Google's Chrome Enterprise offers several types of security protection for organizations, ranging from automatic updates to zero-trust access controls. Enterprises with many remote employees can leverage these protections to create a platform-agnostic, widely compatible set of safeguards that can be implemented across the organization.
"Workers now need to access data from anywhere and on different types of devices," says Robert Shield, Director of Engineering, Chrome Browser Enterprise, in a blog post. "While this change brings more flexibility and productivity to organizations, it requires them to work even harder to secure their data."
Here's an overview of the built-in safeguards available for Chrome users.
By default, Chrome updates itself, upgrading to the next stable version upon browser or system restart. This helps keep browsers as safe as possible from vulnerabilities and exploits.
IT administrators can turn off automatic updates for managed devices and update Chrome manually, or use the extended stable channel which updates Chrome every 8 weeks. It’s recommended to use the automatic updates so you get security fixes as soon as they’re released.
This feature, enabled by default, checks URL requests against a constantly updated list of known malicious sites. If there's a match, Chrome initially blocks access to the site and displays a warning, although the user can choose to proceed to the site anyway.
Safe Browsing also temporarily blocks access and displays a warning when a website's HTTPS security certificates don't match or have expired, indicating a vulnerability that could be exploited by a man-in-the-middle attack. Again, the user has the choice to proceed regardless.
In a default deployment, the end user has the option of turning off Safe Browsing entirely, which Chrome's Settings menu stresses is "not recommended." The other alternative is to choose Enhanced Safe Browsing, which alerts the user to potential threats and proactively screens URLs rather than just relying on a list of known bad sites.
In managed enterprise deployments of Chrome, IT administrators can force browser instances to use Enhanced Safe Browsing. The addition of the BeyondCorp Enterprise framework extends the protections against malware, ransomware and phishing by incorporating signals from third-party security companies, and introduces security-incident reporting, alerting and investigating.
Like many browsers, Chrome has a built-in password manager. But more useful to enterprise administrators is an optional feature called Password Alert. It’s a Chrome browser extension that runs separately from the password manager and greatly reduces the chances of organizational credentials being exposed in data breaches.
Password Alert can warn the user if they are about to enter organizational credentials into blocklisted phishing websites, or into any website that does not appear on an allow list of the organization’s domains. It matches the hash of the typed password with a hash of known organizational credentials, even before the user hits “enter” to send the password to the web server.
In its active mode, Password Alert displays a warning to the user that the organizational-account password is about to be used improperly. It can also be set to notify both the user and administrators by email. In its passive mode, Password Alert can quietly log user behavior without notifying the user.
Reports sent to administrators will include the username, a timestamp, the URL of the webpage the user is trying to log into, and whether the URL is a known phishing website.
Administrators can set Password Alert to force a user to change an organizational password that has been or is about to be reused, and can designate a URL for the password-change page. The organizational credentials being protected need not be credentials to a Google account, but the passwords being protected need to be at least eight characters long.
Administrators can set up and manage Password Alert through Google’s enterprise-cloud management system or through Windows’ Group Policy Objects.
Under normal circumstances, Chrome end users can install and use any browser extension from the Chrome Web Store, and there are also ways to install "off-road" extensions on desktops.
This is convenient for users, but it can create risk for enterprises. Using the policy settings in centrally managed Chrome deployments, IT administrators can restrict the ability of users to install extensions, remotely delete or force-install specific extensions, or have Chrome scan extensions before they are installed.
Managing extensions is just a small fraction of the more than 200 policies that centrally managed Chrome deployments can enforce.
Others have to do with data-loss prevention. Admins can restrict browsers from copying information to clipboards, taking screenshots and printing web pages, either globally or selectively by URL or by device.
For example, an end user might be able to print or copy-and-paste data from a company web application when on a managed computer, but would be blocked from doing so when using a personal device.
BeyondCorp Enterprise, based on Google's own internal network model, goes beyond the protections normally built into Chrome to implement and enforce zero-trust access.
It considers signals such as geographical location and IP address, device status, user and group profiles, and third-party signals data from CrowdStrike, Palo Alto Networks, and other security vendors to make context-aware decisions about whether to grant access to a user, service or application.
BeyondCorp Enterprise Essentials, the "on-ramp" zero-trust offering, provides zero-trust access management to SaaS and SAML-based applications. The standard BeyondCorp Enterprise offering expands that to web applications hosted on Google Cloud Platform (GCP), Amazon Web Services or Microsoft Azure, as well as to hybrid clouds and on-prem application servers. BeyondCorp Enterprise also applies zero-trust access to GCP-hosted APIs and virtual machines.
"With Chrome," says Parisa Tabriz, VP of Chrome, "BeyondCorp Enterprise is able to deliver customers a zero trust solution that protects data, better safeguards users against threats in real time and provides critical device information to inform access decisions, all without the need for added agents or extra software."