Google adds data loss prevention, security features to Chrome

Google today rolled out several new features for enterprise users of its Chrome browser, including data loss prevention (DLP), protections against malware and phishing, and the ability to enable zero-trust access to the search engine.

In all, Google highlighted six new features for Chrome – three of them specific to the browser’s existing DLP capabilities.

A new “context-aware” feature allows enterprise administrators to customize DLP rules based on the security posture of the device being used. For example, admins can allow users to download sensitive documents if they’re accessing them from a corporate device that’s up to date on security fixes or is confirmed to have endpoint protection software installed.

The context-aware feature will, however, stop users from downloading sensitive documents on personally-owned devices or with a corporate device that doesn’t meet the security criteria.

Another DLP feature includes URL filtering; it can block or warn employees about visiting websites, or categories of websites, that breach an organization’s acceptable use policies.

Google

“You can also restrict access, like blocking users from visiting popular file sharing websites, while still permitting file sharing via your corporate file-sharing site,” Google said in a blog post.

Google also announced two new risk assessment extensions for Chrome. Browser extensions can pose risks to users or request permissions that are not aligned with company policies; more than 250,000 extensions in the Chrome web store offer everything from ad-blockers to productivity tools.

Chrome’s new CRXcavator and Spin.AI Risk Assessment are tools used to assess browser extensions and minimize the risks associated with them, according to Google. “We are making extension scores via these two platforms available directly in Chrome Browser Cloud Management, so security teams can have an at-a-glance view of risk scores of the extensions being used in their browser environment,” Google said in its announcement.

By implementing advanced DLP and gaining more visibility into extension security and critical security events, organizations can identify potential threats and vulnerabilities before they are exploited, reduce the risk of data loss, and take a more proactive approach to cybersecurity. 

Google also added two new security event notifications extensions available for install on Chrome.

• Extension installs: Alerts IT and security teams when an extension is installed, so they can track new extension use in their environment.
• Crash events: Alerts IT and security teams when a browser crashes on a device, which can help them kick off investigations.

Google

“This is impactful because the browser represents a new delivery vehicle for enterprise security,” said Dan Ayoub, a senior director analyst at Gartner. “It extends security services beyond the edge of the network to solve a lot of real word problems that existing solutions may have difficulty addressing today, such as providing access from unmanaged devices.”

Gartner expects an increasing number of security services being delivered via enterprise browsers and extensions through the rest of this decade, according to 

“This will ultimately create a seamless hybrid working experience where browsers become the core platform through which workforce productivity and security software is delivered to managed and unmanaged devices,” he said.

Michael Suby, research vice president for IDC’s security and trust service, said Google’s targeting of cyberattacks is appropriate, as browsers are as vulnerable as any application sitting above the OS. But the additional features will likely create a conundrum for many organizations.

There are already third-party browsers available specifically for enterprises with similar security features to the ones announced by Chrome. For example, Island.io and Talon Cyber Security are two of the more popular enterprise browsers.

“How do I merge what they give me with what I already have?” Suby said.

Additionally, many enterprise applications already have security features built in.

“It’s adding another policy tool that needs to be managed. It’s great to have these new features in Chrome, and on their own they may be intuitive to use, but they just get added to what you already have,” Suby said. “That’s not to say they’re not good to have, but now I have something more I have to manage.”

The question becomes, who’s going to manage and control the new features and decide which ones should an enterprise use? “Or am I managing the security policies on applications? In which environment do I apply policies to?” Suby said.

Another issue is there are currently no third-party firms that independently test browser security capabilities. There’s antivirus software such as AV-Comparatives and endpoint protection and response evaluation software from firms such as Mitre Engenuity, but none for browser security, Suby said.

“This is a good direction [Google] is going — nothing wrong with it,” Suby said. “They see a problem and they’re trying to assist organizations to solve it. But in doing so there’s a set of sub problems we’ve created.”