CenturionStudio.it - Fotolia
Organizations may look to Chromebooks as low-cost endpoints for certain enterprise use cases, but desktop administrators must be aware of the Chromebook security architecture and determine if these endpoints are secure enough for business use.
Chromebook laptops first came out nine years ago and have gained popularity as a low-cost endpoint to run cloud-hosted applications, user data and web portals. These factors make the Chromebook attractive to enterprise organizations looking to save on hardware and support costs. Typically, Chromebooks are only a few hundred dollars but there are also more powerful enterprise Chromebooks by Lenovo, Acer, Dell, HP and other vendors in the $1200-$1400 range.
Software vendors are moving away from local applications to subscription services, which allow administrators to deliver applications and user data to different endpoint devices, such as Chromebook laptops, via an internet connection.
However, new devices in the enterprise bring new security concerns. Desktop administrators should ask themselves certain questions to determine if Chromebooks are secure for enterprise use. These questions could include the following:
- Do antivirus programs and other security software support Chromebooks?
- What is their vulnerability to viruses, malware and dangerous links in email?
- How does Google handle software and security fixes and updates?
- What are Chromebooks' security limitations?
To answer these questions, let's first examine how Chromebooks work.
Chromebook architecture and design
Generally, Chromebook laptops are much less vulnerable to typical security threats due to the simple operating system design. Chromebooks also benefit from the fact that hackers don't target them as much due to their small market footprint -- similar to macOS devices.
Google frequently updates the Chromebook OS, based on the Linux kernel, and the apps, which Google controls and validates in the Chrome Web Store. Users can only run the Chrome browser, and there are no third-party local applications, which virtually eliminates the need for administrators to manage software and OS upgrades. Just like running Linux from a bootable CD, it is practically risk-free.
However, the unfortunate downside of this approach is that if the user loses internet access, the user can't access web applications or any other work-related data from the browser. Some limited offline applications are available and user data can be saved locally, but this is not the optimal use of a Chromebook. With the architecture, simplicity and limits of the Chromebook in mind, organizations can evaluate how secure Chromebooks are for enterprise use and if their strengths outweigh their shortcomings.
Top Chromebook security features for the enterprise
Chromebook laptops have a multilayer security model that includes automatic updates, application sandboxing, verified boot, data encryption and recovery mode. Desktop administrators should familiarize themselves with each of these features because they offer value from an enterprise security perspective.
All software on Chromebook comes from the Chrome Web Store, which verifies and delivers the latest and most secure versions of any software. Google frequently applies updates to Chrome OS as well. The Chromebook downloads the OS and the applications to the device on each startup, ensuring users access updated software.
IT administrators -- especially Windows admins -- know that user-downloaded updates are easy targets for malware and viruses that exploit vulnerabilities that remain after the update process. Chromebook eliminates this issue because there is no update process to manage.
Chrome OS features application sandboxing, as it runs each application -- including individual webpages -- in an isolated sandbox within the OS, thus isolating it from all other processes. This is similar to the way Microsoft isolates applications in user mode. If an app or webpage misbehaves, simply closing it will stop the issue, and no other desktop elements will be affected. While it is not perfect, it is an excellent security tool to prevent breaches from escalating.
Chromebooks load two versions of the OS simultaneously. One version is the known secure version that the system used when it was last active and healthy. The other version is the newest version, downloaded from Google on startup. If the download is corrupted or infected with a virus -- or has compatibility issues -- the system will use the known secure version.
This would force a Windows desktop crash and leave IT admins stuck analyzing the crash, finding a hotfix, running a driver update or a wipe and reload, or taking the desktop out of production. Windows desktops could use the restore point, but that may not be configured and could be days old, causing data loss. Chrome OS and apps are always updated as they are not local.
The system firmware is located in a tamper-proof trusted platform module in a fixed read-only partition, and the read/write section is encrypted with a 8192 bit RSA security key. In turn, that RSA key stays in the read-only partition. All files are thus encrypted and protected without managing messy permissions that never seem to work. However, if hackers have access to the user's Google password, they will have access to these files.
In a Windows environment, the recovery procedure consists of wiping and reloading data while hoping the backup is secure. However, this process depends on the user backing up files, is painful and costs productivity and time.
Chrome OS uses Powerwash to perform a factory reset, which wipes the hard disk and reloads the OS, programs and apps. Because users store data in the cloud, administrators only have to worry about recovering local files.
Chrome OS supports VPNs for end-to-end protection. Most organizations provide VPN connection software for remote employees to connect from their laptop to the company server. Chrome OS supports L2TP over IPsec and OpenVPN (SSL) protocols, but not Point-to-Point Tunneling Protocol. In addition, to protect against malicious DNS servers that route users to a fake website, Chrome allows administrators to configure a custom DNS server, including one provided by the ISP. However, users should never trust DNS coming from a public Wi-Fi connection from locations such as a coffee shop or hotel.
Overall, Chromebooks are more secure in a threatening environment. A sales rep on a business trip, for example, must be fearful of having the laptop's data stolen over the wire or by losing the laptop. Organizations could exclusively use Chromebooks for travel assignments while keeping another personal computer at the office. In this context, a Chromebook provides a high level of security because there is little or no user data on the device, and it eliminates the need for updating to the latest patches and security updates.
Issues with using Chromebooks in the enterprise
There are some negatives to using Chromebook in the enterprise, including the following:
- Users can't run Microsoft Office applications such as Word or Excel or edit Office files. However, users can view these files. If Office is required, users may not be able to use Chromebooks.
- Applications are limited. Chromebooks may not support some corporate-mandated applications, which could be a complete deal breaker.
- Sandboxing isn't perfect, and misbehaving apps can sometimes affect other programs, just like in Windows.
- Users must get used to fully shutting down the Chromebook after each use. Boot times are only a few seconds, however, so this shouldn't be a huge issue. The frequent reboots ensure that the OS and apps are updated.
- Chromebooks are part of the Google collective, so they will run as a Google environment. This is not necessarily a bad thing, but it leads to less flexibility.
Tips to ensure enterprise Chromebooks are secure
Like any computing device, Chromebooks and Chrome OS require user interaction and administrative configuration. Consider these tips for configuring security on any enterprise Chromebooks.
Secure Google account and password
As usual, the user password is the weakest link in security. Users should take normal password precautions, using company policies and identity management tools. In addition, Google allows for two-factor authentication (2FA). This allows IT to require users to enter a password and a verification code using the authentication wizard (Figure 1).
The setup wizard also allows administrators to configure passwordless authentication, which involves Google sending a code to the end user's smartphone, letting the user log in without entering a password. While the Chromebook approach to authentication is good for security, it can sometimes lead to a bad user experience due to the extra steps.
Users can avoid exposing local data and apps on the internet by logging into Gmail as a guest. Guest mode allows users to email, but it does not leave any files other than a few cookies on the machine after logging off. This is a good practice when using a public computer or on an insecure network.
Configure the Google Chrome browser
When administrators define corporate security standards, they should consider the following settings, located in Chrome Settings.
- Sync and Google Services. These are options for encryptions and autocomplete, which could be a security issue for an organization. The most important setting is "Manage what you sync." This allows admins to configure what data syncs, including apps, history and settings.
- Privacy and security. Cookies and other site data preload pages for faster access. In this section are several settings:
- Allow or block cookies: Choose the right option for the organization and user.
- Preload Pages for Faster Browsing and Searching: This configuration was formerly known as "Prediction service" and "DNS prefetching." It preloads links on webpages that the user may or may not attempt to access. This speeds up connecting to web pages, but it also allows those sites to write cookies to the browser. Many experts advise turning this off for the additional cookies, but this may lead to a performance hit.
- Send a "Do Not Track" request with your browsing traffic: It sounds good not to let websites track users, but it's not that simple. Some will still track the user, and the user may get inappropriate or uninteresting ads. It may not be beneficial to disable this feature.
- Safe Browsing
- Use a secure DNS: This is where administrators can define a custom DNS server such as the one provided by an ISP.
- Site Settings. IT should review permissions to use location, camera, microphone, notifications, Flash, popups and other functions.
Administrative tools for managing Chromebooks
Google Admin is a powerful administration tool that comes with Google's G-Suite offering. The Google Admin tool manages devices, groups, users, domains, apps, security settings, admin roles, data migration and produces custom reports (Figure 2).
There is a per-client fee to manage large organizations, but Google Admin is not limited to Chromebooks, and it even includes mobile devices.
Google Chrome Enterprise is a more comprehensive platform for organizations that want a more enterprise-level product. This includes cloud-based management tools, third-party product support, enterprise-level tech support, additional Chrome extensions, hooks to Microsoft Active Directory and corporate policy support. Google Enterprise comes at a per-client fee.