Could Chrome be a real security weapon for defenders? A new $6/user proposition has potential...
From vanilla data breach risks to insider threats, Chrome Enterprise Premium's capabilities look worth exploring...
Chrome is ubiquitous, with over 68% of global browser market share – well over three billion users. A new offering from Google, Chrome Enterprise Premium, priced at $6/user monthly, aims to not just monetise that reach, but also, potentially, make it a central plank of enterprise cybersecurity.
Knowledge workers spend an average of 63% of their productive time in the browser, and 48% of business-critical applications are also now browser-based, according to a recent report for Google by Enterprise Strategy Group. On that basis alone, it makes sense to be mindful of browser security – and possibly, to deploy more controls via the browser.
Chrome Enterprise Premium, launched at Google Cloud NEXT in Las Vegas this week, builds on Google's existing Chrome Enterprise offering, but adds significantly more security capabilities. Nick Reva, head of corporate security engineering, Snap Inc., was one advocate, saying in a release that his company had “set up data loss prevention restrictions and warnings for sharing sensitive information in applications like Generative AI platforms and noticed a noteworthy 50% reduction in content transfers…”
“Once the solution was turned on, we were able to identify and stop an attempt to exfiltrate a large amount of corporate information within hours,” added Tim Ehrhart, domain head, information security, Roche.
So far, so glowing press release. So what can you do, specifically, with Chrome Enterprise Premium? A launch blog was a little light on detail, so The Stack asked Mark Berschadski, Director, Product Management, Chrome Enterprise, to answer some questions on its new capabilities.
Content inspection and data loss prevention
The blog, for example, mentioned “content inspection and data loss prevention” and the ability to “enforce continuous Zero Trust access to SaaS”. In terms of mitigating data exfiltration risk/DLP, Berschadski said by email that Google’s new Chrome Enterprise Premium lets admins:
"Implement agentless and URL-based DLP rules based on web categories or specific URLs; prevent users from downloading, saving, copying and pasting, or printing your sensitive company information; access summarized insights of top data security events such as sensitive data types and domain categories... securely store content that triggers malware or DLP rules, in a customer-supplied Google Cloud Storage (GCS) bucket."
He added: “There are 400+ policies IT admins can use for managing and customizing Chrome in the enterprise environment. Some examples include setting a homepage for all users, allowlisting/blocklisting extensions and turning on Enhanced Safe Browsing for all users.”
Many of these policies are also available to Chrome Enterprise Core customers at no cost, Google said. All Chrome Enterprise Core and Premium policies are listed here.
“Enforce continuous Zero Trust access to SaaS”
Crucially, Chrome Enterprise Premium offers support for both user-based and device-based enforcement; the former allowing admins to mandate Chrome sign-in and track Chrome data (e.g. history, bookmarks etc.) from machine to machine. It also offers an "Evidence Locker" that saves content to a sandboxed cloud security bucket when a data protection rule is triggered.
A launch blog promised “context-aware” access controls to SaaS or private web applications based on user, device, and security contexts, as well as the ability to…
"Mitigate data exfiltration risks by detecting sensitive data downloaded, uploaded, saved or pasted; control access to any web application such as Salesforce, Workday and others with a continuous context-aware authorization; Endpoint Verification to pull additional device management information, and allow admins to set context-aware access policies."
This has real potential for cases where a traditional agent can't be pushed to an unmanaged machine of a remote or contractual user. If The Stack reads the documentation correctly, SaaS logins can be restricted to Chrome Enterprise Premium-managed browsers, giving more oversight.
“Chrome audit logs provide admins with a record of user and device activity related to Chrome, including login attempts, malware, crashes, enterprise credential protection and security relevant encounters that happen within the browser,” Google boasts, with admins able to push these to Chronicle, Google Cloud Pub/Sub, Google Security Center or SIEM/sec tools from the likes of Splunk, Trellix, Broadcom, Palo Alto Networks, Crowdstrike and Okta.
Berschadski's team has made a host of further details available in a set-up guide.
nb: Perhaps needless to say, Chrome’s ubiquity also makes it a major target. In 2023 Google fixed eight Chrome zero-day bugs exploited in attacks: CVE-2023-6345, CVE-2023-7024, CVE-2023-4762, CVE-2023-5217, CVE-2023-4863, CVE-2023-3079, CVE-2023-2136, and CVE-2023-2033. 2024 has already seen Chrome zero-days exploited, including CVE-2024-0517: an out-of-bounds write in V8 in Google Chrome that allowed a remote attacker to exploit a heap corruption bug.