Sponsored: How Pfizer uses Island's enterprise browser

2024/8/18
Risky Business News

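Brian A. Coleman: Island's enterprise browser solved several security challenges for Pfizer. It allows a security layer to be added without modifying legacy applications, protecting sensitive web applications. The browser provides granular controls, allowing security features such as two-factor authentication and password rotation to be enforced, and different policies to be applied to different user groups. It also improves visibility into network activity, strengthens protection for actions such as data upload, download, copy and paste, and improves security through inline user awareness. Beyond security, the Island enterprise browser can also meet privacy regulation requirements, supplement or replace other security tools, and provide endpoint TLS decryption and VPN functionality, reducing the need for virtual desktops. The browser's infrastructure is easy to set up, but as it scales, managing the rules and logic becomes more complex. The Island enterprise browser also provides a rich forensic trail that helps investigate security incidents, and can add logging to legacy applications that lack it. Its most powerful features include integration with the environment, customization, and rich visibility, allowing custom protection policies to be created based on device posture.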

Chapters
Brian Coleman discusses Pfizer's initial use case for Island's enterprise browser, focusing on protecting sensitive web applications and the platform's capabilities.

Transcript

Hello, this is Catalin Cimpanu and welcome to another of the Risky Business News sponsor interviews. This week our sponsor is enterprise browser maker Island.

We have a unique guest today, Brian A. Coleman, who is Senior Director at Pfizer for Insider Risk, Information Security and Digital Forensics. Island has asked Brian to talk to us about how Pfizer is using its browser to secure its pretty large workforce distributed all over the globe. Unfortunately, 40 minutes before I was set to record this interview, my power went out, so I recorded this from my phone and the audio quality is not as sharp as we would have wanted.

I'd like to thank both Brian and Island for putting up with this little technical glitch from my side.

Now let's dive in the interview. And here's Brian telling me why they chose to give Island and the concept of a customized enterprise browser a chance.

No, you're right. It's a new area and a very niche area. And so I think, you know, initially our use case was around protecting, you know, some sensitive web applications. And then what we kind of started realizing through the conversations with Island is just a lot of different use cases. And I think one of the appealing pieces to it, when I first started out of college, I was a web developer, right? And there was a lot of programming that had to go into developing a web app and whatnot. And within the Island platform now, what happens is you can have all these web apps developed in whatever language they're developed, and some of them can be legacy applications that require a ton of development work to change them. And so what the enterprise browser allowed us to do is to build kind of a layer of security on top of that or awareness on top of that.

You don't necessarily have to change a legacy application. You can just build, you know, a piece of code that gets interpreted by Island that just sits kind of right visually in front of you on top of that through the browser. And so it really just was a lot of the capabilities, the maturity, and some of the, you know, the ways in which you could protect the various applications, protect end users, inform users. It was just a very appealing platform.

I know Island, one of the main issues that people at Island kind of relayed to me was making people jump over that hurdle that they need to pay for a browser. People would often say that, okay, consumer browsers are not ideal for our environment, but through group policies, we would be able to control them. Were the Island features that were related to you during those sales pitches so impressive that you reached that conclusion that it was an investment that you needed to make to improve the security of your staff in ways that you couldn't do with other products? Yeah. Good.

Because making a company part with its cash is usually one of the hardest parts. What exactly did Island provide to you? Was it a greater level of protection against insiders that you valued above anything else? Or was it like preventing lateral movement from environments by controlling the way people access and read information, their emails, because I know Island has those capabilities to enforce two-factor authentication in some certain scenarios. Like what were exactly the features that made you believe that they provide a level of protection that is worth paying for and what was exactly that.

Yeah, and look, you said it right. I was pretty skeptical of paying for what essentially is free right now. But really, once you start thinking about it, some of the security that is implemented within the enterprise browsers and Island specifically is, you know, a lot of just granular controls, you know, so you can allow people to still browse the web the way they typically would in the past. Right. And they probably will not necessarily notice any type of difference. But when you get to a critical application, now you can enforce two-factor authentication, right? You can use some other integrations to build it with your password management solution so the passwords get rotated very quickly and whatnot.

So there's a lot of the security capabilities that became very apparent to us as we were looking at it. And like you said, now you can apply different policies to different groups of users. And in cases where you don't have great RBAC for maybe a legacy application, you can now, by the browser, create RBAC for that. And I think additionally, what it allows is just a ton more visibility into how things are performing on the network, what users are doing, protecting uploading and downloading of data, copying and pasting. A lot of that information that we typically weren't able to protect in the past, you're now able to protect it.

And so I think, you know, what it has helped drive is it's kind of more of, I call it inline user awareness, right? So as a user is performing some kind of action, right? Let's say it's an upload. They'll get prompted with a screen that says, are you sure you want to do this? Because, you know, it might be against corporate policy. It might be containing sensitive information or they'll be completely blocked.

And I think, you know, that has been, you know, a big issue for a lot of companies is people are trying to do the right thing, but they're just not, you know, they're not thinking maybe when they do it. And so this allows you to kind of inject a decision point to them to say, do you really want to do this? And a lot of times people will back out from that decision.

I do think too, as these applications come online, you can start to protect data in ways that you typically could not in the past. You could obfuscate data and then you could, as an end user, require them to provide a justification for unmasking personal information, right? And so I think there's a lot of use cases here beyond just security. It could be because of privacy regulations in other parts of the world.

It could be that you might be able to supplement other security tools or remove other security tools with this. So as you think about paying for the browser and the capabilities, you could think about, okay, you know, you're now going to be able to do TLS decryption at the endpoint, right? You're going to be able to do potentially VPN through it. You know, you might not need as many VDSs, right, or virtual desktops where, you know, you have a pretty wide open environment for these people to use a VDS, now you scale it back and you only get access to the applications that you need at the time you need it. And I think that's been a huge win for us.

You said there was initial skepticism in deploying Island.

How much of your infrastructure is now embodied?

We are set up for global deployment, right? And so this would be enterprise-wide around the globe. We're not there yet. You know, there's obviously a lot of due diligence we have to do for making sure that the applications are loading properly. And you could imagine we're in a very complex environment. And so, uh, the infrastructure was, was, I don't want to say easy to set up, but it's, um, honestly in, in, in most cases you could deploy the browser and just use it. Yeah. There's really not too much overhead on the, the, the initial implementation. Now what will get, you know, uh, more complex as you grow and mature in this environment is the rules and the logic and kind of all of the capabilities of the platform. You will definitely then start to need to build out processes behind that to make sure it stays organized and that people are aware of the implications of the things that, or the impact that they could have on an end user by implementing a various policy to a specific group or through the enterprise.

You are now over that skepticism phase, like you're now planning around Island as a core component, right? Because I'm asking this because I've recently seen both Microsoft and Google launch their own enterprise versions of their own browser. I'm seeing this as a sign from the big dogs that, okay, enterprise browsers are now a core component of the enterprise security landscape. So I'm asking you, do you, like, let's say you go in another place, would you build that organization security posture around it, the concept of an enterprise browser?

Yeah, I mean, look, I think people have to give it a real look. There is a lot of skepticism, you know, and even, you know, in my management chain as well. But the reality is when you start to look at potentially the savings you might be able to make financially by, you know, minimizing, you know, the use of other tools and whatnot, you know, there's some real, real savings there as well as the improved security that the browser will give you. There's, I think, you would be... It would be in people's interest to at least explore the options that are out there. And look, you got to look at what the use cases are as well and what you're trying to accomplish with the browser. If it's just internet surfing, you might have to look at something else. But if there are very sensitive applications that you're trying to protect that are web-based and whatnot, then I think you really do need to look at the different security layers and see what are the gaps that you have and where does the browser provide you the value. And it could very well be, you know, that the ability for me now to log in from my iPad, from my iPhone, from my, you know, laptop and getting all that same experience and controls across those environments, that becomes kind of critical.

No, one particular object that I am curious about is related to your work title, which included the title of digital forensics expert. Does Island provide any kind of forensic trail in case of an incident?

Oh, absolutely. You know, the days of, you know, having to go get a hard drive and clone it or image it, you know, physically are pretty much, I've said they've been pretty much done, uh, at least maybe in the corporate environment, it's very rare that you can't get the data you need from network telemetry or other repositories now with kind of the way everything is cloud-based.

And, you know, with the visibility that Island gives us, yes, it becomes very valuable in understanding what are people typing in related to an incident? What sites are they going to related to the incident? Did they try to upload or download? And so I do think from a forensic artifact perspective, there's a lot of valuable data that is within the browser. Obviously, you do that all within the boundaries of whatever your privacy and legal department or your process is, but we coordinate very closely with all of our global privacy offices around the world to ensure that, A, we're abiding by local privacy rules, but also we're working with them in these investigations to get them all the data that they might need in a matter. And the browser data tends to be very, very rich. And in some cases, I'll tell you, there are legacy applications that maybe don't have as robust of logs that we would like to have.

And you can add that on top with Island?

Yes, exactly. Yes. And it becomes really powerful with some of those platforms where maybe they don't have a logging for what people are searching for in this custom app, right? But now you get it through the browser and it becomes very, very powerful. And from an investigation perspective, could be critical to a matter.

So Brian, the last question I wanted to ask, if you could recommend to other customers, what would be your favorite Island feature or features? What would it be?

Yeah, look, I don't know that we'll have enough time on this call, but yeah, there's a lot of features that I really think are very powerful. One of them is kind of the integration with the environment, right? So seamless authentication across the multiple applications. Customization, right? So think of the CrowdStrike incident that nearly affected everyone in the world in that instance, right? You can very quickly get people, you know, access to the data that they maybe need with, you know, a very customized splash screen that can be developed within minutes that says, hey, here's what you need to do to kind of help self-remediate. The ability and the flexibility of modifying some of the favorite features that are not really flexible in a way that are easy to make any modifications.

And, you know, we've worked with the team and very easily, you know, disabled various buttons, made buttons disappear off of websites, right? Or built in, you know, a watermark onto a page. And so I think, you know, the customization and the ease of use of it is, I think, by far, you know, the strongest, some of the favorite features. Now, the other piece I would say that I really do like is it's almost too much data, right? There is so much visibility you're getting from the browser, right? You can base policies on do they have an antivirus installed? Do they have a specific version of an endpoint protection out there? Do they have encryption enabled? And unless they have those features or those properties enabled or the posture of the device meets the criteria, they don't get access. Or maybe they get access, but they can't print, they can't screen capture, they can't do whatever. And so I think like, the ability to now go kind of create this customized menu of protections for the business and say, okay, in this organization, we'll allow printing. But in this organization, we're actually not going to allow printing or saving or use dev tools or any of that stuff. And that customization becomes really, really powerful as kind of you build security systems into the business, right? And now they keep coming back to you saying, hey, we got this new application or this legacy application that you haven't really been able to protect. How can we use, you know, Island or an enterprise browser to build security on top of that without impacting the performance of the application?

Brian, thank you very much for your time today. And thank you to the folks at Island for arranging this interview.

Yes, you're welcome. Thank you.