Organizations may look to Chromebooks as low-cost endpoints for certain enterprise use cases, but desktop administrators must be aware of the Chromebook security architecture and determine if these endpoints are secure enough for business use.
Chromebook laptops first came out nine years ago and they have gained popularity as a low-cost endpoint to run cloud-hosted applications, user data and web portals. These factors make the Chromebook attractive to enterprise organizations looking to save on hardware and support costs. Typically, Chromebooks are only a few hundred dollars. There are also more powerful enterprise Chromebooks by Lenovo, Acer, Dell, HP and other vendors in the $1200-$1400 range.
Software vendors are moving away from local applications to subscription services, which allow administrators to deliver applications and user data to different endpoint devices, such as Chromebook laptops, via the Internet.
However, enterprise desktop administrators are often concerned about security on such a relatively new device for the enterprise. Desktop administrators should ask themselves certain questions to determine if Chromebooks are secure for enterprise use. These questions could include the following:
- Do antivirus programs and other security software support Chromebooks?
- What is their vulnerability to viruses, malware and dangerous links in email?
- How does Google handle software and security updates?
- What are Chromebooks' security limitations?
To answer these questions, let's first examine how Chromebooks work.
Chromebook architecture and design
Generally, Chromebook laptops are much less vulnerable to typical security attacks due to the simple OS design. Chromebooks also benefit from the fact that hackers don't target them as much due to their small market footprint. This is similar to the security advantage that macOS devices hold.
Google frequently updates Chrome OS, which is based on the Linux kernel, and the apps, which Google controls and validates in the Chrome Web Store. Users can only run the Chrome browser, and there are no third-party local applications, which virtually eliminates the need for administrators to manage software and OS upgrades. Just like running Linux from a bootable CD, it is virtually risk free.
The unfortunate downside of this approach, however, is that if the user loses Internet access, the user can't access web applications or any other work-related data from the browser. There are some limited offline applications available and user data can be saved locally, but this is not the optimal use of a Chromebook. With the architecture, simplicity and limits of the Chromebook in mind, organizations can evaluate how secure Chromebooks are for enterprise use and if their strengths outweigh their shortcomings.
Top Chromebook security features for the enterprise
Chromebook laptops have a multi-layer security model that includes automatic updates, application sandboxing, verified boot, data encryption and recovery mode. Desktop administrators should familiarize themselves with each of these features because they offer value from an enterprise security perspective.
All software on Chromebook comes from the Chrome Web Store, which verifies and delivers the latest and most secure versions of any software. Google frequently applies updates to Chrome OS as well. The Chromebook downloads the OS and the applications to the device on each startup, which ensures users access updated software.
IT administrators -- especially Windows admins -- know that user-downloaded updates are easy targets for malware and viruses that exploit vulnerabilities that haven't been patched during the update process. Chromebook eliminates this issue because there is no update process to manage.
Chrome OS features application sandboxing, as it runs each application -- including individual web pages -- in its own isolated sandbox within the OS, thus isolating it from all other processes. This is similar to the way Microsoft isolates applications in user mode. If an app or web page misbehaves, simply closing it will stop the issue and no other elements of the desktop will be affected. This is not perfect, but it is an excellent security measure to prevent breaches from escalating.
Chromebooks load two versions of the OS simultaneously. One version is the known secure version that was used when the system was last active and healthy. The other version is the newest version, downloaded from Google on startup. If the download is corrupted or infected with a virus -- or perhaps has compatibility issues -- the system will use the known secure version.
On a Windows desktop, this would force a crash and would leave IT admins stuck analyzing the crash, finding a hotfix, running a driver update or a wipe and reload, or taking the desktop out of production. Windows desktops could use a restore point, but that may not be configured and could be days old, causing data loss. Chrome OS and its apps are always up to date because they are not local.
The system firmware is located in a tamper-proof trusted platform module in a fixed read-only partition. The read/write section is encrypted with 8192-bit RSA security key encryption. The RSA key is also stored on the read-only partition. All files are thus encrypted and protected without managing messy permissions that never seem to work. If hackers have access to the user's Google password, however, they will have access to these files.
Chromebook has a recovery procedure called Powerwash. In the Windows environment, this would be equivalent to a wipe and reload, hoping the backup is secure. However, the process on Windows depends on the user backing up files. This process is painful and costs productivity and time.
With Chromebook, Chrome OS can execute a Powerwash or factory reset, which wipes the hard disk and reloads the OS, programs and apps. If user data is stored on a cloud drive, that data is preserved as well. Administrators only have to worry about recovering local files on the Chromebook.
Chrome OS supports VPNs for end-to-end protection. Most organizations provide VPN connection software for remote employees to connect from their laptop to the company server. Chrome OS supports L2TP over IPsec and OpenVPN (SSL) protocols, but not Point-to-Point Tunneling Protocol (PPTP). In addition, to protect against malicious DNS servers that route users to a fake web site, Chrome allows administrators to configure a custom DNS server, including one provided by the ISP. However, users should never trust DNS coming from a public Wi-Fi connection from locations such as a coffee shop or hotel.
Overall, Chromebooks are more secure in a threatening environment. A sales rep on a trip to Russia or China, for example, must be fearful of having the laptop's data stolen over the wire or by losing the laptop. In this context, a Chromebook provides a high level of security because there is little or no user data on the device, and it eliminates the need for updating to the latest patches and security updates. Organizations could exclusively use Chromebooks for users on travel assignments, while keeping another personal computer at the office.
Issues with using Chromebooks in the enterprise
There are some negatives to using Chromebook in the enterprise, including the following:
- Users can't run Microsoft Office applications such as Word or Excel or edit Office files. However, users can view these files. If Office is absolutely required, users may not be able to use Chromebooks.
- Applications are limited. Corporate-mandated applications may not be supported on Chromebook, which could be a complete deal breaker.
- Sandboxing isn't perfect, and misbehaving apps can sometimes affect other programs, just like in Windows.
- Users must get used to fully shutting down the Chromebook after each use. Boot times are only a few seconds, however, so this shouldn't be a huge issue. The frequent reboots ensure that the OS and apps are updated.
- Chromebooks are part of the Google collective, so they will run as a Google environment. This is not necessarily a bad thing, but it leads to less flexibility.
Tips to ensure enterprise Chromebooks are secure
Like any computing device, Chromebooks and Chrome OS require user interaction and administrative configuration. Consider these tips to configure security on any enterprise Chromebooks.
Secure Google account and password
As usual, the user password is the weakest link in security. Users should take normal password precautions, following company policies and using identity management tools. In addition, Google allows for two-factor authentication (2FA). This allows IT to require that users enter a password and a verification code using the authentication wizard (Figure 1).
This wizard also allows administrators to configure passwordless authentication. This involves Google sending a code to the end user's smartphone, which lets the user log in without entering a password. This is good for security, but it can sometimes lead to a bad user experience due to the extra steps.
Users can avoid exposing local data and apps on the internet by logging into Gmail as a guest. Guest mode allows users to run email, but it does not leave any files other than a few cookies on the machine after logging off. This is a good practice when using a public computer or on an insecure network.
Configure the Google Chrome browser
When administrators define corporate security standards, they should consider the following settings, which are located in Chrome Settings.
- Sync and Google Services. These are options for encryption and autocomplete, which could be a security issue for an organization. The most important setting is "Manage what you sync." This allows admins to configure which data is synced and which is not, including apps, history and settings.
- Privacy and security. This section controls cookies and other site data, including the preloading of pages for faster access. It contains several settings:
  - Allow or block cookies: Choose the right option for the organization and user.
  - Preload pages for faster browsing and searching: This configuration was formerly known as "Prediction service" and "DNS prefetching." It pre-loads links on web pages that the user may or may not attempt to access. This speeds up the process of connecting to web pages, but it allows those sites to write cookies to the browser. Many experts advise turning this off because of the additional cookies, but this may lead to a performance hit.
  - Send a "Do Not Track" request with your browsing traffic: It sounds good to not let web sites track users, but it's not that simple. Some will still track the user, and the user may get inappropriate or uninteresting ads. It may not be beneficial to disable this feature.
  - Safe Browsing
  - Use secure DNS: This is where administrators can define a custom DNS server such as the one provided by an ISP.
- Site Settings. IT should review permissions to use location, camera, microphone, notifications, Flash, popups and other functions.
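As an added example that is not part of the article, the following Python script audits a Chrome managed-policy JSON document against the Chrome Settings entries listed above and the custom DNS point from the VPN section. The policy names are Chrome's documented enterprise policy names (`DefaultPluginsSetting` only matters on Chrome versions that still ship Flash); the hardened values, the `audit_policy` function and both sample policies are this example's own assumptions, not Google's guidance.

```python
"""Audit a Chrome managed-policy JSON document against a hardened baseline.
Policy names are Chrome's documented enterprise policy names; the baseline
values are this example's own assumption, and the sample policies below are
constructed, not taken from any real fleet."""
import json

# (policy name, predicate that is True when the value is acceptable, weakness)
CHECKS = [
    ("SyncTypesListDisabled", lambda v: "passwords" in v,
     "Manage what you sync: saved passwords still sync to Google"),
    ("DefaultCookiesSetting", lambda v: v in (2, 4),
     "Cookies: 1 = allow and keep; prefer 4 (session only) or 2 (block)"),
    ("NetworkPredictionOptions", lambda v: v == 2,
     "Preload pages: prefetching lets sites the user never opened set cookies"),
    ("SafeBrowsingProtectionLevel", lambda v: v >= 1,
     "Safe Browsing is off (0); 1 = standard, 2 = enhanced"),
    ("DnsOverHttpsMode", lambda v: v == "secure",
     "Use secure DNS: resolver can fall back to the network's own DNS"),
    ("DefaultGeolocationSetting", lambda v: v in (2, 3),
     "Site settings: location is granted without asking"),
    ("DefaultNotificationsSetting", lambda v: v in (2, 3),
     "Site settings: notifications are granted without asking"),
    ("DefaultPopupsSetting", lambda v: v == 2, "Site settings: popups are allowed"),
    ("DefaultPluginsSetting", lambda v: v == 2, "Site settings: Flash/plugins not blocked"),
    # Camera and microphone need an explicit decision either way, so only presence is checked.
    ("VideoCaptureAllowed", lambda v: isinstance(v, bool), "Site settings: camera not managed"),
    ("AudioCaptureAllowed", lambda v: isinstance(v, bool), "Site settings: microphone not managed"),
]

def audit_policy(policy_json: str) -> list:
    """Return one finding per weak or unmanaged setting; an empty list means the baseline is met."""
    policy = json.loads(policy_json)
    findings = []
    for name, acceptable, weakness in CHECKS:
        if name not in policy:
            findings.append(f"{name} not managed: {weakness}")
        elif not acceptable(policy[name]):
            findings.append(f"{name}={policy[name]!r}: {weakness}")
    # Edge case: "secure" DNS-over-HTTPS mode is useless without a resolver template.
    if policy.get("DnsOverHttpsMode") == "secure" and not policy.get("DnsOverHttpsTemplates"):
        findings.append("DnsOverHttpsTemplates missing: secure mode has no resolver to use")
    return findings

# Constructed sample: a permissive profile that only partly restricts sync.
WEAK_POLICY = json.dumps({"SyncTypesListDisabled": ["bookmarks"], "DefaultCookiesSetting": 1,
    "NetworkPredictionOptions": 0, "SafeBrowsingProtectionLevel": 0, "DnsOverHttpsMode": "automatic"})

# Constructed sample: the same profile after hardening (the resolver URL is a placeholder).
HARDENED_POLICY = json.dumps({
    "SyncTypesListDisabled": ["passwords", "autofill"], "DefaultCookiesSetting": 4,
    "NetworkPredictionOptions": 2, "SafeBrowsingProtectionLevel": 1, "DnsOverHttpsMode": "secure",
    "DnsOverHttpsTemplates": "https://doh.example.invalid/dns-query{?dns}",
    "DefaultGeolocationSetting": 3, "DefaultNotificationsSetting": 2, "DefaultPopupsSetting": 2,
    "DefaultPluginsSetting": 2, "VideoCaptureAllowed": True, "AudioCaptureAllowed": False})

if __name__ == "__main__":
    for finding in audit_policy(WEAK_POLICY):
        print(finding)
```

Running the script prints eleven findings for the weak profile and none for the hardened one; the same check can be run over a policy export before it is pushed to the fleet.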
Administrative tools for managing Chromebooks
Google Admin is a powerful administration tool that is included with Google's G Suite offering. The Google Admin tool manages devices, groups, users, domains, apps, security settings, admin roles and data migration, and produces custom reports (Figure 2).
There is a per-client fee to manage large organizations, but Google Admin is not limited to Chromebooks, and it even includes mobile devices.
For organizations that want a more enterprise-level product, Google Chrome Enterprise is a more comprehensive platform for Chrome devices. This includes cloud-based management tools, third-party product support, enterprise-level tech support, additional Chrome OS extensions, hooks to Microsoft Active Directory and corporate policy support. Chrome Enterprise is offered at a per-client fee.