I currently work in a manufacturing company with around 5000 computers and 6000 employees.
We use a lot of web-based line-of-business applications (all internal, not over the Internet) in order to keep production running, developed by the internal Applications department. Although from the functional aspect they run quite well, their adoption of new releases of the browser stack is very, very slow.
In order to run the programs, they require Internet Explorer as well as the Java plug-in. Any new release of either of these two requires intense testing on their part. Before they confirm, we can’t roll out anything new.
From the security perspective, the current stack is far too old. Right now, we are allowed to install Internet Explorer 8 as well as Java 1.6 U30 (about 9 months old).
Since neither I nor our CISO were able to change these procedures (they have full support for this from the CEO), we would like to implement a “Green” and a “Red” browser.
The idea is to cut off Internet Explorer and the IE Java plug-in from the Internet (using rules on the local firewall, the central firewall and/or the central proxy) and to install Google Chrome. Internet Explorer would then be the “Green” browser for anything internal and Chrome the “Red” one for Internet access.
As Chrome would be used solely for Internet access, updating it with a new version and plug-ins wouldn’t need any testing from the Applications department. This way, we would always have the newest version with the best protection.
Of course, this would require some extra work from our side (version checks, deployment jobs, etc.), but I think the extra benefit for security would outweigh this extra work.
Would this be considered a good solution, or would we open new security issues with it?
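Whichever combination of firewall and proxy rules enforces the split, the question of whether it actually holds is best answered from the proxy logs; the script below is an added example (not part of the original post) that flags any request where the green browser (IE or its Java plug-in) reached an Internet host, or the red browser (Chrome) reached an internal application. The log layout, the internal address ranges in INTERNAL_NETS and the DNS suffix INTERNAL_SUFFIX are assumptions; the sample lines are constructed.

```python
"""Check proxy access log lines against a green/red browser split.

Assumed (constructed) log layout: timestamp, client IP, destination host,
HTTP status and the User-Agent in double quotes.  Requests the proxy itself
denied (403) are not counted as violations, since that is the rule working.
"""
import ipaddress
import re

# Assumed internal address space and DNS suffix (placeholders, adjust to site).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
INTERNAL_SUFFIX = ".corp.example"

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "(.*)"$')

# Constructed sample log: IE8, the IE Java plug-in and Chrome 18 user agents.
SAMPLE_LOG = """\
1330000000.1 10.1.2.3 erp.corp.example 200 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
1330000001.2 10.1.2.3 update.example.net 200 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
1330000002.3 10.1.2.4 198.51.100.7 403 "Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_30"
1330000003.4 10.1.2.5 www.example.org 200 "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.162 Safari/535.19"
1330000004.5 10.1.2.5 erp.corp.example 200 "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.162 Safari/535.19"
""".splitlines()


def is_internal(host):
    """True if host is an internal DNS name or an address inside INTERNAL_NETS."""
    if host.lower().endswith(INTERNAL_SUFFIX):
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False          # external hostname
    return any(addr in net for net in INTERNAL_NETS)


def classify_agent(ua):
    """Map a User-Agent to 'green' (IE or the IE Java plug-in), 'red' (Chrome) or 'other'."""
    if "Chrome/" in ua:
        return "red"
    if "MSIE" in ua or "Java/" in ua:
        return "green"
    return "other"


def find_violations(lines):
    """Return (line, reason) for every allowed request that breaks the split."""
    violations = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            violations.append((line, "unparseable"))
            continue
        _ts, _client, host, status, ua = m.groups()
        if status == "403":
            continue              # denied by the proxy, policy held
        zone, internal = classify_agent(ua), is_internal(host)
        if zone == "green" and not internal:
            violations.append((line, "green browser reached Internet host"))
        elif zone == "red" and internal:
            violations.append((line, "red browser reached internal application"))
        elif zone == "other":
            violations.append((line, "unknown user agent"))
    return violations
```

Run it against a real export of the proxy log to confirm the rules behave as intended; a User-Agent check is a monitoring aid, not the enforcement itself, which has to stay in the firewall and proxy rules.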