Secure access via remote browser isolation

US12088582B2 · US · B2

Patent metadata

Publication number: US-12088582-B2
Application number: US-202217960471-A
Country: US
Kind code: B2
Filing date: Oct 5, 2022
Priority date: Dec 20, 2019
Publication date: Sep 10, 2024
Grant date: Sep 10, 2024

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Techniques to provide secure access to a service via an unmanaged device are disclosed. In various embodiments, a request from an unmanaged device to access a service is received via a communication interface. A user associated with the request is authenticated at least in part by prompting the user to use a managed device associated with the user to interact with data displayed at the unmanaged device. Access to the service is provided via the unmanaged device at least in part via a virtual browser instance running on a secure node and configured to access the service on behalf of the user and stream data associated with the service to the unmanaged device.

First claim

Opening claim text (preview).

What is claimed is:

1. A system to provide access to a service, comprising: a communication interface configured to receive a request from an unmanaged device to access a service; and a processor coupled to the communication interface and configured to: authenticate a user associated with the request at least in part by prompting the user to use a managed device associated with the user to interact with data displayed at the unmanaged device; in response to authenticating the user, cause the unmanaged device to send a request to establish a connection with a virtual browser instance running on a secure node; and provide access to the service via the unmanaged device at least in part via the virtual browser instance running; wherein the virtual browser instance comprises a secure and isolated instance of a browser software and the virtual browser instance is configured to access the service on behalf of the user, receive responsive data from the service, and stream to the unmanaged device content data comprising a subset of the responsive data.

2. The system of claim 1, wherein the unmanaged device comprises an unmanaged desktop or laptop computer.

3. The system of claim 1, wherein the unmanaged device comprises an untrusted browser.

4. The system of claim 1, wherein the processor is further configured to determine that the unmanaged device is not managed.

5. The system of claim 4, wherein the determination that the unmanaged device is not managed is based at least in part on a determination that the request did not arrive via a secure tunnel associated with the managed device.

6. The system of claim 1, wherein the user is authenticated at least in part by causing a QRC or other optical code to be displayed via the unmanaged device and prompting the user to scan the code using the managed device.

7. The system of claim 1, wherein access to the service is provided at least in part by auto-posting an authorization token to a virtual browser provider.

8. The system of claim 7, wherein the auto-post communication includes context data associated with one or more of the unmanaged device, the user, the service, and the request.

9. The system of claim 8, wherein the processor is further configured to receive at least a portion of the context data from the virtual browser instance.

10. The system of claim 1, wherein the processor is further configured to provide to the virtual browser instance a SAML assertion or other credential to access the service on behalf of the user.

11. The system of claim 1, wherein the processor is further configured to set at the virtual browser instance a user-identifying cookie associated with the request.

12. The system of claim 11, wherein the service comprises a first service and the virtual browser instance is configured to use the user-identifying cookie to provide the user with access to a second service via the virtual browser instance.

13. The system of claim 1, wherein the processor is further configured to provide to the virtual browser instance a SAML assertion or other credential to access the service on behalf of the user and the virtual browser instance is configured to use the SAML assertion or other credential to access the service on behalf of the user.

14. The system of claim 1, wherein the virtual browser instance is configured to provide access to the service via remote browser isolation.

15. The system of claim 1, wherein the virtual browser instance is configured to provide access to the service at least in part by streaming to the unmanaged device HTML, or other data comprising data received from the service.

16. The system of claim 1, wherein the virtual browser instance is configured to provide access to the service at least in part by receiving and processing service-related commands entered by the user at the unmanaged device via a page associated with the service displayed at the unmanaged device.

17. The system of claim 1, wherein the processor is further configured to filter service-related data received from the service to exclude at least a subset of service-related data from being provided to the unmanaged device.

18. The system of claim 1, wherein the processor is further configured to filter service-related data based at least in part on one or more of a policy, a rule, a context data, and a configuration data.

19. A method to provide access to a service, comprising: receiving via a communication interface a request from an unmanaged device to access a service; and using a processor to: authenticate a user associated with the request at least in part by prompting the user to use a managed device associated with the user to interact with data displayed at the unmanaged device; in response to authenticating the user, cause the unmanaged device to send a request to establish a connection with a virtual browser instance running on a secure node; and provide access to the service via the unmanaged device at least in part via the virtual browser instance running; wherein the virtual browser instance comprises a secure and isolated instance of a browser software and the virtual browser instance is configured to access the service on behalf of the user, receive responsive data from the service, and stream to the unmanaged device content data comprising a subset of the responsive data.

20. A computer program product to provide access to a service, the computer program product being embodied in a non-transitory computer readable medium and comprising computer instructions for: receiving via a communication interface a request from an unmanaged device to access a service; authenticating a user associated with the request at least in part by prompting the user to use a managed device associated with the user to interact with data displayed at the unmanaged device; in response to authenticating the user, causing the unmanaged device to send a request to establish a connection with a virtual browser instance running on a secure node; and providing access to the service via the unmanaged device at least in part via the virtual browser instance running; wherein the virtual browser instance comprises a secure and isolated instance of a browser software and the virtual browser instance is configured to access the service on behalf of the user, receive responsive data from the service, and stream to the unmanaged device content data comprising a subset of the responsive data.

21. The system of claim 1, wherein the authenticating the user associated with the request includes authenticating the user with respect to the service for which content data is received by the secure node.

22. The system of claim 1, wherein the processor is further configured to determine that the request to access the service is received from an unmanaged device in response to receiving the request and determining that the request was received other than via a secure tunnel.

23. The system of claim 1, wherein the virtual browser instance restricts a storage on the managed device of protected data comprised in the subset of responsive data.

24. The system of claim 1, wherein the streaming of the responsive data restricts a functionality of the unmanaged device with respect to protected data comprised in the subset of responsive data.
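The following Python sketch is an added illustration, not code from the patent or its assignee. It models the exchange in claims 1, 5, 6, 17 and 22 with constructed names and data: a broker that treats any request arriving outside the managed-device tunnel as unmanaged, binds a user to the request only when an attested managed device confirms the displayed challenge, and then admits the unmanaged device to an isolated browser that calls the service itself and strips policy-protected fields before streaming. Class and field names, the `protected_fields` policy and the sample service response are all assumptions.

```python
import secrets
# Constructed example (not code from the patent or its assignee): a broker and an
# isolated browser modelling the claimed access flow with made-up names and data.
class Broker:
    def __init__(self, protected_fields):
        self.protected_fields = set(protected_fields)  # filtering policy (claims 17, 18)
        self.pending = {}   # QR challenge -> user, set once the managed device confirms it
        self.sessions = {}  # connection token -> authenticated user
    def request_access(self, via_secure_tunnel):
        # A request that did not arrive over the managed-device tunnel is unmanaged (claims 5, 22)
        if via_secure_tunnel:
            return None
        code = secrets.token_urlsafe(16)  # rendered as a QR code on the unmanaged device (claim 6)
        self.pending[code] = None
        return code
    def confirm_from_managed_device(self, code, user, device_attested):
        # Only an attested managed device may bind a user to a pending, still-unused challenge
        if not device_attested or code not in self.pending or self.pending[code] is not None:
            return False
        self.pending[code] = user
        return True
    def connection_token(self, code):
        # Once confirmed, the unmanaged device is sent to the virtual browser with this token (claim 1)
        user = self.pending.pop(code, None)
        if user is None:
            return None
        token = secrets.token_urlsafe(16)
        self.sessions[token] = user
        return token

class VirtualBrowser:
    # Isolated browser on the secure node: it calls the service itself and streams only a subset
    def __init__(self, broker, service):
        self.broker, self.service = broker, service
    def stream(self, token):
        user = self.broker.sessions.get(token)
        if user is None:
            raise PermissionError("no authenticated session for this connection")
        response = self.service(user)  # reached from the node; the endpoint never talks to the service
        return {k: v for k, v in response.items() if k not in self.broker.protected_fields}

def run_flow(device_attested=True):
    # Drive the exchange end to end; returns what reached the unmanaged device, or None if refused
    broker = Broker(protected_fields={"ssn", "download_url"})
    service = lambda u: {"user": u, "balance": 42, "ssn": "123-45-6789", "download_url": "/export"}
    code = broker.request_access(via_secure_tunnel=False)
    if not broker.confirm_from_managed_device(code, "alice", device_attested):
        return None
    return VirtualBrowser(broker, service).stream(broker.connection_token(code))
```

Note that the unmanaged endpoint only ever holds the challenge code and a connection token; the service credential and the unfiltered response stay on the secure node, which is the property the claims rely on.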

Assignees

Ivanti Inc
Inventors

Classifications

  • H04L63/083 (primary): using passwords (cryptographic mechanisms or cryptographic arrangements for entity authentication using a predetermined code H04L9/3226) · CPC title

  • by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity · CPC title

  • based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint · CPC title

  • using tickets, e.g. Kerberos (cryptographic mechanisms or cryptographic arrangements for entity authentication using tickets or tokens H04L9/3213) · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US12088582B2 cover?
Techniques to provide secure access to a service via an unmanaged device are disclosed. In various embodiments, a request from an unmanaged device to access a service is received via a communication interface. A user associated with the request is authenticated at least in part by prompting the user to use a managed device associated with the user to interact with data displayed at the unmanage…
Who is the assignee on this patent?
Ivanti Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/083. Mapped technology areas include Electricity.
When was this patent published?
Publication date Sep 10, 2024 (kind code B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).