Chromebook Security: Learn the Basics and Guidelines to Secure Your Organization with Chromebook

Often associated with the education sector, Chromebooks actually make excellent business laptops. The main reason? They’re built to be secure. That means they’re good at protecting sensitive data. This is a must-have in today’s business environments, which are constantly besieged by cyber threats.

Learn About Chromebook Security Features 

Most regular laptops don’t have a lot of security out of the box. It’s usually the owner (or, in the case of corporate laptops, IT) who adds security as an afterthought. Chromebooks are different. They’re all built with security features as part of their design process. Let’s discuss some of those security features now.

Smart and fast updates 

Software and firmware updates are very important because they sometimes include security patches that eliminate known vulnerabilities. Unfortunately, a lot of users aren’t aware of this (or simply take it for granted), so they cancel updates as soon as they know one is underway. Chromebooks address this problem by running two partitions of Chrome OS, a primary and a backup, and then applying automatic updates to the backup. 

When an automatic update is due (either every 6 weeks or anytime a critical security update is needed), it gets applied only to the backup. That way, the user can continue working uninterrupted while the update carries on in the background. On the next reboot, the backup becomes the primary (and vice versa), so the user ends up using a newly updated and more secure copy of the OS every time. 

Sandboxing 

To counter the threats of malware and malicious code, Chromebooks employ the concept of sandboxing. Sandboxing keeps applications and web pages in their own restricted environment or “sandbox”. That way, even if malware or malicious code is lurking in a particular web page, it will remain confined in that sandbox. And because it won’t be able to spread into other parts of the system, that threat will just dissipate the moment the tab running that page is closed. 

Verified boot 

Chromebooks check their own integrity the moment you switch them on. They do so through a process known as Verified Boot. Basically, upon boot up, Chromebooks check the digital signatures of various components of their systems. This includes their firmware, kernels, initial ramdisk (initrd), master boot records and so on. 

Only if all signatures are verified will a boot be allowed to complete. If any malware or anything suspicious is detected during the verified boot process, the entire process is cancelled, and the device switches to recovery mode. Once a Chromebook enters recovery mode, the user will be prompted and then assisted through the rest of the recovery process. 

Recovery Mode 

Speaking of recovery mode, a Chromebook shifts into this mode automatically the moment it determines that both its system and the backup firmware/software are corrupt. Upon entering recovery mode, the device will ask for a recovery storage device (RSD). This is usually a USB stick or SD card with contents that were created by a recovery installer—a small program downloaded from a Google-hosted recovery website. 

An RSD contains the following: a recovery kernel, a recovery root filesystem, a full Chromium OS kernel+rootfs, Chromium OS firmware and other recovery information. A device recovered from an RSD will be basically as good as new. Of course, all the user’s applications and data will be gone after recovery. 

However, since all these digital assets are expected to have been synced to the Google Cloud (assuming synchronization was enabled), all the user must do is log in, and everything will be synchronized back onto the device. 
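The following is an added example, not code from Chrome OS or from the original article. It models the behavior described in the update, Verified Boot and recovery mode sections above: updates go to the backup slot, the slots swap on reboot, every component is verified at boot, and recovery mode is reached only when both copies fail. The slot names, component list and key are constructed for the illustration, and HMAC stands in for the public-key signatures that real Verified Boot checks.

```python
import hashlib
import hmac

# Constructed stand-in for the vendor key. Real Verified Boot checks public-key
# signatures against a key in read-only firmware; HMAC is used here only so the
# example runs on the standard library.
ROOT_KEY = b"constructed-demo-key"
COMPONENTS = ("firmware", "kernel", "rootfs")


def sign(blob: bytes) -> bytes:
    return hmac.new(ROOT_KEY, blob, hashlib.sha256).digest()


def build_slot(version: str) -> dict:
    """Return a slot holding constructed images and their signatures."""
    images = {c: f"{c}-{version}".encode() for c in COMPONENTS}
    return {"images": images, "sigs": {c: sign(b) for c, b in images.items()}}


def slot_is_valid(slot: dict) -> bool:
    """Every component must verify; one bad signature fails the whole slot."""
    return all(
        hmac.compare_digest(sign(slot["images"][c]), slot["sigs"].get(c, b""))
        for c in COMPONENTS
    )


class Device:
    def __init__(self):
        self.slots = {"A": build_slot("v1"), "B": build_slot("v1")}
        self.active = "A"
        self.update_pending = False

    def backup(self) -> str:
        return "B" if self.active == "A" else "A"

    def apply_update(self, version: str) -> None:
        # The update is written to the backup slot; the active slot is untouched.
        self.slots[self.backup()] = build_slot(version)
        self.update_pending = True

    def boot(self):
        if self.update_pending:  # the updated backup becomes the primary
            self.active, self.update_pending = self.backup(), False
        for name in (self.active, self.backup()):
            if slot_is_valid(self.slots[name]):
                self.active = name
                return ("normal", name)
        return ("recovery", None)  # both copies failed verification
```

Changing a single byte of any image in a slot makes `slot_is_valid` return False for that slot, which is why a modified kernel or root filesystem cannot boot silently.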

Data Encryption 

When a regular laptop is stolen, its data is immediately at risk. Even if the thief can’t gain access through the login screen, that thief can still retrieve data stored inside by simply booting the laptop through another operating system or extracting the hard disk and mounting it as a secondary disk on another device. 

A stolen Chromebook is at less risk because most user data are stored in the cloud. However, it still holds certain information, like the user’s email, photos, HTTP cookies and browser cache files, which cyber-criminals can still use to acquire the user’s credentials if they can somehow retrieve them. That isn’t easy though. The techniques we mentioned earlier (i.e., booting from another OS or mounting the disk on another device) won’t work with a Chromebook because user data is protected with file-system-level encryption. 

As a device built from the ground up with security in mind, the Chromebook is perfect for business environments, where data security is crucial. Still, there are ways to further improve the security of these devices.  

Further Improve Chromebook Security 

Despite all the built-in security features baked into Chromebooks, their security can be hardened even more. Here are some tips you can implement to further improve the security of your organization’s Chromebooks. 

Use strong passwords and add two-factor authentication 

Although certainly a very powerful security feature, encryption won’t be able to protect a user’s data if a cybercriminal somehow gets a hold of that user’s password or guesses it. Once the criminal manages to log in to that user’s Google account, the thief will be able to retrieve the user’s data. 

To prevent this from happening, make sure users keep their passwords secret and follow strong password best practices, like using uppercase and lowercase characters, incorporating numbers and non-alphanumeric characters and making passwords at least 8 characters long (the longer the better). 

Better yet, have users enable two-factor authentication (2FA). An authentication factor is something used to prove a user’s identity. It usually comes in one of three forms:

The use of two factors of authentication (or more) would make it more difficult for a criminal to impersonate a legitimate user. For example, you can use Google Authenticator or Authy alongside password authentication, so that even if a criminal guesses or obtains the password to a legitimate user’s account, the crook will still have to hurdle that second factor of authentication to log in. 

Enable sleep locking 

Passwords and 2FA are only deterrents if a threat actor has to get past them. There are, however, several instances when they’re not activated. For example, when a user closes the Chromebook lid and then reopens it shortly after, the login screen will be nowhere in sight. If that user leaves the room for a few minutes, that might be enough time for a threat actor to carry out an attack.

You can prevent this type of attack by enabling the Show Lock Screen When Waking From Sleep option in Settings > People > Screen Lock. This will lock the screen automatically and require a password each time the lid is opened after being closed for any amount of time. 

There are a few other things you can do to improve the security of a Chromebook. Here are two examples. 

Disable a stolen Chromebook 

A Chrome Enterprise customer can disable a Chromebook if it gets lost or stolen. You can do that by signing in to the Google Admin console. From there, you can use a filter to select the current status of the device you want to disable, and then select the specific device to disable it. This will lock the Chromebook in question.  

Block an extension 

Another thing a Chrome Enterprise customer can do from the Google Admin console is manage users’ installed extensions. If you see anything you view as a threat or something your users don’t really need for work, you can block that extension.

These are just some of the many security controls you can apply to mitigate risks on your own or your organization’s Chromebook(s). 

Access Your Windows Applications Securely with Parallels Desktop for Chromebook Enterprise 

While Chromebooks offer a secure and convenient way of using cloud-based applications, a lot of users still need access to certain proprietary and full-featured legacy applications. More specifically, a large majority of these users require access to full-featured Windows applications. Currently, this can be done through solutions like Parallels® Remote Application Server (RAS) and Parallels Access™. 

Both solutions enable users to access full-featured Windows applications through the internet. But what about users who prefer or need to access Windows applications on a Chromebook even without an internet connection? Businesses can now meet the needs of those users by switching to Parallels® Desktop for Chromebook Enterprise.

Parallels Desktop for Chromebook Enterprise makes it possible for IT administrators to run Windows virtual machines on Chromebooks. Once Parallels Desktop is installed on a Chromebook, users will be able to interact with their Chrome and Windows environments simultaneously. Certain folders in Windows, as well as the files stored in those folders, can be accessed from Chrome OS and vice versa.

Launching or re-launching Windows from Chrome OS is quick and easy and can be accomplished in just a few seconds. There’s no need to shut down or boot up. All users have to do is close the Parallels Desktop window or start Parallels Desktop whenever they wish to suspend or resume work on their Windows environments.

Shifting between Windows and Chrome OS is seamless. Whenever the mouse pointer hovers above Windows, all mouse inputs are captured in Windows. As soon as the pointer is brought above Chrome OS, all inputs are in turn captured in Chrome OS. Printing is also straightforward. All Chrome OS printers are exposed to Windows as virtual printers, so Windows applications can use them for printing with ease.  

All applications inside a Windows virtual machine share the same network connection as their Chrome OS host. The Windows guest OS won’t have its own IP address relative to the external network. Instead, it will function as a machine behind a virtual network address translation (NAT), which is great for security. Nevertheless, Windows applications will still be able to access the same network that the Chrome OS belongs to as well as the internet.  

All this functionality provides great value from a security and productivity standpoint. Businesses that use Parallels for Chromebook Enterprise will benefit immensely from the security capabilities of Chromebooks without sacrificing the needs of employees who rely heavily on Windows applications to accomplish their tasks.


