To communicate with both the client Chrome device and the Verified Access API, your network service can use the Verified Access functionality in the Google Admin panel.
This allows you to get information from Google regarding policy compliance and (optionally) the identity of the client device.
To accomplish this, the device that communicates with the enterprise must have a Chrome extension installed.
The network service must communicate with the Verified Access API using the platformKeys extension API.
What is Verified Access on Chromebook?
“We’ve been using Verified Access to enhance security by ensuring the veracity and policy compliance of Chrome devices before allowing access to resources for years, and now we’re making it available externally,” wrote Saswat Panigrahi, senior product manager for Chrome for Work, on the Google for Work blog.
In the Google Apps Admin Panel, the Chrome OS Verified Access API is now publicly available and customizable. Admins begin by enabling Verified Access and granting users permission to use the enterprise.platformKeys API. To communicate with the enterprise.platformKeys API, the devices must also have a Chrome extension installed.
- To generate a challenge, the Chrome extension communicates with the Verified Access API.
- The Chrome extension generates a challenge-response using the enterprise.platformKeys API and delivers the access request to the network service along with the challenge-response.
- To verify the challenge-response, the network service calls the Verified Access API.
- The network service allows access to the device if the verification is successful.
What are the advantages of Chromebook security?
Chromebooks are popular among businesses because of their security features, which include automated operating system updates, sandboxing and isolation technologies, whitelists for trustworthy Chrome extensions, and built-in encryption.
Chrome OS also makes enforcing regulations simple, such as separating the device from the Google Apps domain and utilizing Verified Boot to complicate persistence between reboots.
Chromebooks make a lot of sense for businesses that rely largely on cloud services and email-based attachments.
This is why Duo Security, a cloud-based trusted access provider, has opted to give Chromebooks to more than a quarter of its employees, representing a variety of job types and departments.
Duo Security has been utilizing Verified Access internally for the past few months to analyze Chromebooks before allowing access to business resources, according to Michael Hanley, director of security at Duo Security.
In the case of Duo, Verified Access forwarded the cryptographic guarantees to the company’s trusted access service, which made decisions about the device’s level of access.
A login attempt sends a challenge from the Verified Access API to the Chrome extension (through the Chrome Message Passing API), which retrieves a response using the enterprise.platformKeys API. Duo’s service receives the challenge-response and verifies it by sending it to the Verified Access API and getting a response. Based on the outcome, the service makes an access control decision. Access is denied if the device fails the protocol.
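The challenge and verification flow from the steps above and from Duo's deployment, seen from the network service, as an added example that is not code from Google or Duo. `createChallenge` and `verifyResponse` are hypothetical wrappers for the service's calls to the Verified Access API, and the 60-second lifetime and the `verified`/`deviceId` result fields are assumptions.

```javascript
// Added example: server-side gate for the Verified Access flow.
// createChallenge / verifyResponse are hypothetical, injected wrappers around
// the service's Verified Access API calls, so the gate can be run offline.
const CHALLENGE_TTL_MS = 60_000; // assumed lifetime of a pending challenge

function deny(reason) {
  return { allow: false, reason };
}

function makeAccessGate({ createChallenge, verifyResponse, now = Date.now }) {
  const pending = new Map(); // sessionId -> { challenge, issuedAt }

  return {
    // Login attempt: obtain a challenge and record which session it is for.
    async begin(sessionId) {
      const challenge = await createChallenge();
      pending.set(sessionId, { challenge, issuedAt: now() });
      return challenge; // forwarded to the Chrome extension
    },

    // The extension has produced a challenge-response with
    // enterprise.platformKeys; verify it and decide.
    async complete(sessionId, challengeResponse) {
      const entry = pending.get(sessionId);
      pending.delete(sessionId); // single use, whatever the outcome
      if (!entry) return deny("no pending challenge for session");
      if (now() - entry.issuedAt > CHALLENGE_TTL_MS) {
        return deny("challenge expired");
      }
      if (typeof challengeResponse !== "string" || challengeResponse === "") {
        return deny("missing challenge-response");
      }
      try {
        const result = await verifyResponse(challengeResponse);
        if (!result || result.verified !== true) {
          return deny("verification failed");
        }
        return { allow: true, reason: "verified", device: result.deviceId || null };
      } catch {
        return deny("verification error"); // fail closed if the API call fails
      }
    },
  };
}
```

Every path other than an explicit successful verification ends in a denial, including a replayed response for a session whose challenge has already been consumed.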
Automatic updates, application sandboxing, verified boot, data encryption, and recovery mode are all part of the Chromebook security concept. Desktop administrators should be familiar with each of these features because they provide value in terms of enterprise security.
Automatic updates
All Chromebook software is downloaded from the Chrome Web Store, which verifies and distributes the most up-to-date and safe versions of any software. Google also upgrades Chrome OS regularly. On each startup, the Chromebook downloads the operating system and applications, ensuring that users have access to the most up-to-date software.
IT administrators, particularly Windows administrators, are well aware that user-downloaded updates are easy targets for malware and viruses looking to exploit vulnerabilities left over from the update process. Because there is no upgrade process to maintain, Chromebooks eliminate this problem.
App Sandboxing
Application sandboxing is a feature of Chrome OS that runs each application, including individual webpages, in its own isolated sandbox within the OS, isolating it from all other processes. Microsoft similarly isolates applications in user mode. If an app or webpage functions badly, just closing it will resolve the problem without affecting other desktop items. While it is not without flaws, it is a great security tool for preventing breaches from becoming more serious.
Boot Verification
Chromebooks keep two versions of the operating system at the same time. One version is the system’s last known secure version, the one that was in use when the system was active and healthy. The other version is the most recent version, which is downloaded from Google when the computer starts up. The system will use the known secure version if the download is faulty, infected with a virus, or has compatibility difficulties.
This would cause a Windows desktop to crash, leaving IT administrators with the task of diagnosing the crash, locating a hotfix, installing a driver update or performing a clean and reload, or removing the desktop from production. The restore point on Windows desktops could be used, but it may not be specified and could be days old, resulting in data loss. Chrome OS and apps are updated regularly.
Recovery Mode
The recovery procedure in a Windows environment consists of erasing and reloading data while hoping the backup is secure. However, because this technique relies on the user backing up files, it is inconvenient and time-consuming.
Chrome OS does a factory reset with Powerwash, which wipes the hard drive and reloads the OS, programs, and apps. Administrators only have to worry about restoring local files because users keep data in the cloud.
Encrypted Data
The system firmware is stored in a tamper-proof trusted platform module in a fixed read-only partition, and the read/write section is encrypted using an RSA security key of 8192 bits. As a result, the read-only partition retains the RSA key. As a result, all files are encrypted and protected without the need to deal with clumsy permissions that never seem to work. Hackers with access to the user’s Google password, on the other hand, will have access to these files.
What are the disadvantages of Chromebook security?
The following are some disadvantages of utilizing Chromebooks in the workplace:
- Users are unable to use or edit Microsoft Office apps such as Word and Excel. Users can, however, see these files. Users may not be able to use Chromebooks if Office is necessary.
- There are a limited number of applications available. Some corporate-mandated programs may not be supported by Chromebooks, which could be a deal-breaker.
- Sandboxing isn’t flawless, and misbehaving apps can occasionally cause problems with other programs, much like in Windows.
- Users must become accustomed to shutting down their Chromebooks completely after each use. However, because boot times are only a few seconds, this shouldn’t be an issue. The OS and apps are upgraded as a result of the frequent reboots.
- Because Chromebooks are part of the Google family, they will operate in a Google environment. This isn’t always a bad thing, but it does limit your options.
How to ensure Chromebook’s security?
Consider these suggestions for configuring security on Chromebooks in the workplace.
Secure your Google account with two-factor authentication (2FA)
The user password, as is customary, is the weakest link in the security chain. Users should use standard password safeguards, as well as organizational regulations and identity management technologies when creating passwords. Furthermore, Google supports two-factor authentication (2FA). This enables IT to require users to utilize the authentication wizard to input a password and a verification number.
The setup procedure also lets administrators set up passwordless authentication, which entails Google sending a code to the end user’s smartphone and allowing them to log in without having to provide a password. While the Chromebook method of authentication is important for security, the extra steps can sometimes provide a negative user experience.
By entering into Gmail as a guest, users can avoid exposing local data and apps to the internet. Guest mode allows users to email, but it does not leave any files on the machine once they log off other than a few cookies. When utilizing a public computer or a network that isn’t secure, this is a smart practice to follow.
Configure your Chrome Browser
Administrators should examine the following settings in Chrome Settings when defining corporate security policies.
Google Services and Sync: These are encryption and autocomplete options, which potentially pose a security risk to a company. “Manage what you sync” is the most crucial option. This enables administrators to control what data syncs, such as apps, history, and settings.
Privacy and safety: These settings cover cookies and other site data, and preloading pages for faster access.
Safe Browsing: Use a secure DNS server: Administrators can provide a custom DNS server, such as one provided by their ISP.
Site Settings: Permissions to use location, camera, microphone, notifications, Flash, popups, and other functionalities should be reviewed by IT.
Admin tools for managing Chromebooks
Google Admin is a robust administration tool included in Google’s G-Suite package. Devices, groups, users, domains, apps, security settings, admin roles, data migration, and custom reports are all managed through the Google Admin interface.
Large enterprises must pay a per-client cost, although Google Admin is not limited to Chromebooks and also includes mobile devices.
Google Chrome Enterprise is a more comprehensive platform for businesses that want a higher-level solution. Cloud-based management tools, third-party product support, enterprise-level tech support, additional Chrome extensions, Microsoft Active Directory hooks, and corporate policy support are all included. A per-client fee is charged by Google Enterprise.
Frequently asked questions
What does verified access on Chromebook mean?
Verified Access is a hardware-backed way of confirming device identity and status. Google Verified Access certifies that a Chromebook is enrolled in enterprise device management and hence complies with all enterprise policies when a user authenticates using the Duo Prompt.
What is enable verified access in Chromebook settings?
Verified Access assures that a network service (VPN gateway, server, certificate authority, or Wi-Fi access point) can obtain a hardware-backed cryptographic guarantee of the device and user attempting to access it.
What is verified access?
Verify Access uses risk-based access, single sign-on, integrated access management control, identity federation, and mobile multi-factor authentication to help you achieve a balance between usability and security. Verify Access gives you back control over your access management.
Can someone access my Chromebook?
Your Chromebook has numerous layers of built-in security that can successfully defend against malware threats. ChromeOS is open-source, and thousands of individuals review the code on a regular basis to look for security problems. Since the launch of Chromebooks in 2010, the operating system has only been hacked once.
What does enable verified access do?
Verified Access: This setting allows a web service to request verification that its client is using a policy-compliant Chrome OS device that hasn’t been modified (running in verified mode if required by the administrator).
How do I make my Chromebook dark?
In the browser, go to chrome://flags and look for “dark.” You may also access the flag directly by going to chrome://flags/#dark-light-mode.
Select “Enabled” from the drop-down menu next to “Dark/light mode of system UI.”
How do I get my Chromebook out of verified mode?
Restart your Chromebook.
When you get the “OS verification is off” screen, use the spacebar to re-enable verification. This will wipe the gadget and make it secure once more!
What happens when you turn off OS verification?
Press the spacebar when the screen that indicates OS verification off appears. This will theoretically wipe the laptop clean and conduct a factory data reset. Restart your Chromebook and go through the setup process once more.
What is the benefit of a verified boot chrome box?
The Chromebook does a self-check dubbed “Verified Boot” every time it boots up. If it detects that the system has been tampered with or corrupted in any manner, it will usually repair itself without prompting, returning the Chromebook to a fully functional operating system.
Conclusion
Verified Access is currently limited to Chrome devices, with no word on whether Google plans to expand the security feature to other TPM-enabled platforms.
In the enterprise endpoint security market, Verified Access makes Chrome OS even more appealing.