Organizations may look to Chromebooks as low-cost endpoints for certain enterprise use cases, but desktop administrators must be aware of the Chromebook security architecture and determine if these endpoints are secure enough for business use.
Chromebook laptops first came out nine years ago and have gained popularity as a low-cost endpoint to run cloud-hosted applications, user data and web portals. These factors make the Chromebook attractive to enterprise organizations looking to save on hardware and support costs. Typically, Chromebooks are only a few hundred dollars but there are also more powerful enterprise Chromebooks by Lenovo, Acer, Dell, HP and other vendors in the $1200-$1400 range.
Software vendors are moving away from local applications to subscription services, which allow administrators to deliver applications and user data to different endpoint devices, such as Chromebook laptops, via an internet connection.
However, new devices in the enterprise bring new security concerns. Desktop administrators should ask themselves certain questions to determine if Chromebooks are secure for enterprise use. These questions could include the following:
Do antivirus programs and other security software support Chromebooks?
What is their vulnerability to viruses, malware and dangerous links in email?
How does Google handle software and security fixes and updates?
What are Chromebooks' security limitations?
To answer these questions, let's first examine how Chromebooks work.
Chromebook architecture and design
Generally, Chromebook laptops are much less vulnerable to typical security threats due to the simple operating system design. Chromebooks also benefit from the fact that hackers don't target them as much due to their small market footprint -- similar to macOS devices.
Google frequently updates the Chromebook OS, based on the Linux kernel, and the apps, which Google controls and validates in the Chrome Web Store. Users can only run the Chrome browser, and there are no third-party local applications, which virtually eliminates the need for administrators to manage software and OS upgrades. Just like running Linux from a bootable CD, it is practically risk-free.
However, the unfortunate downside of this approach is that if the user loses internet access, the user can't access web applications or any other work-related data from the browser. Some limited offline applications are available and user data can be saved locally, but this is not the optimal use of a Chromebook. With the architecture, simplicity and limits of the Chromebook in mind, organizations can evaluate how secure Chromebooks are for enterprise use and if their strengths outweigh their shortcomings.
Top Chromebook security features for the enterprise
Chromebook laptops have a multilayer security model that includes automatic updates, application sandboxing, verified boot, data encryption and recovery mode. Desktop administrators should familiarize themselves with each of these features because they offer value from an enterprise security perspective.
Chromebook has a multilayer security model that includes automatic updates, application sandboxing, verified boot, data encryption and recovery mode.
Automatic updates
All software on Chromebook comes from the Chrome Web Store, which verifies and delivers the latest and most secure versions of any software. Google frequently applies updates to Chrome OS as well. The Chromebook downloads the OS and the applications to the device on each startup, ensuring users access updated software.
IT administrators -- especially Windows admins -- know that user-downloaded updates are easy targets for malware and viruses that exploit vulnerabilities that remain after the update process. Chromebook eliminates this issue because there is no update process to manage.
App sandboxing
Chrome OS features application sandboxing, as it runs each application -- including individual webpages -- in an isolated sandbox within the OS, thus isolating it from all other processes. This is similar to the way Microsoft isolates applications in user mode. If an app or webpage misbehaves, simply closing it will stop the issue, and no other desktop elements will be affected. While it is not perfect, it is an excellent security tool to prevent breaches from escalating.
Verified boot
Chromebooks load two versions of the OS simultaneously. One version is the known secure version that the system used when it was last active and healthy. The other version is the newest version, downloaded from Google on startup. If the download is corrupted or infected with a virus -- or has compatibility issues -- the system will use the known secure version.
This would force a Windows desktop crash and leave IT admins stuck analyzing the crash, finding a hotfix, running a driver update or a wipe and reload, or taking the desktop out of production. Windows desktops could use the restore point, but that may not be configured and could be days old, causing data loss. Chrome OS and apps are always updated as they are not local.
The system firmware is located in a tamper-proof trusted platform module in a fixed read-only partition, and the read/write section is encrypted with a 8192 bit RSA security key. In turn, that RSA key stays in the read-only partition. All files are thus encrypted and protected without managing messy permissions that never seem to work. However, if hackers have access to the user's Google password, they will have access to these files.
Recovery mode
In a Windows environment, the recovery procedure consists of wiping and reloading data while hoping the backup is secure. However, this process depends on the user backing up files, is painful and costs productivity and time.
Chrome OS uses Powerwash to perform a factory reset, which wipes the hard disk and reloads the OS, programs and apps. Because users store data in the cloud, administrators only have to worry about recovering local files.
Network security
Chrome OS supports VPNs for end-to-end protection. Most organizations provide VPN connection software for remote employees to connect from their laptop to the company server. Chrome OS supports L2TP over IPsec and OpenVPN (SSL) protocols, but not Point-to-Point Tunneling Protocol. In addition, to protect against malicious DNS servers that route users to a fake website, Chrome allows administrators to configure a custom DNS server, including one provided by the ISP. However, users should never trust DNS coming from a public Wi-Fi connection from locations such as a coffee shop or hotel.
Overall, Chromebooks are more secure in a threatening environment. A sales rep on a business trip, for example, must be fearful of having the laptop's data stolen over the wire or by losing the laptop. Organizations could exclusively use Chromebooks for travel assignments while keeping another personal computer at the office. In this context, a Chromebook provides a high level of security because there is little or no user data on the device, and it eliminates the need for updating to the latest patches and security updates.
Issues with using Chromebooks in the enterprise
There are some negatives to using Chromebook in the enterprise, including the following:
Users can't run Microsoft Office applications such as Word or Excel or edit Office files. However, users can view these files. If Office is required, users may not be able to use Chromebooks.
Applications are limited. Chromebooks may not support some corporate-mandated applications, which could be a complete deal breaker.
Sandboxing isn't perfect, and misbehaving apps can sometimes affect other programs, just like in Windows.
Users must get used to fully shutting down the Chromebook after each use. Boot times are only a few seconds, however, so this shouldn't be a huge issue. The frequent reboots ensure that the OS and apps are updated.
Chromebooks are part of the Google collective, so they will run as a Google environment. This is not necessarily a bad thing, but it leads to less flexibility.
Tips to ensure enterprise Chromebooks are secure
Like any computing device, Chromebooks and Chrome OS require user interaction and administrative configuration. Consider these tips for configuring security on any enterprise Chromebooks.
Secure Google account and password
As usual, the user password is the weakest link in security. Users should take normal password precautions, using company policies and identity management tools. In addition, Google allows for two-factor authentication (2FA). This allows IT to require users to enter a password and a verification code using the authentication wizard (Figure 1).
The setup wizard also allows administrators to configure passwordless authentication, which involves Google sending a code to the end user's smartphone, letting the user log in without entering a password. While the Chromebook approach to authentication is good for security, it can sometimes lead to a bad user experience due to the extra steps.
Users can avoid exposing local data and apps on the internet by logging into Gmail as a guest. Guest mode allows users to email, but it does not leave any files other than a few cookies on the machine after logging off. This is a good practice when using a public computer or on an insecure network.
Configure the Google Chrome browser
When administrators define corporate security standards, they should consider the following settings, located in Chrome Settings.
Sync and Google Services. These are options for encryptions and autocomplete, which could be a security issue for an organization. The most important setting is "Manage what you sync." This allows admins to configure what data syncs, including apps, history and settings.
Privacy and security. Cookies and other site data preload pages for faster access. In this section are several settings:
Allow or block cookies: Choose the right option for the organization and user.
Preload Pages for Faster Browsing and Searching: This configuration was formerly known as "Prediction service" and "DNS prefetching." It preloads links on webpages that the user may or may not attempt to access. This speeds up connecting to web pages, but it also allows those sites to write cookies to the browser. Many experts advise turning this off for the additional cookies, but this may lead to a performance hit.
Send a "Do Not Track" request with your browsing traffic: It sounds good not to let websites track users, but it's not that simple. Some will still track the user, and the user may get inappropriate or uninteresting ads. It may not be beneficial to disable this feature.
Safe Browsing
Use a secure DNS: This is where administrators can define a custom DNS server such as the one provided by an ISP.
Site Settings. IT should review permissions to use location, camera, microphone, notifications, Flash, popups and other functions.
Administrative tools for managing Chromebooks
Google Admin is a powerful administration tool that comes with Google's G-Suite offering. The Google Admin tool manages devices, groups, users, domains, apps, security settings, admin roles, data migration and produces custom reports (Figure 2).
There is a per-client fee to manage large organizations, but Google Admin is not limited to Chromebooks, and it even includes mobile devices.
Google Chrome Enterprise is a more comprehensive platform for organizations that want a more enterprise-level product. This includes cloud-based management tools,third-party product support, enterprise-level tech support, additional Chrome extensions, hooks to Microsoft Active Directory and corporate policy support. Google Enterprise comes at a per-client fee.
Generally, Chromebook laptops are much less vulnerable to typical security threats due to the simple operating system design. Chromebooks also benefit from the fact that hackers don't target them as much due to their small market footprint -- similar to macOS devices.
Chromebooks are suitable for workers who frequently browse the web and research information. With Google Chrome as its primary browser, Chromebooks use browser-based software instead of Windows or macOS software used in other devices.
Every time the Chromebook starts up, it does a self-check called "Verified Boot." If it detects that the system has been tampered with or corrupted in any way, typically it will repair itself without any effort, taking the Chromebook back to an operating system that's as good as new.
When it comes to malware, a Chromebook is among the most secure type of computer that you can buy. Based on the Linux operating system, the Chrome OS features sandboxing, automatic updates, verified booting, data encryption and full OS recovery, all of which should keep your computer running smoothly.
Businesses that use Chromebooks can save as much as 45 percent on licenses, ESG reports. Many SMBs transitioning to Chromebooks also adopt Google Workspace, gaining access to a full suite of productivity tools for a low monthly subscription.
Chromebooks can run apps from Android, Linux, and Windows concurrently in the same session." Most of you may never need those alternatives. Google's G Suite may be all the office you need. If you're wedded to Microsoft Office, Microsoft now supports Office and Microsoft 365 on Chromebook.
You can access your Microsoft 365 apps from the web — including Word, Excel, PowerPoint, OneNote, OneDrive, and Outlook. The web apps allow you to: Create, edit, and collaborate on documents and files.
Do Chromebooks need antivirus software? Yes, Chromebooks need good antivirus software. Although you are likely to face fewer threats on ChromeOS than, for example, on Windows or even macOS, Chromebooks are still vulnerable.
With every update, your laptop becomes more secure. These improvements automatically help make your Chromebook useful even longer by providing enhanced security and stability for 10 years from the platform release date.
You don't have to worry as much about these problems with the ChromeOS. Chromebooks come with built-in malware and virus protection, first of all, and uses virtual sandboxing that isolates every single app and browser tab from the rest of the operating system.
Yes, Chromebooks can get infected with viruses or malware if there is a breach of the system's security when you fall for a phishing scam, install malicious apps and extensions, or practice unsafe online habits.
The answer is an easy one: yes.It's just as safe as doing online banking on your Windows 10 PC or a MacBook. Chrome OS is, more or less, just Google Chrome, and chances are you're using that on a Mac or PC anyway. So, if you're doing online banking in the browser, there really is no functional difference.
QuickBooks can work on Chromebooks. But there are limitations. QuickBooks Online can be accessed on the Google Chrome web browser. But the desktop and enterprise versions like QuickBooks Pro, Premier, and Enterprise Solutions need to be used with the native Windows operating system.
Chromebook vendor shipments worldwide 2019-2023, by quarter
In the third quarter of 2023, Acer was the leading Chromebook vendor worldwide, shipping close to 900,000 units. It was followed by HP and Dell, with both company's shipping around 670,000 Chromebooks in the third quarter of 2023.
Storage Capacity: Chromebooks usually don't have a lot of storage space built in. They tell people to store their files in the cloud, but some people might need more local storage for some chores. Support for tools: Chromebooks might not work with all external devices or tools that work well with other OSes.
However, not to worry, because QuickBooks Online is accessible for Chromebook users. QuickBooks Online is the cloud-based version of QuickBooks. This can be accessed on a Chromebook through the Google Chrome browser.
With FreshBooks mobile accounting app, you can handle your finances from anywhere on your Chromebook. Create professional looking estimates and invoices on your Chromebook from anywhere and run your expense report at the end of the day from your home.
The wealth of software available on ChromeOS these days means that it's easily conceivable that MBA students can access everything they need on a Chromebook – and if you want a Google-based notebook to impress, the HP Elite Dragonfly should be at the top of your shopping list.
Introduction: My name is Allyn Kozey, I am a outstanding, colorful, adventurous, encouraging, zealous, tender, helpful person who loves writing and wants to share my knowledge and understanding with you.
We notice you're using an ad blocker
Without advertising income, we can't keep making this site awesome for you.
