Google Chrome OS Notebook: A Security Game Changer?

Google’s much-hyped Chrome OS notebook is just a few months away, promising to deliver a lean, minimalist approach to mobile computing. Fast startup time, long battery life thanks to lower power consumption, and a heavy emphasis on cloud computing add up to plenty of interest from businesses of all sizes.

But will this new operating system mean fewer security headaches for you as an IT professional? Yes and no, say technology experts who are familiar with Chrome OS, scheduled to power mobile computers from the likes of Samsung and Acer by the middle of this year. Here’s what you should consider.

The Google Chrome OS: Effective but Limited
Dino A. Dai Zovi, a New York City-based independent security consultant, says he has been playing around with Google’s Chrome OS notebook prototype, dubbed “Cr-48,” for more than a month. Although he thinks it’s an effective tool for Web communication, it likely won’t be his primary computer.

“I don’t see how you’d want Chrome OS as your main computer, because there isn’t support for popular Web apps, such as Skype, and it’s unclear what native clients will run on Chrome OS,” says Dai Zovi. “But Chrome OS could be useful as a secondary device, as a competitor to, say, tablets.”

Google Chrome OS Security Is Relative
Although Google Chrome OS notebook files are stored in the cloud, Dai Zovi says that doesn’t translate into bulletproof security. “One big limitation for business is no support for encrypted emails -- unless you use a third-party Web-based encryption product,” says Dai Zovi, who has co-authored the books The Art of Software Security Testing and The Mac Hacker’s Handbook.

Consider whether you’re willing to entrust your data to one entity, say the experts. “With Chrome OS, you need to ask yourself if you’re putting too much trust in the hands of Google,” says Bruce Schneier, a security tech consultant and author. “If you’re someone like my mother, who isn’t tech-savvy and is afraid of losing information, sure, you might prefer for someone else to take care of it. But if you’re talking about Citibank corporate accounts, forget it.”

Google’s cloud-based apps provide a uniform standard of security that works great for many people, but Schneier cautions it may not meet your organization’s standards if you need to adhere to policies or regulations. “If you have to ask Google where your data is being stored and if it’s leaving the country, then it’s not for you,” he says.

Weigh the Convenience vs. the Risk of Chrome OS
Your end users are likely to enjoy the convenience of Chrome OS’s cloud-centric approach, says Dai Zovi. After all, you can access files from virtually any online device in the world. You can collaborate and share documents easily, and data is protected from local damage, such as flood or fire or computer theft. However, there may not be adequate layers of protection for your organization’s online data.

“If your data is simply protected by a password and no additional layer of security, that’s simply not enough for many businesses,” says Dai Zovi.

Dai Zovi says Google may be considering expanding its two-step authentication system that is available on Google Apps, where the user receives a text message with a code to type in for access to the application, along with a password. But even a two-step security measure isn’t foolproof, says Dai Zovi, who recalls a recent Firesheep (Firefox extension) vulnerability that led to “sidejacking” attacks among Gmail, Facebook and Twitter users.

As it is, it’s not clear exactly how the system will be embraced. “It’s a new platform, so it’ll take a while to see how this can be a good fit for consumers and businesses,” says Dai Zovi.


The Rising Threat of USB Drives

You can find them in pockets, purses and on key chains. They're on lanyards and in pens, built into some jewelry and even found alongside scissors and nail files in Swiss army knives. Teeny USB thumb drives are ubiquitous: In fact, Gartner estimates more than 222 million were sold in 2009 alone. Could such a tiny gadget bring big risks to your organization?

Your Data at Risk

Thanks to their small size, low cost, and capability of instant backup and file transportation between multiple computers, USB drives actually pose significant security threats for businesses.

For example, disgruntled employees can easily make off with sensitive company information on a USB drive. "The threat is not new, but the problem is exacerbated by tiny and cheap USB drives," says Leslie Fiering, research vice president at Gartner in San Jose, Calif. "The moment we had removable storage media -- going back to floppy disk drives -- there have been stories of janitors going onto computers after hours and downloading major amounts of information." Employees who plan on quitting a company -- or perhaps those expecting a pink slip -- can also easily copy over customer or client databases, emails, calendar appointments and contact lists in a matter of seconds, and then take this digital info with them to a competitor.

Increasingly, USB drives can also carry harmful malware, say security experts. USB keys can be used to install viruses or to serve as boot drives to erase data -- even unintentionally. An employee who uses a USB drive on a personal computer at home could carry malware back to a work computer without his or her knowledge.

USB Security: What You Can Do
You should take several precautions to minimize the risk of data theft or malware attacks via USB drives. Consider the following:

  • Implement strong security software. All company computers should have the right security software to detect and remove potential threats. "Without question, you need serious protection today that not only protects from online threats but also is capable of scanning external devices too, such as USB drives," warns Fiering.
  • Limit USB access. In extreme cases, organizations have cut off access to USB ports. Others have limited USB access to specific employees. Using encrypted USB drives is another option, as is disabling AutoRun on computers so that programs on a USB drive don’t immediately run when a drive is inserted.
  • Monitor use. Keeping track of USB access will help you note who is using the drive, on which computer and at what time of day. "IT departments need to make sure their machines are secure and sensitive information protected," adds Michael Gartenberg, research director at Gartner in Stamford, Conn.
  • Focus on education. “Banning can result in users trying to bypass the ban,” cautions Santorelli. A usage policy augmented by an awareness campaign to educate end users will help mitigate the risks.
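
The "Monitor use" precaution above, worked as an added example that is not part of the original article: it reads a record of USB drive connections and reports who used a drive, on which computer and at what time of day, flagging after-hours use and drives that move between computers. The log format, computer names, users, drive serials and business hours are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, time

# Constructed sample events (not real data): time, computer, user, drive serial.
SAMPLE_LOG = """\
timestamp,computer,user,serial
2011-02-07T09:14:00,FIN-PC-01,alice,SN-A1
2011-02-07T13:40:00,FIN-PC-02,alice,SN-A1
2011-02-07T23:52:00,FIN-PC-01,carol,SN-Z9
2011-02-08T10:05:00,HR-PC-07,bob,SN-B2
2011-02-08T02:31:00,HR-PC-07,carol,SN-Z9
"""

# Assumed business hours; adjust to the organization's policy.
WORK_START, WORK_END = time(8, 0), time(18, 0)


def parse_events(text):
    """Return a list of event dicts with a parsed datetime in 'when'."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["when"] = datetime.fromisoformat(row["timestamp"])
        events.append(row)
    return events


def after_hours(events):
    """Events whose time of day falls outside the assumed business hours."""
    return [e for e in events
            if not (WORK_START <= e["when"].time() < WORK_END)]


def drives_on_multiple_computers(events):
    """Map drive serial -> sorted computers, for drives seen on more than one."""
    seen = defaultdict(set)
    for e in events:
        seen[e["serial"]].add(e["computer"])
    return {s: sorted(c) for s, c in seen.items() if len(c) > 1}


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for e in after_hours(events):
        print("after hours:", e["when"], e["computer"], e["user"], e["serial"])
    for serial, computers in drives_on_multiple_computers(events).items():
        print("shared drive:", serial, "on", ", ".join(computers))
```
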

Fiering and Santorelli note that these risks are not limited to USB drives. Santorelli calls it an “erosion of the traditional network perimeter” because of the prevalence of mobile devices and the convergence of personal and work technology. “This is a problem that's not going away any time soon," says Fiering. With the right security measures, however, companies can ensure the security of their data, despite today’s increased risks.
