Original URL: http://www.theregister.co.uk/2011/11/16/how_to_stay_anonymous_part_3/

The Register Guide on how to stay anonymous (part 3)

Browser privacy at work

By Trevor Pott

Posted in Security, 16th November 2011 13:00 GMT

Part 3 Enterprise browser usage is a messy subject. The enterprise is not what it once was; the days of the homogeneous Windows empire are past. Not only are alternative operating systems like Apple's OS X gaining traction in the enterprise, but the desktop is no longer a browser administrator's only concern.

The consumerisation of IT has moved us past the simple, easily managed world of Windows on the desktop and BlackBerrys in our pockets. While popular amongst users, this latest trend in IT exacts both privacy and security tolls on business and users alike.

Enterprises need centralised control over browser configuration. Whitelisting and blacklisting browser extensions is critical, as is the ability to manipulate all of a browser's built-in security settings. Centralised certificate management is another common issue.

Most browsers can treat different websites with different privilege levels, and these lists need to be centrally managed. Similarly, enterprises need the ability to control locations of downloaded files, anti-malware integration and permitted file types.

Every business's needs are different, yet even in the face of the consumerisation of IT, the enterprise's need to exert control over browsers for security purposes remains constant. The question is: how?

The homogeneous environment

The traditional enterprise environment consists of desktop systems running some flavour of Microsoft Windows. These desktops are easily managed, and configurable via Active Directory.

Active Directory's Group Policy Objects (GPOs) and Group Policy Preferences (GPPs) offer administrators a simple, centralised, and secure method to lock down Internet Explorer's (IE's) settings. This includes the ability to configure browser extensions such that they require permission for every website that attempts to utilize them.


This is a critical security feature. Certain common extensions such as Java, Reader or Flash provide worrisome attack surfaces. Without the ability to lock these browser extensions down, no internet-connected computing environment can ever be considered secure.

IE has a horrible public reputation for security, largely due to the zombie-like persistence of IE6. Microsoft has spent a great deal of time and money making Internet Explorer as secure on its own as Firefox with a plethora of plug-ins. These efforts have resulted in a new generation of Microsoft browser. IE8 and later can be made very secure; they even include sophisticated anti-phishing security.


While some aspects of user privacy are worrisome - specifically the ability of advertisers and website owners to track users' browsing habits - browser issues of interest to enterprise and corporate security are perhaps best served by IE.

Corporations don't particularly care if advertisers can track the movements of their employees. While industrial espionage via web tracking is theoretically possible, if you have legitimate concerns about Google being able to glean corporate secrets via your browsing habits, far more industrial-strength security measures are called for.

Corporations do care about viruses, Trojans, and other malware finding their way onto network PCs. Here, a fully up-to-date IE can provide a secure browsing experience with unmatched manageability.

Changing up the internet

Microsoft's utter dominance of the browser market in the early 2000s fed a corporate hubris that resulted in software stagnation. Corporations wanted a stable platform to develop against, and for the longest time Microsoft felt IE6 was "good enough." The real world is no longer so clean and simple.

There are solid business cases for the use of alternate browsers. Microsoft makes an excellent mass market browser, but the lack of a browser extension community has harmed its ability to reach out to the growing number of users who need their browser to do something different.


Firefox's plug-in library is unmatched. Many of these plug-ins offer time-saving productivity enhancements simply unavailable to IE users. Google's Chrome holds the speed crown for most common workloads. In an increasingly JavaScript-enabled cloud computing world, Chrome's raw speed provides a significant advantage over Internet Explorer. Some businesses even find uses for Safari or Opera.

Plug it in, baby

Chrome in particular is starting to see rapid enterprise uptake. Chrome officially supports many enterprise features, including Active Directory GPOs. This brings Chrome within reach of IE's manageability.

More importantly, Chrome offers the ability to whitelist, blacklist, and force installation of extensions. This includes the ability to host extensions on your own server.
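As an added example (not from the article, and not Google's own code), here is the registry-backed equivalent of those Chrome extension policies as a PowerShell script for a Windows host, the same values the Chrome ADMX/GPO templates write. The extension IDs and the self-hosted update URL are placeholders, and the policy names are Chrome's current ones (ExtensionInstallBlocklist/Allowlist) rather than the Blacklist/Whitelist names of the article's era.

```powershell
# Added example: enforce a default-deny extension policy for Chrome on Windows.
# Chrome reads machine policy from HKLM\SOFTWARE\Policies\Google\Chrome; run elevated.
# Extension IDs and the update URL below are placeholders, not real values.

$ChromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

# Chrome stores list policies as a subkey holding numbered REG_SZ values "1", "2", ...
function Set-ChromeListPolicy {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string[]]$Entries
    )
    $key = Join-Path $ChromePolicy $Name
    if (Test-Path $key) { Remove-Item $key -Recurse -Force }   # replace, don't merge, the list
    New-Item -Path $key -Force | Out-Null
    for ($i = 0; $i -lt $Entries.Count; $i++) {
        New-ItemProperty -Path $key -Name "$($i + 1)" -Value $Entries[$i] `
            -PropertyType String -Force | Out-Null
    }
}

# 1. Blacklist everything: '*' blocks any extension that is not explicitly allowed.
Set-ChromeListPolicy -Name 'ExtensionInstallBlocklist' -Entries @('*')

# 2. Whitelist only reviewed extensions (placeholder 32-character IDs).
$approved = @(
    'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',   # e.g. a vetted password manager
    'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb'    # e.g. an internally developed helper
)
Set-ChromeListPolicy -Name 'ExtensionInstallAllowlist' -Entries $approved

# 3. Force-install the internal extension from a server you control.
#    Entry format is "<extension id>;<update manifest URL>"; force-listed
#    extensions are implicitly allowed, so step 2 is only needed for opt-in ones.
$updateUrl = 'https://extensions.corp.example/updates.xml'   # placeholder
Set-ChromeListPolicy -Name 'ExtensionInstallForcelist' `
    -Entries @("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb;$updateUrl")

# Verify what Chrome will see on its next policy refresh (also visible at chrome://policy).
Get-ChildItem $ChromePolicy | ForEach-Object {
    $k = $_
    $vals = $k.GetValueNames() | Sort-Object { [int]$_ } | ForEach-Object { $k.GetValue($_) }
    '{0}: {1}' -f $k.PSChildName, ($vals -join ', ')
}
```

In a domain the same values would normally be delivered through a GPO built from Chrome's ADMX templates rather than a script; the script is useful for standalone machines and for checking what a GPO actually wrote.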

Though Chrome's enterprise configurability is second only to IE's, this enterprise functionality does have its drawbacks.

While not officially supported by Mozilla, there are third parties attempting to make Firefox deployable in an enterprise fashion. While a significant first step, these projects are either abandoned, nascent, or lacking in critical granularity regarding browser extension configurability. Efforts are ongoing, supported by a determined user base.

Neither Apple's Safari team nor Opera seem particularly interested in extending enterprise functionality to their browsers. This last is a shame; the emerging importance of non-Microsoft platforms - especially mobility - makes cross-platform browsing more important than ever.

We are far from the Utopian dream where coding a website to standards results in software that will work across all browsers and platforms. All browsers have quirks. Not all businesses can afford the developer time and expertise required to support all iterations of all browsers. Businesses - especially when coding complex internal-use sites - require a stable target to code for.

The iPhone Effect

Against this backdrop, Apple holds a very special position. iOS devices are among the most popular consumer devices in the history of IT. Their remarkable popularity is almost single-handedly responsible for the increased pressures of the consumerisation of IT. And yet, given Apple's stranglehold over the iStore they alone hold the power to dictate which browsers are allowed to run on this important segment of technology.

Apple simply does not allow alternate browsers to be set as default on their devices. Worse, those third party browsers it does allow must either be remote-proxy hybrid frankenbrowsers, or Safari/Webkit reskins.

Microsoft seems to have been infected by this attitude, locking down Windows Phone 7 against all third party browsers; any third party attempts must be IE based. Only time will tell if this position will change should Microsoft's mobile platforms continue to languish in irrelevance.

While all hope of a truly cross-platform browser appears to be dead, there remains a necessity to manage and configure the browsers we do have available. Here at least, there is hope. Mobile Device Management (MDM) software exists for virtually every mobile device on the market.

Assuming one is willing to omit iOS and Windows Phone devices from the enterprise, it would theoretically be possible to use a single browser across the enterprise. With proper MDM software however, we should be able to configure not only the operating system, but various browsers as well.

The fading relevance of Active Directory

Browser security in the enterprise depends on manageability. IE running on Windows managed via Active Directory made for a great combination. This digital monoculture however represents a past era that will not return.

While Active Directory is still a useful authentication service, it must be supplemented by a number of third-party tools in order to cover the wide array of devices and operating systems in use in the real world. To properly secure browsers in the enterprise, we must move beyond the simple and familiar single point of configuration that Active Directory has represented for so long.

The future of enterprise security belongs to third-party management software. Several contenders exist. Some even offer both desktop and mobile management options. As yet, however, there is no single application covering all devices in play.

Eventually, one of these developers will get ambitious and combine support for virtually all operating systems - mobile and desktop - with one of the many viable replacements for Active Directory. For now, we must rely on multiple management applications to secure browsers - and their associated operating systems - in our environments.

While the days of the homogeneous operating system - and browser - are well and truly behind us, there is still hope for a unified configuration and management environment in our future. ®