Zero Trust Week: New Product Demo — Browser Isolation
Presented by: David Harnett, Tim Obezuk
Originally aired on March 3, 2023 @ 4:30 PM - 5:00 PM EST
This is a session to demonstrate a new product release that will be announced the morning of this Cloudflare TV slot. Don't miss out because this will be hot off the presses!
Transcript (Beta)
Welcome to Zero Trust Week. These are product demo sessions. Today we're doing a demo session on browser isolation.
What is Zero Trust Week? Zero Trust Week is a big week here in Cloudflare.
We have announcements all week of new products starting on Monday.
Last Monday we announced really exciting new platform Cloudflare One.
And Cloudflare One is a comprehensive cloud-based network-as-a-service solution that really defines the future of the corporate network.
It brings together our Cloudflare for Teams products, which include Cloudflare Gateway, Cloudflare Access, and now Cloudflare Browser Isolation.
Brings it together with Magic Transit and with Cloudflare Network Interconnect for a full solution for corporations.
Really, really exciting platform announced on Monday. Go to blog.Cloudflare.com to see all of our announcements this week.
On Tuesday, we announced Access for SaaS, which is the access product extending to all SaaS applications.
That's really exciting. It's out there now. Customers are using it. On Wednesday, we announced Gateway, a secure web gateway with URL filtering, file type control, but also we announced clients and agents so that you can proxy all the traffic from your remote workers' devices directly into Gateway.
And today, we're announcing the browser isolation beta, which I will now introduce my colleague here, Tim, in a minute, which is really exciting.
And then on Friday, tomorrow, not at nine o'clock, we've been doing these sessions every day at nine o'clock, but tomorrow it's at 10 o'clock, we'll be doing a really exciting announcement around Magic Transit.
So with that, I'm going to stop sharing the screen and we'll be able to see Tim.
So I'm joined with Tim Obezuk, and Tim is the product manager for browser.
I am David Harnett, and I am director of product management for Cloudflare for Teams.
So Tim, welcome. The announcement today is for Cloudflare browser isolation.
The great thing is, I know a lot about this because I was in the company S2 Systems that was acquired by Cloudflare on January the 1st.
And on January the 1st, S2 Systems joined.
All of us are now part of the Cloudflare for Teams organization, which is really exciting.
And we have been working since January to move browser isolation from the network we were running it on before, as a private company, to Cloudflare's edge.
So it is now going to be running in 200 locations around the world.
It's going to be screaming fast, and we're really, really excited about that.
Back to you, Tim. I'm excited to introduce myself. I'm the product manager for Cloudflare browser isolation, which is basically a browser.
It's the ability to browse the Internet, but in a way that avoids the security implications of using a web browser.
I don't know if you noticed, David, but 70% of endpoint compromises actually occur through a web browser.
That's someone clicking a link, going into a malicious website, downloading a bad file, accidentally uploading a file to a website that looks very similar to their company website.
Browsers are extraordinary because they can do so much, but they're a real place where security vulnerabilities can occur very easily.
So at Cloudflare, we want to help build a better Internet.
And one of the ways that we're doing that is by reimagining what the web browser looks like.
It was built with a lot of assumptions back in the 90s that don't necessarily hold true to today.
So we have built a web browser that runs at the Cloudflare edge in a contained environment, and the browsing activity and the visual updates for what you're seeing stream from Cloudflare's closest data center to your computer, which delivers a really responsive and secure browsing experience.
That's incredible. When we were in S2 Systems, we were always embarrassed about the latency from the five data centers that we were using, that we'd rolled it out across.
In fact, the latency was less than regular browsing because we were loading the web pages really fast in the cloud, and then by compressing the visual stream and sending it, it was actually really fast.
But now running it in 200 data centers, it's just going to be a whole different story with regards to latency.
So Tim, we've had these great announcements this week.
We've talked about Cloudflare One and Cloudflare for Teams.
Can you tell us how is browser going to fit with Cloudflare for Teams and with Cloudflare One?
So when we look at the Cloudflare for Teams product suite, it's really made up of a trident of three services now.
That is Cloudflare Access, Cloudflare Gateway, and Cloudflare Browser Isolation.
Cloudflare Access is your VPN replacement tool.
Essentially, it allows you to create a secure connection to a private internal application and to allow all of your staff and your contractors to use it, regardless of what identity provider they might be using.
They could be using LinkedIn, Google, and they can all aggregate together using Cloudflare Access.
That's great for your internal applications, but what about the security of users just browsing the regular old Internet?
That's where Cloudflare Gateway comes in as the secure tunnel for the secure web gateway for making sure that any known threats, websites that are on known malicious watch lists or matching sort of signature for a malicious HTML content, we can detect them and block the web browser from even loading them in the first place.
And that works for any web browser and any application that the computer might be connected to.
Where Cloudflare Browser Isolation fits in is the web browser is ultimately the thing that executes a whole bunch of code and renders the web page.
So what happens if a threat passes through the gateway undetected because it's an unknown threat?
Ultimately, it's on your endpoint devices, on your computer, and your device is now at risk of being compromised, and that leads to your network being compromised as well.
What Cloudflare Browser Isolation does is it brings that browsing experience, all of the HTML, CSS, JavaScript that the user's interacting with when they access a website, and executes it at Cloudflare's edge.
So if there's a compromise, like a bug running on that website, and it is able to update the client with something, all it can really do is paint pretty pictures.
It can't interact with the networking stack, or the Bluetooth stack, or the USB stack.
Web browsers have hundreds of APIs, and it's extraordinary what they can do.
They're really fascinating pieces of software that really do seem to replace desktop native applications today.
But for most people, that's an enormous security risk.
Yeah, absolutely. So I'm going to ask you to do a demo now, if you could, please.
Take a minute if you want. I know you're now on your phone hotspot. I don't know whether you're going to try and switch over, but are you okay on your phone hotspot?
Is that going to work? I think so. Let's give it a go. Okay, let's go.
I've done lots of demos on my phone hotspot, going around to customers and partners.
So I know what it's like. Cool. Is my screen with the blue browser visible for you?
Yeah, I can see it fine. Cool. So one of the first questions a lot of people have about using any sort of remote browser product, or any sort of product in their business is, what's the experience for the end users?
How are you going to use it?
The great thing about browser isolation is it works like any other web browser.
It can integrate with an existing web browser. So if I want to go to a website, let's say I'm on Google and I want to go to Cloudflare, I can just type in Cloudflare and it'll show me the search results for it.
Now what we might not be able to see, and what we hope your end users would never see, is the fact that they're actually running this page within a remote browser.
And you can see that because if I open up the certificate here, you can see that it's going through to Cloudflare for Teams Gateway proxy.
If I click through a few sites, we can see different news articles, we can see some images, all sorts of things popping up with Cloudflare here.
But ultimately my browser is not rendering this web page. It's receiving the really high level two-dimensional draw commands to say, please draw a circle here, draw a box over there, and that's really easy for my browser to render.
It doesn't need to download all of the additional content that comes with this web page.
Looking here, we've got another website.
We've got the Cloudflare web page. I like this site because one, we can see some examples of third-party JavaScript.
So if I go to our Cloudflare page here, if I recall correctly, we should be able to see the chat client down the bottom here.
There it is. So this is some third-party JavaScript that we have on our website to allow people to talk to us about Teams.
This works just fine using the Cloudflare browser.
The reason for that is when we use network vectoring, we're not streaming a video, we're not sending a reconstruction of the browser that we've scrubbed or sanitized.
We're literally sending the web page as it was, as a vector that works really well, whether you're using a small device or a big, large 4K screen.
I'm on my mobile now, which I didn't plan to be, but this is a very high-resolution screen, and we can see the image looks sharp without needing to send a high-quality video or anything like that.
It's always hard to see how this thing is working over Zoom, but it looks really good.
From here, it just looks like a normal browser, which of course is good.
We always say that good demos, you don't notice that you're actually demoing a remote browser isolation, so this is great.
Tim, I'm going to ask you at some point, but you can let me know whether you want to demo any more here, but I'm going to ask you at some point to help us understand this stream.
You were mentioning that we send a visual stream. What is that about? Tell us a little bit more, because that sounds like it's the secret sauce behind this.
Yeah, the best analogy I think I can use is if you're a web developer, and you're sending an image to a client's browser, you have the option of even sending a bitmap image, exact pixels of the image you want to draw on the client's browser, but that bitmap doesn't really work on large devices.
Ultimately, you might choose to use an SVG image, which is that mathematical representation of the logo or the image, and it can scale up to any device size.
We've done that, but with what you can see in the browser window, so that is what allows us to send really small amounts of data, very small APIs in order to tell the computer to render these certain behaviors, and it's very lightweight and runs really well.
Great. I've got a few more things I want to show you, David.
Okay, excellent. So, this is a browser here.
See, if I right-click, you would normally expect to see the Chrome developer tools, but since we controlled a browser, we're able to apply a number of settings to improve the security of the web page.
So, step one is people can't play around with the dev tools and see what's going on here, but if they were to try, say, downloading the image, we can allow them to save the content, or if you even right-click and save the page, it looks like it's downloaded, but notice in my downloads folder over here, there's nothing there, right?
It's actually not downloaded to my computer.
It's downloaded to the remote computer at the Cloudflare Edge.
If I open a file, it's now downloaded to my computer, right? This is really interesting.
Definitely, this is one of the areas that customers ask a lot about.
They say, okay, great, so you're going to protect me when I'm browsing. What happens when my people download files?
And this shows that you have the ability to then hold that file so that some customers can just have their employees view it in the Cloud, or you can allow certain departments or certain groups of employees to download.
I think this is a great part of browser isolation. Yeah.
If this was a malicious file, we would have been able to hold it at Edge, scan it, and prevent it from being served, or even apply rules to control what websites people could download files from.
That's great. Okay, what's next in this demo?
I'm excited. Cool. So I wanted to move away from just basic searching or the Cloudflare website and move on to some email.
So I've created my little email account here.
Looks like I just have to log back in. So tell me here, so you're logging back in.
That's just you logging back into Google, is that right?
Yeah, just logging back into my email account. Okay, great. Within the browser session.
Yeah, I was thinking that you were going to show us that this is behind access, but that was actually you just logging back into your Google account.
Okay, great. That's right. Just normal. We can talk about that later, how this is behind access.
Yeah. So this is the Google application. So I could do things like check my emails.
I got my own emails that I've been sending to myself here with pictures of my cat hanging out on top of my computer.
Nice. But things that you would do every day, like moving it into folders, for example, that all works.
You can still star images, star your emails. Basic email kind of browsing works.
Email is actually a use case that we've been hearing a lot from customers. Email is an enormous security risk for businesses because it contains a large amount of company data.
10 years ago, it wasn't uncommon for everybody to be downloading all of their emails to their computer using IMAP and POP.
And we've since moved to web-based email.
So now the browser has become a clear target for getting access to this kind of data.
So the customers we've been talking to have been really excited to use browser isolation for individuals within their business who have very sensitive emails.
They want to make sure they never get sent to an end-user device.
Yeah, absolutely.
And the last one I want to show is my calendar as well, David.
So this is our Google calendar running in the browser.
That's great. So can you do things like move that appointment to another day?
I was hoping to take the rest of the day off, but...
Oh, you were. Should I move it? Yeah, maybe. But yeah, I can move that to Friday afternoon if I like.
Okay, that's great. So basically everything in here, you're now in a fairly detailed web app and everything is moving around just like you would want it to.
Doesn't look any different to me from this side. So that's really great.
So what else are you going to show us, Tim? I know you have a whole bunch of other things you're going to show us here.
Yeah, sure. So one of the things I'm conscious about with doing this demo is it's mostly seamless into the user's browser.
They aren't really conscious of what they're doing. So I have another way of showing how the proxy works, how the browser isolation proxy works, which allows you to get a real visual sense of what the streaming technology is doing.
So if I switch over to this tab, I've got Google here running on a website, which is try.browser.run.
Now this, if you try going to it, for those following along at home, you're not going to be able to get into it because it's protected by Cloudflare Access, our VPN alternative.
Now, the reason I like showing this example is it works just like a normal web page.
There's no proxy in the way.
So we can see it going directly to another server. And Tim, what does that mean that it is protected by Access?
What does that mean? Only people who are Cloudflare employees can complete the Cloudflare authentication to access this web property.
Whenever we're developing tools at Cloudflare, we don't really have to think about how do we secure access to this new tool or something just internal tool that we're using and how do we let people remotely access it?
Everyone just uses Cloudflare Access and can access it themselves.
It integrates with their hardware token and we can ensure that only our employees are able to access these internal tools.
I was super excited to see that we now offer it for free for the first 50 users, which is great for startups to get started for free.
That's great.
Cool.
So I've got my DevTools here and this is going to be a little bit more technical because I'm going to be talking about what's happening inside the web page.
I've connected to the try.browser.run site and that has then downloaded our local client which then downloads what's called a WASM bundle.
This file here. Now WASM is WebAssembly.
That is a way of running near-native code in the browser. Remember at the beginning, I was talking about how web browsers can do basically everything with near-native applications.
WASM is a way of running basically native code in a web browser.
So people are building all sorts of 3D games inside WASM.
You can do pretty much anything with it. It's also a really great tool for us to use to take the two-dimensional vector information from the browser at Cloudflare's edge and re-render it back on the web page.
So your computer, when it accesses the site, downloads this local client, a very, very thin local client and all it can really do is just interact with the draw commands.
There's about 30 of them which creates a really small attack surface and it makes it really easy for us to secure.
And then by download, Tim, so what you're talking about here is you're not talking about adding an extension.
You're talking about once you connect to the service, you're actually downloading the code that will then read the draw commands.
Yeah, it downloads. It's not an extra browser. It's not an extension. It doesn't look any different.
It just downloads. Okay, that's great. Absolutely, no other extensions are required.
And because the browser, so the blue browser I was showing you before using a proxy, that works with a proxy PAC file.
It's a forward proxy like any other.
So it is very easy to integrate with your existing device management systems.
We do have a question that I think you will get to, which is, can you show us a YouTube video?
What does streaming video look like? So at some point, I think you're going to show us a video, Tim, and then that'll answer one of the questions that has just come in to us.
Sure. And then just while you're doing that, so what you're just outlining here is that a customer will have this set up and then they're going to be able to via Cloudflare for Teams.
So they will proxy their traffic and their browser will just look normal.
It won't have try.browser.run. You're on try.browser.run, which is a test site for us, but you can run this demo.
And previous to this, you showed us the browser with just a regular URL bar that was actually using our proxy.
So that's what customers are going to see. Okay, that's great.
Yeah. Okay, so let's have a look at YouTube here. Maybe that quiet.
Oh, this is the video we put out at the start of back in April, I think.
And I think that's a great question to come in, that poor Tim is talking over his phone on his phone hotspot, going through a demo here and now playing a video and it all seems to be working fairly well.
Cool.
That's great.
So what else are you going to show us here, Tim? I know when we were doing some prep for this, we were talking about some image searches, which looked pretty cool.
Yeah, yeah. I did them at the beginning, but I'll show again.
Yeah. You always like me searching for cars, don't you?
I do. Cars, you get a nice, clean set of images and there's lots and lots of them.
Yeah. So it just shows the speed of which you can pass pretty image intensive, that's pretty intensive stream to the local browser.
That looks great. Yeah, it's interesting because images are still images at the end of the day.
It's things like this little box, which is that network vector.
So the majority of the page doesn't need to be streamed like a pixel push or a video.
It can just be a lightweight content. Yeah, that's great.
So can you tell us more about the stream? And I know you've mentioned this before already, but just so that people understand.
So we are running this on the Cloudflare network on the edge.
We're running it in a container and we're sending a stream.
First of all, the WASM code gets sent into this local browser.
And then can you just walk through again, how does that stream work? And while you're doing that, you mentioned upfront that this is different than other approaches.
If you can just kind of go back through how our stream works and then how that may be different than some of the other approaches that are out there.
Sure. Here's a link I prepared earlier, which actually has a Google Slides link within the browser proxy.
So when we look at this webpage, most of this page is made up without needing any images to be sent through.
So it allows us to leverage that network vector technology.
Ultimately, when you're doing any sort of remote computing technology, you're going to need to push a visual representation of the content in some way.
Now, if you're doing a video game or a complete computer desktop, pixel pushing, serving a video-like stream is really the only approach you've got.
Now, one of the challenges with pixel pushing and video streams is the larger the resolution of the screen gets, the larger the video stream gets and the larger all of the encoding work becomes.
And it's extremely computationally intensive and requires high bandwidth for the end user.
They need a good Internet connection and to not be using their mobile phones in order to use it effectively.
That's sort of the world of like general desktop workspace computing.
When you move to the browser, you have many more opportunities to improve the method of serving the remote browser.
Since the web browser is made up of a fairly known quantity, HTML to CSS and to JavaScript, it does introduce the option of looking to scrub this content.
So a number of browser isolation technologies, what they'll do is they'll download all of the content, download it, unpack it, scrub it for known threats and then throw away anything bad and then repackage it back together and send it to the browser as the existing browser code, like CSS and JavaScript.
Now, that's great when it works and when the threat is known and you scrub the right threat.
But at the end of the day, you're still sending third-party code to the end of the device.
And if something gets through, the end device is the device that gets compromised.
So we were looking for a way to find the best of both worlds.
How do we deliver a video-like stream that works well on large displays and also take the benefits of what the web browser offers us with its way of rendering web pages?
So the stream that we came to, the outcome that we came to was to use network vectors.
So when your browser downloads all of the HTML, CSS and JavaScript, it does all of its computation and then ultimately what it sends to the computer's screen is the ability to draw the 2D instructions, draw a square here, make it yellow, put some text over here, put these boxes down the side of the screen.
This is stuff that is sent once. It doesn't need to be continuously sent.
We can use that to gain a lot of efficiency in the stream that we're sending to the browser.
That's great, that's great.
So Tim, how do we as customers, how do Cloudflare's customers, how do we integrate it with our own networks as a customer?
And then if you can tell us, since we've got one and a half minutes left, can you also tell us how do we sign up for the beta?
Yes. So if you want to use, if you want to integrate browser within your organization, one of the great things to keep in mind is browser integrates really tightly with Cloudflare Gateway.
In fact, the browsing experience is protected by Cloudflare Gateway as well.
So you get that two layers of security on your browsing experience.
So you can implement it as a forward proxy in your organization and it will be transparent to your users browsing the Internet.
We provide a PAC file that you can use to point the browser to Cloudflare's network.
The next question people have is how do I secure this connection, right?
It's great that it's secured between Cloudflare and the Edge, but how do we know the identity of the user who's browsing to make sure that it's not anybody using the Cloudflare browser?
We do that using client certificate authentication.
So there's a unique certificate that you can generate for the user and then that is what allows them to connect into your remotely hosted browser and your ability to track, to control what websites individuals can access.
That's great.
And with 30 seconds to go, how do I get this beta? Yes. So you'll want to go to the Cloudflare blog, open up the webpage and you can read lots of insights about what we've done.
And if you scroll down to the bottom, you'll see a link. I think we actually had a link at the top, but there's a link here you can follow to get to the Cloudflare browser isolation.
That is awesome. Thank you very much, Tim.