ITSPmagazine Podcast Network

Unleashing End-User Productivity Through Secure Browsing: What is the Enterprise Browser? | A Their Story Conversation from Black Hat USA 2023 | An Island.io Story with Brian Kenyon

Episode Summary

In this Their Story podcast episode, as part of our Black Hat USA conference coverage, hosts Sean Martin and Marco Ciappelli connect with Brian Kenyon, the Chief Strategy Officer at Island, to unpack the intricate world of enterprise browsers.

Episode Notes

In this Their Story podcast episode, as part of our Black Hat USA conference coverage, hosts Sean Martin and Marco Ciappelli connect with Brian Kenyon, the Chief Strategy Officer at Island, to unpack the intricate world of enterprise browsers. Together, they explore the pressing need for robust web security and the challenges that orbit it. As the conversation unfurls, they navigate the evolution of browsers, their pivotal role in today's work operations, and how modern frameworks like Chromium have replaced relics like Flash and Silverlight, simplifying web backend and significantly enhancing a consistent user experience.

The trio brings to light the persistent problem of technical debt within enterprise environments, where the existence of outdated applications and frameworks continues to be a daunting issue. They assert the need for an enterprise browser capable of maintaining compatibility with older systems while simultaneously keeping pace with the advancements of the digital era. In addition, the dialogue expands to include the integration of browser technologies in cloud-based applications like Salesforce and ServiceNow, and the challenges inherent in applying policies and ensuring data security within such environments.

The pivotal value of an enterprise browser emerges strongly throughout the discussion, highlighting its ability to augment productivity and provide unique cybersecurity solutions. The conversation orbits around the value of an enterprise browser integrating with an organization's identity and access management systems, yielding granular control over access and actions within applications. Furthermore, Brian draws attention to the deployment flexibility of an enterprise browser, with its ability to be utilized across an entire organization or targeted towards specific departments or teams.

In a concluding note, Sean, Marco, and Brian emphasize the pivotal role of end-user experience in enhancing productivity and the transformative role browsers play in this scenario. They discuss the additional functionality that an enterprise browser can offer (such as built-in copy and paste palettes, PDF editors, and password managers) and caution about potential risks tied to browser extensions, underscoring the need for visibility, governance, and control in this area while allowing the end-users to drive the requests to ensure they get their work done.

A secure enterprise browser, such as the one offered by Island.io, is pivotal in transforming the business narrative, where security ceases to be a mere protective measure and becomes a business enabler. By ensuring a seamless and secure web browsing experience, it aligns with the company's strategic objectives, directly contributing to desired outcomes and fostering an environment where safety and efficiency coexist, driving the business towards new heights of digital innovation.

Ultimately, this episode provides valuable insights into the challenges and benefits of leveraging an enterprise browser within the evolving digital landscape, offering a thought-provoking, informative, and practical discourse for organizations striving to enhance their web security and improve end-user experiences.

Note: This story contains promotional content. Learn more: https://www.itspmagazine.com/their-infosec-story

Guest: Brian Kenyon, Chief Strategy Officer at Island [@island_io]

On LinkedIn | https://www.linkedin.com/in/brianmkenyon/

Resources

Learn more about Island.io and their offering: https://itspm.ag/island-io-6b5ffd

What if the browser was designed for the enterprise? See for yourself at Black Hat - Visit Booth #1474 https://itspm.ag/islandl724

For more Black Hat USA 2023 coverage: https://itspmagazine.com/black-hat-usa-2023-cybersecurity-event-coverage-in-las-vegas

Are you interested in telling your story?
https://www.itspmagazine.com/telling-your-story

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording as errors may exist. At this time we provide it “as it is” and we hope it can be useful for our audience.

_________________________________________

Sean Martin: Marco.  
 

Marco Ciappelli: Sean.  
 

Sean Martin: I'm trying to remember if, uh, you actually, did you, do we go out on the water sailing at one point together?  
 

Marco Ciappelli: We did. We did. I trusted you. You trusted me? I trusted you. Yeah, you did pretty good.  
 

Sean Martin: To avoid the, the big giant ships in the shipping lane?  
 

Marco Ciappelli: Yeah. To get, to get out of the, of the harbor. I remember that. I was like, wow. The guy knows what he's talking about.
 

Sean Martin: Funny enough, even just getting out of the harbor is a, is a journey unto itself. I know. And, uh. Yeah. I mean, if for, for normal sailors or if somebody doesn't think about it, it's. You take the boat out and off you go and then you end up, uh, in Catalina Island and you have some fun and everything's fine. 
 

No, no danger whatsoever.  
 

Marco Ciappelli: That's the problem. No danger. You didn't bring me to Catalina. I know. We didn't, we didn't. So, I, I missed the island. I just went out of the harbor then back and I, I want to know more about this. Look, look how we're like climbing here to get to where we want to go.  
 

Sean Martin: Well, I think there's two, two parts to this story here. 
 

Of course, uh, we're, we're, uh, sharing the name of the company we're chatting with, Island. And, uh, I'm presenting a fact that we often don't think about our journey. We just hop on and off we go. And who knows what we're running across and what, what the dangers are. And that's especially true in, in a technology that pretty much everybody uses at home and at work, and we don't think much about, uh, the risks on the other side of, of, uh, that browser bar that we're typing stuff into and all the buttons that we click and links that we click.
 

So I'm thrilled to have this conversation today because I think we, we don't generally think about this problem yet. When you do today, you'll go, Oh my gosh, we, we should be thinking about this problem and thankfully Brian and team have, have helped you, uh, with this. When you realize what's really going on here. 
 

So Brian, I'm excited to have this chat with you. Um, before we get into kind of where we ended up to today with Island, uh, a few words about yourself, some of the things you've been up to and, and perhaps your, your, your journey to starting with Island.
 

Brian Kenyon: Yeah, thank you. And thank you for the opportunity of joining you today. 
 

Um, so as you mentioned, I'm Brian Kenyon. I'm Island's chief strategy officer, also part of the founding team here. I'm very privileged to be part of starting something so special, but it's actually the culmination of a couple decades of experience. In fact, I started, um, in the very late nineties, um, in my cyber career with a company called Foundstone, which was in the vulnerability management space once upon a time ago.

And many people know the Foundstone name from several of the founders who went on to take on, um, and, and build special companies like CrowdStrike and Mandiant and, um, Cylance to name but a few. Foundstone was acquired into McAfee where I spent the better part of, you know, almost a decade building technology, solving various cybersecurity challenges where a small group of us as an executive team left together to go and join Blue Coat and solve challenges around web security, specifically with proxy infrastructure.

Um, that journey, you know, as we think of our life and journeys, um, that journey had an interesting turn as Symantec acquired the technology and the company. And those of us who were the leadership team at, at Blue Coat, um, had a remarkable opportunity to become the leadership team at Symantec, which very rarely happens in an acquisition where the acquiring company takes over the leadership of the company that's acquiring them, right? And so we had an interesting opportunity to take a look at the Symantec portfolio and revolutionize what they were doing around integrated cyber defense.
 

And all this experience and, and really introductions that we've met and, and folks that we've acquired and technologies that we've acquired all culminated into this area, um, and into the specialization around web security that led to the invention and the creation of Island.  
 

Sean Martin: So let's, let's talk a bit about What you see in the organizations. 
 

I mean, I, I know a lot here having prepared for this conversation, but I think when, maybe I'll just start it this way, almost always when I'm having a podcast in the back of my mind and almost, almost always it ends up coming out as a question of why are we spending so much time trying to shore up controls around stuff that shouldn't be that way in the first place.

And I think the web browser is the perfect example where, I mean, we use it and then we spend a ton of time and money and tools and resources and, and what have you dealing with the risks and the exposure that introduces. And maybe paint a picture for us of how prevalent, and people know this, but when you describe it, I think it'll really resonate with them, how prevalent the browser is in the enterprise and even small, medium businesses, the things it does, the stuff that has access to the trust we place in its.
 

Yeah, paint that picture for us.  
 

Brian Kenyon: Absolutely. And I think actually the theme of this conversation today should be journeys because the browser of a, you know, as an application has had an interesting journey, not only in our consumer lives, but in our enterprise applications as well. And if you think about it, right, let's go back a couple of decades. 
 

You know, the browser ended up as a very innocuous part of our businesses. It came in through operating systems, right? It came in via Safari on the Mac. It came in via Internet Explorer on, on Windows. And then we got creative with Firefox and, you know, Chrome eventually came out. And we've seen many variants on their Chromium, but when you really go back and trace its early beginnings, I mean, it came in through the OS and that at a corporate level, we really didn't care because folks were using it to shop and pay bills where they could pay bills in those early days, but shop and browse for information and, you know, do research.
 

And they were doing it in between meetings, lunch breaks, you know, while they were trying to kill some time. And really all we cared about from a corporate perspective was really almost HR compliance. Don't let these folks, on their break, end up on a site that's going to get us in HR trouble, right? I don't want gambling.

I don't want anything sexual. I don't want anything that, you know, could, you know, potentially cause an HR issue and inside the corporation. That was it. That's, that's what we cared about a browser. And then slowly, almost without notice, the browser started to become a more prominent part of our daily work environment, right?

More and more applications started to become web based. If you're an IT administrator, more and more of your life started pulling up out of, you know, SSH clients and PuTTY terminals and started coming into web browsers and, you know, console configurations in a browser and web applications. And so more and more of our life started emanating and originating in the browser.
 

But here's the thing. The browser never changed, right? It didn't evolve. It didn't grow with its activity inside the enterprise. In fact, it's still the same piece of infrastructure that we deal with with these unapologetically consumer and its design and its requirements and its functionality. And yet, we use it as a main part of our daily work operations. 
 

And we have very little governance and control over it. Now, that's not to say that the browser has gone ungoverned in our environments for all these years, right? Like I said, it's a journey. It started with web filtering and controlling the web usage. And then we started to see more and more data and applications start to become in there. 
 

And so we started investing in DLP systems. We started investing in proxy infrastructure. We started investing in CASBs and API gateways. Then we started worrying about encryption and how we had to break encryption on the wire. And more and more tools and solutions started making it into our environment. 
 

And here we are in 2020 and we're looking back and we're saying, How did our security you know, programs get so expensive. How did they get so complex? How did we start to erode the ultimate end user experience where just to come to work from home, they have to launch a VPN, they have to backhaul traffic, they have to use a browser and their traffic gets interrupted, and they get these opaque error messages when they can't do things. 
 

And this is all an effort to just add shareholder value and create a going concern of our businesses. This was the opportunity statement that Island truly seized, which was, is there and can there be a better way to do this in today's modern technology stack?  
 

Marco Ciappelli: You know, so we talk about a journey, and I love the metaphor of the journey, every story is a journey, and especially the origin story in this case.
 

And the way I see it, as you're describing this, and Sean even mentioned, you know, like, we didn't even think about this as the browser to be, to be the problem. But despite that, it's like, you know, that's what we got. Let's keep going. So we wasted all this time. And I'm picturing this getting water out of it, uh, you know, fixing a hole, maybe like hammering something to it. 
 

And, and, and I'm like, how is that nobody ever thought about, you know, maybe it's time to kind of turn around and get a better boat. And I think like the metaphor is this, is that you can get the boat for the journey. It just wasn't equipped with that. And it brings me to doing something that is using something that is secure by design. 
 

So I would like to go into this concept here. It's like, why we couldn't, you know, why our human mind just didn't, didn't think that way. What do you think?
 

Brian Kenyon: Yeah. You know, it's really interesting. I think it's, um, you know, there, there are these things in our lives that we just take for granted because it's the way they always were. The browser being consumer based was just the way it's always been, and there's never been an introduction of a viable solution that has ever been accepted by the end user community. And so, I, I bring this up specifically because it's not the first time an enterprise or a browser offering has been brought to corporations. We remember companies like Bromium and Invincea, we remember companies like Good Technologies and WebLife, and these were all different browser variants.
 

And the problem was they all died on the vine because the end users revolted. And why? Because the experience was different from what they could get at home and what they had for their entire professional life up until that point. And so while we saw huge inefficiencies with the browser and how the browser worked, the solutions we saw in the very early days were very limited. 
 

And in fact, if you go back and you think about your security as a set of primitives and a set of, of, of principles, if you will, like we've, we all learned in our early CISSP days, you know, authorization, you know, the triple A's and all the things we think about from that perspective. But there are also other principles that were built into this. 
 

And I think, you know, Marco, you said this perfectly, which is the concept of secure by design. And when you think about that concept, the concept is security is baked in from the inside. Well, think about the way we've addressed the browser historically. Security was never baked in the inside. In fact, the only way we could exert security on the browser was from external controls like proxies, like CASBs, like API gateways. 
 

And the efficacy of that is the most brittle you can find because we know just principally, it is far more difficult and costly and complex to secure a system from the outside than it is natively from the inside. We've learned this in bank vaults. We've learned this in safes. We've learned this throughout our lives and physical ways.

The same is true digitally. So how have we gotten here in 2020, where now a company like Island can disrupt and innovate in the space? The answer is Chrome. So over the last decade, Chromium has become the standard for the modern browser, and it's done so because of the way it operates, the user experience, the rendering engine, how it paints the screen, its compatibility across, you know, 99 point, you know, 999% of the internet out there, that has become the standard. And so today, when we think about an enterprise offering around a browser, if you're starting anywhere else from the Chromium open source project, you're starting from a bad place because we've learned historically that the end users matter and end user experience is king.
 

Chromium gets us that end user experience.  
 

Sean Martin: Can I, can I briefly interrupt Brian, because I think there's another point here. Just kind of looking back on, on history and all the different browsers and, and you talked about rendering and, and, and Chromium now supporting 99 plus percent of the operating environment. 
 

The old stuff, all rendered things in different ways and looked at code differently in CSS and HTML and JavaScript and JSON, all the, all the things that I'm not even going to attempt to list them all. That, that underlying complexity was just a mess to try to have any consistency for the user experience, like you described, but then also from a management policy compliance control perspective as well. 
 

If you're trying to apply controls and all this stuff works underneath differently, good luck just maintaining that. I mean, think about different firewalls and different protocols and things like that. So maybe, maybe tie that into how things started leading into Chromium, how Island leveraged some of the simplicity or less complexity, I guess, to really make a difference here.
 

Brian Kenyon: You know, it's a great point. You know, if you go back, if you go back, I mean, you don't even have to go back that far. You go back five years, we, we can start talking about frameworks and technologies like Flash and Silverlight and ActiveX and Java applets. And these were all mechanisms we used for agile development because for one reason or another, it was a more efficient form.
 

We moved from server side compute to client side compute back to server side compute. Now we're somewhere in between with content delivery networks and everything in between. But what's happened is from a programmatic standpoint, Chromium simplified a lot of this. It abstracts an amazing amount of the web back end from the end user. 
 

And that's where that user experience came from. I mean, we can probably all remember back in the days when web compatibility was a big problem, right? You used to go to one site and it worked great and then explore and then you had to go to another and you'd launch Firefox because that was better and it displayed better. 
 

Those days are over with Chromium. Now what's not over inside the enterprise is in our consumer world running across an application that's prominent in our day to day lives that's still running ActiveX or Flash. It's pretty rare, right? It's hard to come up with one of those things. You got to go back to the Wayback Machine at the Internet Archive that define that stuff, right?

But our enterprise environment, you go into a company that's been around a manufacturing firm that's been around for a century, that's been around for multiple decades, you are going to find technical debt. You are going to find applications that were built on IIS four and older. You are going to find these deprecated frameworks because it's what was cutting edge at the time they were deployed.
 

An enterprise browser has to be compatible back to those earlier versions, back to those old frameworks, because even though they don't exist in our consumer life, that Chrome and Edge and all those great, you know, new modern browsers have to work for, our corporations sure rely on them still to keep the business operations up and running. 
 

Sean Martin: And maybe, sorry, Marco, but I'm just, I'm trying to picture the environment now with this, this point in mind. I mean, cloud based application. Let's look at Salesforce, right? Um, a lot of business runs through the ballot or the browser through a Salesforce interface. And not only you probably describe it much better than I, but to your points, companies became and even more so today became technology companies building their own apps, oftentimes leveraging browser technologies to do that.

And there are hybrid applications where they're, they're leveraging something like a Salesforce and have, and they have internal extensions and whatnot to kind of support their internal things. So talk to us about that environment as well, where understanding what's what, where is it's, how's the data flowing through?

What, how do we apply policies to that? And just, just the, the, yeah, the challenges that come with that type of environment.

Brian Kenyon: Well, let me, let me take a step back and first describe a little bit, um, to our audience, maybe what an enterprise browser actually is and what the difference is versus a consumer browser.
 

And then I can highlight why this is relevant in today's day and age specifically. So let me step back and just just I'm going to punch the consumer browsers one more time in the face if I can, and, and again, it's not because the functionality is broken or it's not adequate. In fact, it's, I mean, listen, the way Chromium works, it's changed our life.
 

It's changed the way we interact. It's changed the way we collaborate. It's been one of the biggest enablers we have. But if you take a step back and think objectively, launch your favorite browser, Chrome, Edge, Brave, I don't care what it is, Safari. There are almost no differences between them when you talk about doing your job inside of Salesforce or inside of ServiceNow or inside of any of these corporate applications that we depend on. 
 

There are very little functional differences. In fact, I would contend that employees today, if they're trying to find a more productive work experience or trying to find efficiency in their job, they're doing so through what we would call extensions or plugins into the browser that they get from the Chrome Web Store, the things like that.

The problem organizationally speaking is extensions introduce their own risk, right? There are unknown publishers out there writing these little Chrome extensions that go into your browser and what might be a the source one day could very well the next day turn into a screen scraper or data exfiltration because there's really no governance over that extension.

The enterprise browser was built to satisfy all of these bespoke needs of using a browser inside of a corporation or an organization, whether it's health care or financial services. So, and by inheriting the user's identity, by integrating the browser to an identity stack of an organization, the browser then inherits the identity and also inherits your group memberships and other associations that are tied to your identity, like your entitlements and your claims.
 

And at that point, your enterprise browser becomes actuated with a policy from its management console, which is tied to your persona. The applications you're allowed to visit and browse, and more importantly, actions or operations can you perform while you're in those applications? Can you copy and paste data from Salesforce into email? 
 

Can you download a document? Can you upload a document? What extensions can you have loaded? So, the Enterprise Browser gives you the ability to actually govern almost all aspects of that web experience from a corporate privilege perspective. Now, let me just kind of cut over to the end user experience about this, because if there's one piece you probably pulled from this conversation, it's that end user experience matters.

So again, the difference here between an enterprise browser and one of the consumer builds is the functionality built in for that end user speaks to the productivity of their work and not necessarily being able to watch a video on YouTube or post a comment on social media. Right? This is about how do I make my life better inside my job.
 

So when I was talking about functionality differences and those being missing inside work applications, this is where Island adds value back to the end user. We built our own copy and paste palette, so the user can keep up to the last 50 things they copied and pasted, and that's visually there for them to drag and drop and reuse that stuff throughout their day. 
 

We've built a PDF editor, so they can edit PDF documents directly in the browser. We've built a password manager, so they can store and secure their passwords. We've built AI extensions, so now directly in the browser, you can interact with ChatGPT and other large language models and generative AI solutions.
 

But the corporation has full control over the prompts you use, the data you put in and the data you pull out. So not only is it about giving control, but it's also about bringing productivity back to the end user, giving them capabilities that don't exist in other off the shelf browsers that they use in the consumer world. 
 

Marco Ciappelli: Wow. I think it's one of the first time that I talk about cybersecurity and I look at something that actually, instead of stopping you from doing something and encourage you to do something. That's right. Props to that, right? It's kind of like, okay, I can still, I can do things without having to worry that if I do this, I may create a problem.

Or, no, you can't do that because it's not secure.
 

Brian Kenyon: So it's funny. It's funny you mentioned this. It's the first time in my career with the cyber security technology that when I'm given a demonstration of our platform to a prospect or a customer, it'll be 10 or 15 minutes before they see Island block anything. 
 

We spend our time talking about how we enable a faster time to onboard a user. We spend time talking about how we can get users to work faster, how the applications they use most often are accessible and quick to load and how they can actually use data across them in a visual way without having to have a one in, one out copy and paste buffer. 
 

It's not until 10 minutes in that I show, oh, by the way, I can block this download and I can block you from going to this bad site and these other things. It's actually quite fun.  
 

Marco Ciappelli: So how does it work with, with the rest of the environment, I mean, let's, let's, let's make a sample case study where I'm interested.
 

I have a company. I want to use it. What, what does it take? I mean, what does it change in my, in my security model?  
 

Brian Kenyon: Great, great, great way to look at this. So the first thing to know is, is one of the values of an enterprise browser on unlike other areas of cyber security we've dealt with. And I'll give you a great example. 
 

You think about endpoint protection. You don't look at your company and think I'm going to deploy CrowdStrike to 50%. I'm going to deploy Trellix to click on Symantec to the other 50%. You look at it and say, I want to find efficiency. I'm going to deploy this solution across all of it. Perfect. One of the unique things about Island is we can be deployed in pockets of usage.
 

So we can go and focus on a department, a call center, a small team that has access to really sensitive applications, or we could be deployed across the entire organization. So it's really flexible and granular in how you want to think about leveraging it and how you want to think about protecting your org. 
 

But very simply, we're just a browser. We don't require any special privileges. It's just like installing any other browser you have in your personal life. But while we integrate directly to the identity stack, we inherit that authentication. So for a user, we know who you are, we know what applications you use, and all of that is tied directly into your identity of the organization. 
 

So we're quick deployment, we're quick usage. And then from that point forward, we look, we smell, we render exactly like every other browser. So we can be used, as you know, a full primary browser across the organization where users kind of live in us through all their web browsing activities, or we could just be used for a handful of applications. In either way, you can almost think of us as an API platform because we can integrate to any of your existing tool sets.

So think about this, right? A browser can work asynchronously, meaning if I'm a user and I go download a document, that document is going to take a second to download. Well, while that download's happening, I can interact with other cyber solutions. I can interact with the sandbox. I can interact with the DLP system.

I can interact with the risk registry around that user's risk dynamics and whether or not we should allow them to download the document. All of this can happen behind the scenes asynchronously. Well, Island's enterprise browser waits for a verdict from these other systems and then informs the user as to what action and so not only can we deliver a whole host of really unique cyber security solutions and really just general IT solutions in the browser, we can integrate more elegantly with the rest of your control fabric more so than any other solution you've had because we integrate across the API fabric very simply.
 

Sean Martin: Seems to me, and I know a lot of, uh, I use a lot of tools to, to help run some of the stuff we're doing with the publication.
 

And a lot of them have desktop apps and web apps and I would say nine times out of ten, I, I just default to the web app version because I'm in the web app or the web browser anyway. But what I'm, what I'm leading to here is if I at a company wanted better control over how something is used by different people based on their, the risk factor, that the activity they're performing, the context of the actions. 
 

If I can get a lot of that control through the web browser, I'd, I'd probably want to push everything through there, then try to find controls to sit on top of an endpoint and, and manage it at that level. I don't know. Have you seen use cases for that or?
 

Brian Kenyon: Listen, it's certainly, it's certainly how a lot of our customers are approaching this, right? 
 

I mean, I think there's. There's certain functions inside of a company that is, has a, has a higher predisposition or as a higher likelihood to want to use like a thick app. Like I think of our finance team and our operations person, like dragging him out of his local version of Excel where all of his macros can run and all of those great things are, that's asking a lot. 
 

And then there's, you know, our sales force who live in Google Sheets, who live in Google Docs, who live in these online productivity. So again, it speaks to that. We don't have to look at everything as all or nothing. But, I think your point is, is, if I took it one step further, is very interesting because the stated evolution of almost all of these locally installed desktop apps is a web version. 
 

If you look at the most recent Outlook client that's been deployed by Office 365, we call it an Electron app because it's nothing more than a Chromium skin presenting the Outlook web interface. It's just locally installed. The same thing is true for the Slack client. The same thing is true for the WhatsApp client. 
 

These are all just thin browsers standing in front of a web version of the application. This is going to become our future. This is going to become our new norm. And that's why the browser is such a really critical part of our enterprise infrastructure at this inflection point, more so than any point in history. 
 

Sean Martin: Yeah, I've seen that as well. Well,  
 

Marco Ciappelli: Sean, you want to keep digging deep?  
 

Sean Martin: Yeah, I, I think, uh, yeah, we use a, a service called clickback Click app, I should say, properly that, uh, yeah, it's basically the same thing, a slim browser, uh, on top of, uh, top of all the service they offer. So I want to, um, maybe talk about some of the, the, the extensions, 'cause I know. 
 

I know companies like to build things bespoke for their users, for their customers. And you mentioned the widgets and the extensions and things like that. How, how do you help them not just operate perhaps more securely, but do you do anything to help them ensure that they're building stuff appropriate to plug in? 
 

Brian Kenyon: Yeah, it's interesting. So there's a couple of things, right? So when you think about extensions, there's a, perfectly said, there's two ways to get them, right? One's the Chrome Web Store. The other is when an organization, big financials do this all the time. You'll see this in health care where their internal development teams created their own extension specific to one of their apps or to one of their call centers or something in between. 
 

Um, so let me address both of those. So from a Chromium perspective, it would be, it would be a huge mistake for us or really any, any enterprise browser to forego and corrupt that extension landscape. Right? So any extension that operates in Chrome or Edge or any Chromium variant operates inside of Island. 
 

So we can, you can go to the Chrome Web Store and if you're a huge Dashlane user, you're a huge Grammarly user, all of those things are going to work exactly the same. Now, Island's functionality out of the box allows you from a, from a corporate governance perspective to determine not only what extensions do you want to be allowed to be installed inside that Island browser, but even more specifically, when they go to a corporate application or really any application for that matter, you get to ask the questions, what extensions am I comfortable with them having them loaded while they're in the application. 
 

So I'll give you a great example. Everybody's favorite extension, or I'll say everybody, but a lot of people's favorite extension is Grammarly, right? Because, you know, I got mediocre grades in English and frankly you can see it in my emails. So I use Grammarly to help as we would use ChatGPT and others now to help with our language and clean up our copy as we're composing copy for marketing materials or emails. 
 

But the way Grammarly works is it takes a copy of whatever you're working on and pushes it up to the cloud to do its analysis. So I'll ask you that same question. Do you feel comfortable with Grammarly running when you connect to your legal repository that has all of your contract documents? Maybe I don't want that data up in the cloud, but I might like you to use Grammarly when you're composing an email to our customers or something in between. 
 

And so having that dexterity and that granularity to say when it's okay and when it's not okay, man, that's functionality that's never been afforded in the enterprise when it comes to browsers. Now, when it comes to custom-built homegrown extensions, well, Island offers value there, too, because not only can we help you build the extension correctly right through our own development, but we're going to make sure that that extension runs correctly inside the browser. 
 

So even if it's trying to access things like the network or it's trying to access page contents when it's not supposed to, Island can put guardrails around that extension and make sure it's not accessing part of the OS, not accessing part of the page or the application. 
 

Sean Martin: So I want to, Marco talked about how it fits into kind of the operations of, of the business and you touched on the platform aspect of this and the API-driven aspect of this to connect to other security functions. Um. Talk to me about the teams responsible for this. And I'm looking at policy teams and privacy and security and ops and IT and security. Who has their hands on what here, um, in terms of bringing this to life?
 

Brian Kenyon: It's, it's, it's really, what's wonderful about this is it's, it really follows well to the organizational disciplines you've already created, meaning, in, in Island, we have the ability to, we have VPN-like functionality so we can route traffic to private apps or private networks or private clouds that aren't internet routable, right? 
 

That policy can be completely administered and only that network policy could be completely administered by a network services professional. So they connect to the management console when they log in, they see just the, the network components. They're not seeing the data loss prevention. They're not seeing the audit logs of what people's web, um, you know, web history looks like or where they're navigating to. They just see here are the policies for routing traffic for users and which applications. And so we have that role-based administrative capability so that the individual roles and disciplines can have access and have only the provisioned access, but I think what the real heart of your question was, it sounds like Brian, you and Island have built a magic bullet or silver bullet or whatever you want to call it, but you're going to tell me it's going to take a hundred administrators and a massive amount of resources to, to actually build policy around. 
 

And the reality is, um, it really is as flexible as you want it to be. We have organizations who look at this and say, I don't know what the first policy I want to turn on is. So just like every cyber tool I've ever had in history, I'm going to turn it into visibility mode. I'm just going to watch what people do for a while, and then I'm going to use that telemetry to start locking down things that scare me and introduce risk. 
 

Very simple. We have other organizations who have a very acute use case who are saying, listen, I'm watching third party contractors steal our customer database. I'm watching them steal our pricing and they're using it for other competitors or using it for new jobs or whatever. And they want to guard that data. 
 

In that case, they build a policy and that policy really varies very minimally as users interact, because if your goal is to say, I don't want you to download the secret formula for my product, well, then I'm just creating a data protection rule around that, that very rarely changes. What changes is when Brian Kenyon shows up and says, hey, I know you don't want me to have that, but my role and my access really allows me to do that. And so, we've focused a lot of attention on what we call exception-based provisioning. Which means, I need to get to this website, I need to download this document, I need to do X, Y, and Z. That has to be a user-led process. 
 

Exception request. And so right in the enterprise browser again, the difference between consumer and purpose built is I can put that workflow for the user. I need to download this. Let me ask for permission. We'll send a ticket to ServiceNow. That ServiceNow ticket gets distributed to whatever operations person gets to decide yes or no. And then an API call from ServiceNow goes to the Island management console and says, okay, grant access one time or permanently based on it. And so we've gotten really good at that exception. So we've looked at this and we've thought about it. How do you administer it? How do the end users consume it? 
 

And now we're at a point where we're at almost 100 customers deployed and we have the battle scars and the lessons learned from all those deployments to make it easier.  
 

Marco Ciappelli: Wow, that's a lot when you think about flexibility. So I'm going to take this opportunity to flex into the future. And you mentioned already the integration with the generative AI. 
 

I mean, I'm thinking, you know, again, you know, you want to in browser use, there is a lot of services now that you're like, hey, you want to write something, not just correct it like Grammarly, but here, click here. And, uh, no, no, we're going to write it for you. Maybe good. Maybe not. Um, thinking about Midjourney, like you can do like images or do like an illustration for your business, for your brand, your marketing and so on. 
 

So it seems to me that you build this with flexibility in mind. You just explained a few things now. So how are you preparing for this uncertain future of who knows how many other AI services are coming in generative, you know, ChatGPT number 10, what's, what's the future of Island looking like, to be ready for all of this? 
 

Brian Kenyon: It's our new whack-a-mole, right? In cyber security, we always have one. And the new one's AI. Because as soon as one pops up and you grab control of it, there's another. So, here's what we're building towards when it comes to generative AI capabilities. Our CTO, Dan, um, he's been in this web space for a long time. 
 

He traveled around and talked to some of the biggest organizations on the planet, financial services, healthcare, and really got to them and said, what is it when you think about generative AI, what is it that scares you the most? And of course they were scared about their source code and their intellectual property, making it into these language models and being used as, you know, harvesting and information disclosure and just becoming, you know, information that's out there about the company. Of course, that's top of mind. But what they're really concerned about is when those sources create content, whether it's copy that's going into a marketing document or a website, or whether it's source code going into a project, they want to get their hands on it before it spreads through the organization. 
 

Right. If source codes come in from generative AI, I want it to go to Black Duck to see if it's infringing on any copyrights or any trademarks. I want it to go into my source code repository so I know it came from this AI tool from this user and this is the code they pulled out of it. They want the organization to be able to check that stuff in so they can look at a central repository and see where it came from, who's using it and ultimately where it got used. And so we're giving organizations a shim into that usage. By all of this generative AI stuff taking place mostly in the browser, the browser becomes that good interception point for the organization to grab hold of all that new content coming in and be able to put it aside and say, okay, I'm gonna look at this. I'm gonna look at the user that generated it. And now I want to understand better how they're using it. And if it poses risk to work. So we are hard at work building capabilities to do that.  
 

Sean Martin: All I know is this is super cool. I mean, we spoke the other day with the team to kind of get a view of what's going on here. 
 

And Marco and I both came off thinking, um, this is pretty cool. And even, even more so after talking to you here, hearing some of the use cases and the scenarios that you're supporting and the capabilities you offer, I mean, visibility and control, uh, just out the gate, um, obviously really important, um, legacy to future stuff. You can't just support the old stuff, but not, not address the generative AI, uh, capabilities that are coming to bear. And I, I think what really stands out to me is, and Marco made this point, that you're actually, we, we say this a lot, a lot in cyber security, we should be enablers of the business, but you are actually doing that. You're enabling productivity, you're supporting the business workflows, you're giving the users the opportunity to request exceptions to where policies might think something should or shouldn't happen in a certain way and, and not interrupting the, the experience in the process. 
 

So I think, uh, all that to me sounds like, like a huge win and I'll go back to the point I made earlier where I think I made it a couple of times in different ways now, but if we can kind of identify or create an environment where we have a secure by design business, and if the browser is at the heart of that, where we're not having all these apps floating around and, and we can actually put some policies around the browser to help control some of these things, I think we have a much better security posture moving forward with the flexibility to define the policies and, and to the points I made earlier, the flexibility to, to adjust them as needed. 
 

So for me, this, this seems like a huge win for the enterprise and, uh, I'm, I'm excited to have had this conversation with you and Brian, I don't know if there's anything we didn't touch on that, um, he thinks folks should hear before we wrap up here. Um, how can they get a trial? It's probably on most folks' minds at this point. 
 

Brian Kenyon: I mean, listen, we're, we are, we're one of the easiest organizations to work with. Trialing and playing with this tech is one of the easiest you'll ever do because we're not making any changes to any existing infrastructure. It's just a browser. We spin up a management console. We have some local authentication, so you don't even have to integrate it off the bat. 
 

You can just get creating some policies and seeing how it manifests from the user experience. But you know, I guess, I guess where I'll leave you guys is, is with this statement: this is a brand new and exciting space and exciting market, and there's a lot of potential in what is the art of the possible, and there's a lot of capability. 
 

Like you said, this is the first time in cyber where we've looked at something and said, wow, this is what we've always wanted, which is cyber security enabling the business in a safe way. We have a lot to learn. We have a lot of capability to build. We have a lot of barriers to break down and that's going to happen by working with, you know, organizations around the globe. 
 

So we're open to new ideas. We're, we have a very excited, young, aggressive development community and development team that wants to solve real organizational problems. And so our collaboration with our existing customers and prospects is probably one of the most exciting things that's happening. And so my ask of, of the folks out there that listen to this is let's work together. 
 

Let's define the future together, because this is a platform that's going to be here for decades to come.  
 

Marco Ciappelli: Nice.  
 

Sean Martin: Love it.  
 

Marco Ciappelli: And, uh, once we're done with this, I'm going to open my Netscape.  
 

Brian Kenyon: It would be so happy. Yeah.  
 

Marco Ciappelli: And log into MySpace. But, uh, yeah. That's me, very, very vintage. Now, Brian, this was amazing. And I, I, I have to repeat again what Sean said when we were talking with the team, we were like, what, where was this until now? 
 

I mean, it really, it's a, it is a revolution and a revelation at the same time. So thank you for this conversation very much.  
 

Brian Kenyon: Thank you for the time.  
 

Sean Martin: And for everybody listening, of course, uh, we'll include links in the show notes to, uh, to connect with the team at Island and, uh, Brian specifically, and, and also some links, uh, for some additional resources that, uh, that the team wants to share with you, so you all can, uh, experience what Island has to offer. 

So, thanks everybody for watching, listening to this story here on ITSPmagazine. See you at the next one.