6m read

What Is Remote Browser Isolation (RBI)?

What’s inside?

Cato Networks named a Leader in the 2024 Gartner® Magic Quadrant™ for Single-Vendor SASE

Get the report

Remote browser isolation (RBI) executes user browsing systems in a sandboxed, cloud-based environment. This protects users against potential web threats, such as phishing, malware, and vulnerability exploits, since none of the code embedded in these sites is run on the user’s device.

Web threats are a growing threat to corporate cybersecurity, and traditional endpoint security solutions don’t always identify and address the threat in time. Deploying RBI, ideally as part of a converged SASE solution, reduces an organization’s exposure to this threat.

Understanding Remote Browser Isolation

Malicious websites are a common threat to businesses due to the potential for compromised credentials, malware delivery, and data theft. RBI combats this threat by moving web browsing from a user’s device to a controlled, monitored environment in the cloud.

RBI can be implemented via a couple of different models, including pixel-based streaming and DOM reconstruction, that display a web page’s content in a user’s browser without running the code locally. By doing so, it prevents JavaScript and other potentially malicious code from running on the user’s device.

How RBI Works

RBI solutions execute web content in a cloud-based sandbox environment. By doing so, it ensures that any risky or malicious code only executes in the sandbox rather than on the user’s device.

With RBI, users never interact with the website itself. There are two main ways of implementing this:

  • Pixel-Based Streaming: With pixel-based streaming, the RBI system runs the website and produces the image that would be displayed in the user’s browser. It then sends the image to the user’s device, and they can interact with the image rather than the page itself.
  • DOM Reconstruction: DOM reconstruction renders a website in the cloud and essentially rebuilds it after sanitizing it. Since all potentially malicious code is stripped out, the user’s browser can safely render the result just like it would a normal web page.

How Remote Browser Isolation Works:

Stage Description Security Benefit
URL Access User clicks a link or types a URL RBI intercepts session
Cloud Execution Website loads in cloud container No code runs on user device
Visual Stream or Sanitized Content Session rendered for the user Malware is stripped or never reaches endpoint
Session Ends Container destroyed after use No persistence, no residue

Traditional Browser Security vs. Remote Browser Isolation

Traditional browser security solutions, such as endpoint protection and browser plugins, are hosted on a user’s device. Since the webpage is rendered locally, this approach depends on these solutions being able to block malicious code from running or remediating an issue after the fact.

RBI prevents malicious functionality from ever reaching the device, running it in a cloud sandbox instead. This way, sophisticated attacks that might slip through the cracks, such as zero day vulnerabilities or HTTP-smuggled content, infect a temporary cloud container rather than a user’s device.

Why Remote Browser Isolation Is Gaining Momentum

As phishing attacks grow more sophisticated, traditional browser security solutions are increasingly ineffective. RBI has gained momentum as a solution that offers safe web browsing not only on-site but also in hybrid work environments.

Companies also face increased regulatory pressure, especially in industries such as finance and healthcare. The need to offer stronger protection against web-based attacks drives the adoption of solutions like RBI.

Key Benefits of Remote Browser Isolation

RBI offers various security benefits to an organization. Some of the most significant include:

  • Remote Prevention: RBI runs malicious code in an isolated, cloud-based system. This prevents threats from ever reaching a user’s device.
  • Full Session Isolation: RBI isolates entire web browsing sessions, protecting against malware, ransomware, and phishing links. This is more robust protection than URL filtering, which depends on the ability to identify malicious content before the user visits it.
  • Hybrid Work Support: RBI works for on-site and remote workers alike. This protects off-site devices that aren’t protected by traditional, perimeter-based defenses.

Phishing and Malware Protection

Phishing and malware protection are key objectives of RBI. By rendering websites in a sandboxed environment, RBI can inspect them for phishing content and prevent malware from reaching a user’s device. This can even defend against zero day threats since the container is what’s at risk of infection, not the user device.

Support for Zero Trust Web Access

The zero trust security model assumes that everything is potentially malicious, and RBI bears out this philosophy. Web content is treated as untrusted and inspected in a secure environment before users are permitted to interact with it.

Performance and User Experience Considerations

Historically, RBI solutions had significant limitations, including latency, pixelation, and session lag. However, cloud-native RBI implemented on a network of global points of presence (PoPs) overcomes these issues by moving inspection logic geographically close to the end user.

Remote Browser Isolation and Cato Networks

The Cato SASE Cloud Platform offers RBI capabilities as part of its cloud-native Secure Web Gateway (SWG) offering. By integrating RBI into SASE, Cato is able to offer this capability without the need to deploy additional software or browser extensions. Cato’s SASE network is implemented via an array of globally distributed PoPs backed by a dedicated private backbone. This offers extremely low latency and a seamless browsing experience for RBI users.

Remote Browser Isolation Built into Cato’s Secure Web Gateway

As previously mentioned, Cato’s RBI offering is integrated into its converged SASE offering. This not only enhances performance but also improves the user experience by eliminating the need to install and manage additional software or endpoint agents.

Feature Cato Networks Traditional RBI/b>
Deployment Cloud-native, no agents Often requires browser plugins or endpoint agents
Performance Global PoPs minimize latency Pixelation, lag common in legacy tools
Integration/td>

Built into Secure Web Gateway and SASE Often bolt-on or separate
Maintenance Centralized, auto-updated Requires frequent updates across endpoints

 

Advanced Threat Protection via Remote Browser Isolation and Beyond

As part of Cato’s SASE offering, the protection RBI offers is enhanced with global threat intelligence and key security capabilities, such as intrusion prevention system (IPS), DNS filtering, advanced threat protection, and TLS inspection. These support the detection and prevention of sophisticated attacks via various vectors, reducing an organization’s exposure to cyber risks.

Integration with SASE and SSE Frameworks

By combining RBI with other networking and security capabilities, the Cato SASE Cloud Platform offers inline threat protection without introducing additional management overhead or degrading application performance and the user experience. Additionally, this integrated, cloud-native architecture enables sharing of threat intelligence and contextual data between components to improve threat detection and prevention.

FAQ

What is remote browser isolation?

Remote browser isolation (RBI) hosts browsing sessions in an isolated cloud container rather than the user’s device. This enables detection of malicious content and blocks malware from ever reaching a user’s device.

How does remote browser isolation improve security?

RBI moves the execution of potentially malicious code in a website from a user’s device to a cloud-based sandbox. This prevents drive-by downloads, phishing payloads, and malware from reaching and infecting the endpoint.

Is RBI part of zero trust architecture?

Treating everything as untrusted by default is a key tenet of the zero trust philosophy. RBI supports this by treating all web sessions as potentially malicious and executing them in a secure, isolated environment.

How does Cato Networks implement RBI?

Cato integrates RBI into its Secure Web Gateway (SWG), which is part of its converged SASE offering. This enables agentless protection backed by a global network with minimal network latency.

Strengthening Web Security with Remote Browser Isolation

RBI proactively protects against potential web security risks by moving web browsing to an isolated, cloud-based container. This prevents potentially malicious content from ever reaching a user’s device.

The Cato SASE Cloud Platform integrates RBI with other key security features to reduce management complexity and eliminate security blind spots. Additionally, hosting RBI on a global network of PoPs backed by a private backbone helps to avoid the challenges of legacy RBI, such as network latency and poor UX.

Discover how Cato Networks combines remote browser isolation with real-time threat protection, ZTNA, and a converged security stack by requesting a demo.

Cato Networks named a Leader in the 2024 Gartner® Magic Quadrant™ for Single-Vendor SASE

Get the report

Related Articles

Network Segmentation Best Practices

10 Network Segmentation Best Practices for Robust Cybersecurity in 2025
Network segmentation involves dividing a network into isolated segments based on sensitivity and business needs. By implementing segmentation, an organization can limit the potential impact of network intrusions and support a zero trust architecture. In a segmented network, traffic crossing segment boundaries must pass through a firewall, which can implement access controls and look for...
7m read
Read More

Authentication vs Authorization

Authentication vs. Authorization: Exploring Differences and Similarities
Authentication and authorization represent two of the three “A’s” in identity and access management (IAM). Along with accounting, they are crucial to an organization’s cybersecurity strategy. Without the ability to verify a user’s identity and privileges, it’s impossible to differentiate between legitimate access to corporate systems and potential attacks. Authentication verifies a user’s identity, thereby...
7m read
Read More

Cloud Application Security

Cloud Application Security: A Comprehensive Guide for IT Leaders
Cloud Application Security (AppSec) is the process of protecting applications and APIs hosted in cloud environments from modern threats. As enterprises adopt cloud-first strategies, robust AppSec practices are essential for safeguarding sensitive data and ensuring compliance with regulations like GDPR and CCPA. Cloud AppSec differs from traditional application security because cloud environments offer unique methods...
9m read
Read More

Cloud Security Best Practices

Cloud Security Best Practices: A Strategic Framework for IT Leaders
Cloud computing environments enable companies to meet both employee and customer needs, offering highly available and scalable resources that are accessible from anywhere. However, it also introduces significant security challenges for companies, including the difficulty of managing access and security configurations in complex cloud environments. Managing cloud security risks requires a comprehensive security strategy that...
5m read
Read More

Cloud Security Principles

Cloud Security Principles
As corporate cloud footprints expand and incorporate more sensitive data and vital applications, new vulnerabilities and security risks are introduced. More organizations face increased risk from cyber threat actors who are constantly refining their methods while exploiting new attack vectors.  In this article, we’ll take a look at the evolving cloud threat landscape as well...
6m read
Read More

Innovate, grow and thrive

With a true SASE platform

Cato leverages its granular network, security, and endpoint context and events to deliver a complete Threat Detection Investigation and Response (TDIR) life cycle management.

Challenge us