
Exploring Google Chromebook security for the enterprise

The Chromebook is unique among new entrants in the mobile device arena. Mike Cobb breaks down the key Google Chromebook security issues enterprises need to know.

A proliferation of new mobile devices has emerged in the past few years, but the Google Chromebook is something a little different from the norm. It is essentially a notebook computer, but instead of running Windows, it ships with the Google Chrome operating system and the Google Chrome Web browser.


Unlike other mobile devices, Chromebooks, offered by computer makers Samsung and Acer, are designed to be used while connected to the Internet and have limited offline capabilities. Instead of installing traditional applications, users add Web apps from the Chrome Web Store and store their data in the cloud. As you can imagine, because the Chromebook is designed to be used so differently from today's standard notebook clients, a close inspection of its security capabilities and drawbacks is essential. In this tip, we'll examine Google Chromebook security issues, both pros and cons, and what enterprises need to know as these devices make their way onto enterprise networks.

From a security viewpoint, the Chromebook's most eye-catching claim is that its multi-layer security architecture eliminates the need for antivirus software. The Chrome OS uses the Linux kernel and is designed to defend against the never-ending threat of malware and viruses, but which security controls provide this defense in depth?

It starts with a verified boot. Chromebook stores its firmware in a custom, tamperproof Trusted Platform Module (TPM) chip with two partitions: a fixed, read-only volume and a modifiable read/write section. This secondary partition is encrypted using an 8192-bit RSA key stored on the read-only partition. The read-only partition verifies the cryptographic signature on the read-write firmware to ensure the system code has not been modified or corrupted before it boots to the OS. If it has been altered, the Chromebook enters recovery mode to restore the operating system to a known, good version (Mac OS X 10.7 incorporates something similar called Internet Recovery mode).

Chromebook runs each application and each visited Web page in its own restricted sandbox. The intention here is to prevent any malicious code from spreading or accessing data from other applications. Also, as all the software running on a Chromebook comes from the Chrome Web Store, the OS automatically verifies that the latest and most secure versions are always installed, which is a highly effective method to protect against malware that may exploit vulnerable user-downloaded applications. (This is in stark contrast to the Google Android platform, which, according to a June report by security vendor Lookout, includes hundreds of apps in the largely unvetted Android Marketplace that have been infected with malware.)

Chromebook also stores two copies of the OS so it can switch to a new version without interrupting the user. Of course, it can revert to the known working version if there are any more complex problems. Keeping a system updated is difficult for traditional operating systems due to the wide variety of installed software, all with different update mechanisms, so this is a positive development for administrators taxed with patch management.
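The two passages above describe a root key in read-only firmware checking a signature over the read-write image, two OS copies, and recovery mode as the last resort. The Go program below is an added illustration of that decision flow and is not Chrome OS code; it assumes a PKCS#1 v1.5 signature over a SHA-256 digest and uses a constructed 2048-bit key in place of the 8192-bit root key the article mentions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignImage produces the signature shipped with an OS image. The private key
// stays with the vendor; the device holds only the public half in read-only storage.
func SignImage(priv *rsa.PrivateKey, image []byte) ([]byte, error) {
	digest := sha256.Sum256(image)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// imageOK is the read-only firmware's check of one read-write image.
func imageOK(rootPub *rsa.PublicKey, image, sig []byte) bool {
	digest := sha256.Sum256(image)
	return rsa.VerifyPKCS1v15(rootPub, crypto.SHA256, digest[:], sig) == nil
}

// VerifiedBoot tries the primary OS copy, falls back to the second copy and
// enters recovery only when neither carries a valid signature.
func VerifiedBoot(rootPub *rsa.PublicKey, imgA, sigA, imgB, sigB []byte) string {
	switch {
	case imageOK(rootPub, imgA, sigA):
		return "boot slot A"
	case imageOK(rootPub, imgB, sigB):
		return "boot slot B"
	default:
		return "recovery mode"
	}
}

func main() {
	// Constructed stand-in root key: 2048 bits so the demo runs quickly; the
	// article describes an 8192-bit key in the real read-only partition.
	root, _ := rsa.GenerateKey(rand.Reader, 2048)
	imgA := []byte("constructed OS image, slot A, version 2")
	imgB := []byte("constructed OS image, slot B, version 1")
	sigA, _ := SignImage(root, imgA)
	sigB, _ := SignImage(root, imgB)
	fmt.Println(VerifiedBoot(&root.PublicKey, imgA, sigA, imgB, sigB)) // boot slot A
	imgA[0] ^= 0xFF // simulate tampering with the primary copy
	fmt.Println(VerifiedBoot(&root.PublicKey, imgA, sigA, imgB, sigB)) // boot slot B
	imgB[0] ^= 0xFF // both copies corrupted
	fmt.Println(VerifiedBoot(&root.PublicKey, imgA, sigA, imgB, sigB)) // recovery mode
}
```

A single flipped byte in either image is enough to fail verification, which is the property that lets the firmware refuse a modified OS rather than attempt to detect what was changed.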

However, the biggest difference with the Chrome OS is that it is a Web-only computing environment with documents being stored in the cloud, which is the user’s Google online storage area. This could make it a non-starter for organizations that do not have a security policy to cover data in the cloud or are prevented from storing data there due to regulatory or compliance requirements. While the Chromebook’s relatively small hard drive can store data locally, all applications, settings and preferences are stored in the cloud, so keeping user data there too makes migration to a new machine easy and solves the problems posed by typical backup and recovery methods.


Data stored in the cloud is protected by Chromebook’s TPM chip, which securely generates and stores cryptographic keys in a similar manner to Windows BitLocker. By default, it encrypts all data stored and cached in a user's home directory. This significantly raises the technological threshold to read data from a stolen laptop. It is a better solution than file ownership and access permissions to prevent users from accessing each other’s files, particularly as users with admin rights can typically access any file, and protection is only present once the OS has booted. This approach makes sharing devices within an organization much simpler, plus all browsing data and downloads are deleted when used in Guest Mode.

Chrome OS is designed to protect itself from attack and has the capacity to self-heal and update, but no operating system is perfect, as researchers have already broken past its security protections. However, Chromebook does shift many risks away from the user, who is normally the main cause of data breaches. Storing data in the cloud is a new type of risk, but cloud operators specialize in data security unlike a typical employee. This could appeal to many types of organizations, but the long-term success of the platform depends on the quality of available Web applications and how users adapt to limited offline functionality.

For Chromebooks to be successful in the enterprise market, there will need to be a greater willingness and acceptance of enterprise cloud data storage. There is evidence this is already occurring: Spain’s second largest bank, Banco Bilbao Vizcaya Argentaria (BBVA), recently announced the largest global agreement to adopt cloud-based suite Google Apps for Business. Although all customer data and other key banking systems will stay in BBVA’s own data centres, internal communications and documents will be stored in the cloud. This decision is based on a thorough risk and cost analysis though, so administrators should not let Chromebooks handle company data until they fully understand the implications of this new Web-based computer and are able to control the data it can access.

About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 15 years of experience in the IT industry and another 16 years of experience in finance. He is the founder and managing director of Cobweb Applications Ltd., a consultancy that helps companies to secure their networks and websites, and also helps them achieve ISO 27001 certification. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Michael is also a Microsoft Certified Database Administrator and a Microsoft Certified Professional.

This was last published in January 2012
