SaaS and web apps using an enterprise browser, click here.

Navigating the Challenges of Contractor and Third-Party Access

April 11, 2022
Bradon Rogers

It’s been impossible to miss the recent cybersecurity incidents involving contractors and third-party access to organizational resources. While these headlines are hardly new, their impact is now exponentially more serious given the major shift to hybrid work, paired with mixed cloud and on-premises hybrid architectures.

Contractors and third parties often serve as the functional backbone of many operations. In some cases, they are individuals performing a specific function. In others, it’s a third-party organization performing an entire function like logistics management or HR. To ensure at least a basic level of security, organizations typically ask them to legally attest to their understanding of their responsibilities toward protecting the critical resources they are given access to. This may also involve rigorous inspection of the contractor’s controls and resources. But given the urgency of many contractors’ work, these inspections are often treated as a mere “checkbox.” Whether or not speed is needed, it’s a given that onboarding contractors and third parties is slow, expensive and cumbersome. Here’s why.

Third parties need to be granted access to an organization’s critical systems just to do their jobs, which organizations typically do using one of these two approaches:

  1. They allow third parties to use their own devices 
  2. They ship a company-owned device that the contractor or third party must use to access these systems and fulfill their duties

Both approaches involve different complexities and levels of risk that cause unnecessary pain on both sides. Let’s take a closer look:

Unmanaged Contractor and Third-Party Devices

As uncovered in recent news stories, third parties very often use their own devices. The advantages of this approach are fairly obvious. Allowing these resources to use personal devices saves time, reduces onboarding costs and allows the third-party’s resources to operate in a familiar environment, which significantly speeds up productivity.

But this approach has its downsides as well. It requires giving individuals account credentials to the systems (VPNs, Virtual Desktops, and actual applications) they need to perform their roles. Onboarding this kind of access is complex, costly, and requires ongoing attention to manage provisioning and revoking access and credentials. 

Managed Devices for Contractors or Third-Party Access

On the other hand, many organizations opt to ship a company-owned, managed and pre-configured device to the contractor or third party. The upfront cost and effort involved in buying, building, and shipping these devices at scale is immense.  Not to mention the timing - it can take a month or longer to get a single contractor up and running. It also creates a steep learning curve on the third-party’s side to integrate new devices and systems into their workflow. While ultimately this may be the less risky approach, the significant tradeoffs feel unacceptable to both the organization and the third party.

The Ongoing Effort

In both of the above scenarios, provisioning alone is a serious organizational challenge. And yet, it’s only the beginning. Ongoing governance is also necessary to ensure contractor and third-party access is limited to only the sources and systems necessary to perform the responsibilities they were hired to carry out. This requires uncomfortable architectural choices to be made to balance the often opposing forces of efficiency and risk. On a practical level, these considerations include whether to use VPN backhaul, cloud forward/reverse proxy implementations, virtual desktops, CASB, DLP, Web Gateways, or ZTNA technologies to govern third-parties safely. Unfortunately, these decisions cause complexity and costs to explode, leaving the organization vulnerable to the contractor or third-party risk.  This was made quite evident in recent headlines where the level of complexity for offshore third-party access was undoubtedly one of the core issues.

The Enterprise Browser: An Ideal Way to Onboard and Oversee Contractors

We’ve always been forced to choose between security and complexity or speed and efficiency. This is what we challenged ourselves with. A way to ensure security while enabling work. Maximum efficiency, minimum risk. And out of this challenge came the industry’s first browser built for the enterprise. Imagine, instead of all the organizational challenges, all the workers’ frustrations, all the costs and complexities, contractors or third parties just logged into a browser that had all the resources they needed waiting for them. This is what the Enterprise Browser can do for work. 

Let’s start with provisioning. For third-party organizations or contractors using their own devices, you provide a download link for the Island installer. Once the browser is installed (it takes less than a minute), you give them credentials and access privileges aligned with their role, and in seconds they begin working. The applications they need are immediately made available with no complex configurations or additional software required. And for organizations choosing to provide their own managed devices to contractors or third parties, simply include the Island Enterprise Browser in your device build, and the process is exactly the same as above.

Once the user is working on the Island Enterprise Browser, your organization’s applications and associated data are fundamentally protected. Island’s unique last mile controls allow you to easily create policies to govern application and data access. And further, it allows you to control who has privileges to add new users, who is authorized to change or copy data, and whether or not a user can download, screenshot or save content.  

You also get extraordinary visibility in a way that simply wasn’t possible before; deep forensic audit logging to keep a close watch on what these resources are doing as they do their jobs. You can even output these activities in real-time to data aggregation environments such as SIEM to monitor user behaviors and actions to quickly discover unwanted activities. Island sheds light on a unique dimension of user-based data by keeping tabs on the contractor or third-party’s actions within the browser window. 

As seen in recent news stories, the inability to govern contractor or third-party usage of key application areas was what allowed attackers to manipulate backend application areas that very well could have been out of the scope of the third-party’s work in the first place. Last-mile control and deep logging could have been the difference between identifying and preventing any sort of compromise and hunting down and remediating the problem once the damage is done. 

And while it’s essential to govern the actual contractors or third parties as they engage in critical application areas, it is equally necessary to ensure that they are protected from outsiders who might leverage them as a vulnerable attack vector in the organization. Island ensures that the browser is safeguarding the entire journey on all sides, at all times. Island delivers several key capabilities to ensure that attackers are thwarted in their attempts to use the contractor or third party as a vector of compromise.  These capabilities include:

  • Man-in-the-Middle Protection
  • Anti-tampering Protection
  • Browser Isolation
  • Malware Inspection
  • Document Isolation and Disarmament
  • Malicious and Unknown Site Categorization

These built-in capabilities ensure that the organization’s applications and the contractor or third party are always protected from attack as they perform their work.

The Bottom Line. 

Third-party contractors and resources are pervasive and the practice is growing exponentially as the gig economy and the need for hyper specialized project work expands. Companies are purposefully building this practice into their business models, making these services very often mission critical to operations. But recent compromises using this vulnerable channel threaten to either reduce the practice entirely or forcefully add more cost, complexity and inefficiency into the process.  

It is time to consider a whole new way to approach contractors and third-party access. We need to be able to get people to work quickly, and allow the organizations and people on both sides of the equation to be confident that applications, data and users are all protected. With Island’s Enterprise Browser at the core of these use-cases, you can safely and quickly get people to work, create a great user experience and be confident your data and applications are protected. 

Frost & Sullivan Thinks an Enterprise Browser is Critical for SaaS

March 29, 2022
Bradon Rogers

When was the last time you thought about your web browser?

The truth is that today's browsers are so powerful, refined and simple-to-use that we essentially take them for granted. Most people use the same browser for personal or consumer purposes and to access their work environment.

A new report from leading analyst firm Frost & Sullivan highlights the challenges of using a consumer browser for business and points out the features and functions a true enterprise browser must offer.  You can download it here.  

I think the report sums it up best with this statement: 

“An enterprise browser with a different approach, which delivers functions with the enterprise in mind, is needed. With the proper control, the browser is able to solve serious problems more easily. Its position is a very unique intersection of users, critical web applications, the underlying data, and the threat landscape.”

Here’s a quick summary of the report.  

Consumer-Grade Technology Can't Provide Enterprise-Grade Security

Consumer-centric design hasn't stopped web browsers from playing a critical role in the business technology ecosystem. Yet it has created a very significant (and often underappreciated) problem: Conventional browsers don't have the visibility, control and manageability required for corporate SaaS and web-based applications.

In other words, reliance on conventional browsers means the assumption of significant and sustained cyber-risk.

Fortunately, there is good news: A new category of browser now exists -- one that pairs the speed and flexibility of a consumer browser with the security of an enterprise-grade product.

Meet the Enterprise Browser.

Why CISOs Need a New Browser Approach

Today, the browser has become the new office. Employees spend much of their workday accessing data and applications through browsers. This greatly accelerated during the COVID-19 pandemic, which sparked an explosion of telecommuting activity.

Massive adoption of work-from-home and bring-your-own-device scenarios, however, means that IT departments now have even less visibility into user behavior and how people and data are interacting.

For CISOs, the security concerns that come with vastly expanded work-from-home opportunities simply add another layer of stress and pressure.

Other key issues include:

  • Addressing growing complexity (which is often exacerbated by deployed security solutions)
  • Dealing with a shortage of skilled staff
  • Navigating evolving regulations, privacy and compliance mandates

That's a tall order. Fortunately, it's now possible, for the first time, to address these challenges at the browser level.

A New Breed of Browser

Browsers rest at the intersection of organizational users, critical applications and underlying data. They are deeply embedded in almost all organizational activity.

Yet enterprises have not been able to exert flexible control over what happens when employees use these browsers. Consumer-grade browsers simply do not offer tools to implement security policies. As a result, they leak data. They are vulnerable to screen grabs or printouts, downloads, copying and pasting into personal apps or even smartphone snaps.

Enterprises understand this and have historically attempted to mitigate these risks with multiple security and management tools. Plus, they are forced to do things like banning the use of personal email accounts or other applications. Yet these measures are not truly effective, and they alienate employees.

Enter the Enterprise Browser -- an innovative new product category.

An Enterprise Browser mitigates cyber-risk by assessing the posture of the device on which it is installed. It then dictates the appropriate policy depending on the device type of the logged-in user. This means organizations can manage access regardless of device, user or location.

In essence, an Enterprise Browser gives CISOs infinite control over how users and information interact.

Fine-grained controls aren't the only benefit offered by an enterprise browser. It can also audit user behavior, giving enterprises visibility if unauthorized screen grabs or data copying occurs. This level of visibility into browser-level user and data interaction has never existed before. What’s more, organizations can enforce the use of an Enterprise Browser for certain applications, while allowing standard consumer browsing for personal use or access to non-risky applications or destinations. And for the final kicker, since it is based on the open source Chromium browser, the basis of the majority of browsers in use today, the Enterprise Browser delivers the same experience to users, lowering resistance to adoption significantly.

Bottom Line

Conventional browsers are powerfully elegant pieces of software. Yet they are poorly suited for the integral role they are being asked to play within the business technology ecosystem.

Introducing enterprise-grade security at the browser level with an Enterprise Browser is one of the most impactful things CISOs can do today to simplify their entire security architecture and mitigate some of the most urgent cyber-risks they face.

Get the Frost & Sullivan report by clicking here.  

Press Release: First Enterprise Browser Improves Enterprise Security

February 1, 2022

Backed by Insight Partners, Sequoia Capital, Cyberstarts and Stripes, Island delivers a familiar Chromium-based browser experience with built-in critical security control and governance for corporate applications and data

DALLAS and TEL AVIV – Feb. 1, 2022 – Today Island unveiled a new category of enterprise software that revolutionizes security control, visibility and governance with the introduction of the world’s first Enterprise Browser. After almost two years of product development, the company emerged today from stealth mode to introduce the Enterprise Browser, eliminating the massive gaps between current consumer-focused browsers and the increasingly complex IT and security requirements of enterprises worldwide. With core needs of the enterprise naturally embedded within the browser itself, Island is the first browser to provide end-users with the same Chromium-based experience they expect, while giving the enterprise much needed functionality to vastly improve corporate security and employee productivity.

Headquartered in Dallas with research and development in Tel Aviv, Island is led by co-founder and CEO Mike Fey, previously president and COO at Symantec and GM and CTO of McAfee; and co-founder and CTO Dan Amiga, inventor of web isolation technology and previously founder and CTO of Fireglass. Island emerges from stealth with a complete senior management and technical team bringing decades of experience in enterprise security from both successfully established cybersecurity firms and start-ups, as well as deep domain expertise in Chromium research and development.

To date, the company has secured almost $100 million in financing from leading early-stage investors including Insight Partners, Sequoia Capital, Cyberstarts and Stripes and has hired over 100 employees.

“For decades, organizations have globally utilized consumer browsers in the corporate computing environment,” said Mike Fey, co-founder and CEO, Island. “These organizations require strong control and governance, which consumer browsers were never built to deliver. Island uniquely provides manageability, control, security and enhanced productivity features from within the browser itself, while users enjoy a familiar browsing experience. We envision the Enterprise Browser fundamentally improving not just security, but enterprise work itself.”

“SaaS has fundamentally changed how IT teams are providing value added services to their companies and the industry is ripe for a new way of thinking about how we secure that value,” said Bob Schuetter, CISO at Ashland Global Holdings, Inc. “A browser built for the enterprise can fundamentally change the industry, empowering us to reimagine how we approach our use cases with tremendous power yet elegant simplicity.”

Product Features, Capabilities and Use Cases

The Enterprise Browser enables organizations to deeply govern how users interact with all SaaS and internal web applications. Through the use of the Island Enterprise Browser, security teams can fully control last-mile actions from advanced security demands to more basic data exfiltration protections such as copy, paste, download, upload, screenshots and other activities that might expose critical data. This opens up unprecedented opportunities across a growing number of enterprise use cases, including securing critical SaaS and internal web applications from data leakage, safe access for contractors and BYOD workers, and full governance over privileged user accounts. It can also reduce VDI dependency while also supporting built-in safe browsing, web filtering, web isolation, exploit prevention, smart network routing, and Zero Trust access.

“The browser is the office where today’s hybrid workforce lives,” said Dan Amiga, co-founder and CTO, Island. “We have engineered the Enterprise Browser to be the platform for the future of their work. It begins by redefining how an organization secures its work but will positively impact endless needs across information technology.”

“It’s rare that you see a security technology with the potential to reimagine the industry the way Island’s Enterprise Browser does,” said Jeff Horing, Insight Partners co-founder and managing director. “Island has all the attributes we look for in a successful venture – an experienced management team, a brilliant idea and a large market disruption capability.”

Market Demand Intensifying

Island released and deployed its GA product beginning in September 2021 to some of the world’s most recognizable brands across a range of industries, including several in the Fortune 500.

“When we first saw Island’s design, we immediately recognized the revolutionary impact it could have on securing the workplace,” said Doug Leone, Sequoia global managing partner. “By delivering on the long-standing goal of security by design, we see it as a disruptive solution within the security industry.”

“Our focus at Cyberstarts is to invest in important ideas and people that will change the cybersecurity industry,” said Gili Raanan, Cyberstarts founder and Sequoia general partner. “Island’s Enterprise Browser has the potential to positively impact every part of the space.”

About Island

Island, the Enterprise Browser is the ideal enterprise workplace, where work flows freely while remaining fundamentally secure. With the core needs of the enterprise naturally embedded in the browser itself, Island gives organizations complete control, visibility, and governance over the last mile, while delivering the same smooth Chromium-based browser experience users expect. Led by experienced leaders of the enterprise security and browser technology space and backed by leading venture funds -- Insight Partners, Sequoia Capital, Cyberstarts and Stripes -- Island is redefining the future of work for some of the largest, most respected enterprises in the world. Island is based in Dallas with research and development in Tel Aviv, and can be reached at or (866) 832 7114.

For more information contact:

Hannah Carroll/Tim Hurley
Matter Communications for Island

Enterprise Strategy Group highlights Island Enterprise Browser

February 1, 2022
Bradon Rogers

As organizations turn towards SaaS cloud-based applications to help them grow, there is an increasing need for access control and sensitive data control measures to be taken. However, internal security teams have many different complications to work through in order to maintain compliance and protect sensitive data across enterprise-level organizations.

Third-party SaaS applications are increasingly important for businesses, as they help manage key operations, improve employee collaboration, and help new initiatives start quickly. While these applications provide many benefits to organizations, they also make security management difficult as there are limitations to access controls for internal IT, risk, and security teams.

Adding even more complication to the problem is the increased reliance on non-corporate-owned devices and personal devices. This goes hand-in-hand with the growing hybrid workforce, making it even more difficult to maintain compliance and security standards across an organization. New strategies are needed in order to address these problems.

The Challenges of IT, Security, and Compliance Teams

There’s no question that third-party SaaS applications help businesses grow, compete more effectively, and cover gaps within the workforce. However, they do add challenges to IT, security, and compliance or risk teams' ability to:

  • Implement fine-grained user-access privileges
  • Prevent sensitive data leakage from personal and non-corporate devices
  • Audit access and user functions and sensitive data access
  • Leverage network security controls and strong encryption protocols

IT, security, and risk teams struggle to manage the staggering amount of third-party SaaS and internal web applications that organizations are adding to their workplace. SaaS applications are often designed for the most common use cases, making specific access and compliance controls difficult to manage and security hard to maintain across departments and at-home or hybrid employee offices.

Identifying the Need for an Enterprise Browser

Most organizations use consumer browsers like Chrome or Edge to engage with SaaS and web-based applications. However, these browsers were not built with governance in mind and offer no controls over what a user can do inside an application, including printing, taking screenshots, or downloading content.

Clearly, a new approach is needed in order to provide security to modern businesses with cloud-based SaaS applications, hybrid work environments, and non-corporate devices. ESG has identified a new, disruptive approach to securing and managing user and data access—an enterprise browser.

What is the Island Enterprise Browser?

Island is a security-enabled and compliance-focused web browser. It uses the same capabilities and user experience that you would find in Chrome or Edge, but ensures that organizations have control over how users interact with information and provides core security controls for IT, risk, compliance, and security teams.

Island enterprise browser provides:

  • Sensitive data protection
  • Safe browsing
  • Device posture assessment
  • Forensics and audit capabilities
  • Multi-tenancy control
  • Centralized management
  • Browser-based robotic process automation

To learn more about the need for an enterprise browser and the capabilities that are provided by Island, read the whitepaper from ESG and discover the bigger truth about modern security and governance in enterprise-level organizations. Click here to see the report.

Why “The Last Mile” is the Most Critical Terrain in Cybersecurity

February 1, 2022
Brian Kenyon

Cloud growth continues to be nothing short of astonishing: Gartner estimates 95% of new digital workloads will be deployed on cloud-native platforms by 2025, up from just 30% in 2021.

Yet this race to adopt cloud technology has left security teams with an extremely challenging mandate: They need to keep critical assets safe in a world where remote work, BYOD and virtual desktop use are all exploding.

Fortunately, they have no shortage of options. Security concepts such as Zero Trust, and the usual range of data loss prevention, identity management and cloud access security tools, provide a framework for risk management.

However, one urgent risk remains underappreciated: No matter how many security tools you wield, you’re still deeply vulnerable if you continue to use conventional web browsers.

Why the Consumer-Focused Web Browser Creates Massive Enterprise Risk

Web browsers have become an essential cog in the wheel of business technology. Many of the productivity applications and SaaS platforms that organizations use today are highly dependent on browsers.

The truth, however, is that they are not truly intended to be used as such. Because they were designed for advertising, tracking and search optimization, they offer minimal control over “the last mile” – the space where users interact with data and applications within the browser.

This means that a user can compromise security through printouts, screen grabs, copying-and-pasting text or even taking a photograph of the screen – and an organization may never realize it because conventional browsers also offer no visibility into how users have acted in the past.

That absence of control is a huge problem – one that organizations have often attempted to address by placing severe restrictions on how workers can use applications or devices. Unfortunately, this is not only ineffective, but it also constrains how businesses operate, and alienates workers.

Fortunately, there is a simple change you can make to avoid this risk: Start managing “the last mile” via an enterprise browser.

Last Mile Control and the Enterprise Browser

Consumer-grade browsers gush data because they don’t allow you to implement security policies. An enterprise-grade browser solves this long standing problem by offering a centralized management console for policy enforcement to govern activities such as downloading, saving, cutting-and-pasting or screen grabs within critical apps.

This gives organizations the ability to give workers much more latitude in terms of how they interact with applications and data.

That’s not the only benefit:

  • An enterprise browser extends the practice of role-based access to provide a governance layer in areas that have always been inaccessible.
  • This means it closes a cyber-risk blind spot, vastly strengthening your security posture.
  • An enterprise browser is highly scalable and delivers exceptional ROI.
  • It also significantly reduces resource use.

Ultimately, by merging the speed and seamless UX of a consumer-grade browser with last mile controls, the enterprise browser represents an urgently needed innovation – and one of the most exciting new product categories in years.

Read a more in depth editorial brief on this topic by Brian Kenyon, Chief Strategy Officer at Island, by clicking the title: Enterprise Browser Management – The Last Mile Challenge.

The next chapter of enterprise work. Introducing The Enterprise Browser.

February 1, 2022
Mike Fey
Dan Amiga

We began our journey in enterprise security with a single goal in mind: to build a truly secure-by-design environment. Where work could thrive because security is naturally woven into the enterprise.

So we teamed up with some amazing people. Built anti-malware, DLP, proxies, CASB, firewalls, and many other enterprise security products that became industry standards. Even invented brand new technologies like browser isolation that carved a new path towards a safer enterprise. We were fortunate to build products that truly mattered.

But as the enterprise evolved in ways we couldn’t even imagine, the industry’s approach to securing it stayed more or less the same. An upgrade here. A plus-one there. These improvements were effective. But that’s exactly it - they were merely improvements - on an ecosystem designed years ago for a very different world.

Today, the most precious parts of most organizations live in the cloud. Our employees work in offices, coffee shops, living rooms, and beach chairs. And they use whatever device they want. Let’s face it - even the best versions of yesterday’s security tools weren’t meant to handle the size and scale of today’s modern enterprise. And as long as we were playing by the old rules, that vision of a secure-by-design work environment couldn’t become reality.

The teams we were privileged to lead solved some of the biggest challenges in our industry. Yet, the narrative hadn't changed. And it was becoming painfully obvious why. The one place where basically all our work takes place - where our users, apps, and all underlying data meet - that place was still fundamentally not in our control.

The browser.

The browser is the one application enterprises use more than any other on planet earth. By far. And yet, ironically, the browser isn’t even an enterprise application. It was built for consumers and advertisers. Optimized for content distribution and consumption. Organizations and employees? They were never part of the picture.  

But we knew this already, and we chose the consumer browser for work anyway. Its value to the enterprise was so immense that we ignored the fact that it was built for consumers. We embraced it for its amazing speed, rendering power, universal compatibility, and near flawless user experience. And we learned to live with the tradeoffs - the lack of control, visibility, governance, or privacy - the core elements of a safe work environment.

We accepted this as reality.

A reality where the centerpiece of our workplace wasn’t designed for work. Which meant the one place nearly all our critical data lived was the very place we couldn’t protect or even see.
And this reality forced us to treat our browser like a caged animal - surrounding it with an endless stack of heavy, expensive, and inefficient tools just to keep it from working against us.

It’s not the browser’s fault. It just wasn’t designed for the enterprise.

Well, what if it was?

It was such a simple question. One that deep down we’ve all wanted to ask. What if there was a browser specifically designed for the enterprise? A browser that put the organization in complete control over how its users, apps, and data interact? A browser that let the enterprise in instead of shutting it out? A browser that integrated into your infrastructure instead of fighting against it?

And suddenly it hit us - that was it. The goal we’ve been working towards our entire careers, right before our eyes.

The ideal enterprise workplace. Security, visibility, and governance built right into the work experience, without getting in the way of work itself.

That vision of secure by design - finally realized.

Why hadn’t it been done before?

It seemed almost too obvious. Why hadn’t someone built this yet?

Three stars needed to align for the enterprise browser to seem like a viable idea.

  1. The SaaS revolution. As work migrated to SaaS, work categorically shifted away from desktop services and towards the web-first experience. Critical apps were now available anywhere all the time, making the browser the center of enterprise work.
  2. The Chromium effect. When the Chromium open source browser project was introduced - all major browsers suddenly became standardized. All fueled by the same technology, all providing the same powerful, yet enjoyable user experience. Which made it possible to build the core needs of the enterprise into the browser, while retaining the consumer-grade experience users have come to expect.
  3. The rise of the endpoint. With widespread adoption of the remote workforce, the shift to SaaS and cloud services, and the explosion of network encryption, the endpoint suddenly became the best place to anchor our security operation. This new work reality not only brought about a greater need to secure the endpoint, but it created a major opportunity to leverage the endpoint to secure our critical data right where it was being accessed and used.

All the pieces were finally in place. The only thing left was to build it. So we did.

And we call it Island. The Enterprise Browser.

The Enterprise Browser fully integrates the browser into the organization, providing complete control and visibility over everywhere work happens. All while delivering the same smooth, powerful, nearly flawless experience users have come to expect. It’s work as it should be - fluid, yet fundamentally secure.

And with it, the possibilities are endless. SaaS and internal web apps truly live anywhere without leaking data everywhere. Contractors and BYOD workers work freely while organizations keep the data they access fully secure. Consumer or risky apps can be safely introduced into the enterprise without compromising security posture. Users are naturally protected from the inherent dangers of the web. And this is all just the beginning.

For years we had one goal - to design the place where work naturally belongs.

Island is that place.

Welcome to the next chapter of enterprise work.

The use cases

Fully govern how contractors interact with your data by setting highly specific policies around which apps and data they access and what they can do with them.