
Chrome OS: Secure from bootup to shutdown
Content
9.36 -> hi my name is rajen sheth and today
11.44 -> we're going to talk a little bit about
12.639 -> the security of chrome os and i'm going
14.32 -> to tell you a little bit about how we
15.92 -> think about security and why security is
18 -> so important for you
19.6 -> so security is more important than ever
22.16 -> for the typical business and as we think
24.8 -> about it the more and more we we
26.96 -> implement technology and bring new
28.64 -> technology to the businesses security
30.8 -> will be even more important and so some
32.8 -> of the things that you need to think
34.16 -> about when you think about security is
36.079 -> protecting devices and data on more
38.8 -> endpoints and the number of endpoints
40.559 -> are growing as you think about not only
42.559 -> laptops but mobile and a variety of
44.8 -> other endpoints that will be there
46.719 -> within your enterprise the continued
48.96 -> increase in malicious threats across all
51.36 -> verticals we're seeing a huge increase
53.68 -> in the number of threats
55.6 -> that are there and the different types
56.96 -> of threats there that are there and so
58.96 -> security becomes part of every IT
61.359 -> decision
62.48 -> you need to make and moreover you need
65.199 -> to think about not only the security of
67.04 -> the device or a piece of equipment that
68.96 -> you have but also about how you manage
71.36 -> that how you maintain it and how you can
73.76 -> keep it secure
75.2 -> over time the more connected devices you
77.84 -> have the more risk you are of security
80.479 -> issues spreading and so this becomes a
82.479 -> very important area to deal with so here
85.04 -> are a couple of stats for you so by 2019
88.479 -> 70 of major multinational corporations
91.2 -> with roots in the us and and europe will
93.52 -> face significant cyber security attacks
96.56 -> and so if you think about that it's
99.119 -> almost every business out there will be
101.759 -> facing this at some point or another
104.4 -> so then looking at the next uh and the
106.24 -> next area the amount of spending that
108.479 -> that you'll need to think about for
109.92 -> security will increase quite a bit as
111.84 -> well uh too we'll see an increase of 7.6
115.84 -> over last year and then it's expected to
118.159 -> top over 113 billion dollars uh by 2020.
122.479 -> and so this is this is
124.399 -> the kind of technology that you need to
126 -> think about as you think about security
129.84 -> so chrome os
131.76 -> what we've tried to do is figure out how
134.08 -> do we make a better
136.16 -> pc or a better laptop and how do we make
138.879 -> computing better overall and especially
141.36 -> how do we make it more secure how do we
143.76 -> make it such that your laptop or your
145.92 -> desktop or your tablet is secure by
148.64 -> nature and so there are a variety of
150.72 -> things we do for this and i'm going to
152.64 -> tell you a lot about this over the
154.319 -> course of this webinar the first is that
156.64 -> every device is built with security in
159.04 -> mind from the ground up all the way from
161.2 -> the hardware all the way through the
162.4 -> software all the way through to the
164.16 -> applications and we've
166.319 -> taken a very unique model that i'll tell
168.08 -> you a little bit about over time over
169.84 -> the course of the webinar about how we
171.92 -> think about security
173.44 -> the second part is that the device
175.2 -> itself is thinner in terms of the data
177.84 -> footprint so there's less data on the
180.08 -> device and more data in the cloud which
182.4 -> inherently prevents data loss and and
185.599 -> makes it so that it's easy to protect
187.28 -> your and easier to protect your
188.879 -> endpoints
190.239 -> it also protects you from boot up all
192.72 -> the way through shutdown and there are
194.319 -> very unique things that we do to make
196.08 -> sure that every time you boot up we know
198.48 -> that you're secure and lastly it's very
201.44 -> easy to deploy manage and update and
203.599 -> updates are very crucial to security you
205.92 -> may have the most secure endpoint in the
208.319 -> world right now but if you don't update
210.4 -> it you're not keeping up with threats
211.92 -> that are there
213.36 -> so we keep security in mind throughout
216.159 -> all parts of this so first of all we
218.319 -> look at this from the hardware up and we
220.799 -> design every board that goes into every
223.68 -> every chromebook and make sure that
225.44 -> security is there from the tpm security
227.84 -> chip which is there on every chromebook
229.92 -> all the way through the firmware with a
231.84 -> technique called verified boot and i'll
233.44 -> tell you more about that the second
235.28 -> thing we do is make sure that the
237.12 -> operating system automatically updates
239.36 -> itself and we update it every six weeks
242 -> and try to make those updates as
243.36 -> transparent as possible and the last
245.439 -> thing is application protections we make
247.519 -> sure to sandbox applications and keep
249.92 -> them protected from each other but then
252.159 -> also give you policy and management
255.76 -> and the ability to deliver applications
258.16 -> so that you can set the policies that
260.16 -> you need for these devices
262.4 -> so on the hardware let's start there
264.639 -> we have a tpm chip and a security chip
266.88 -> on every chrome device uh regardless of
269.759 -> price and so what that means is that we
272.639 -> have security all the way down to
274.96 -> down to the hardware layer and we
276.4 -> established that trust chain all the way
278.24 -> from the hardware on up and we designed
280.88 -> the firmware itself and we make sure
282.96 -> that we have the same firmware on every
285.199 -> device
286.4 -> that's out there so that we know that
288.08 -> that will be secure
289.68 -> so the first part is the firmware
292 -> we have a technique called verified boot
293.919 -> that ensures that the device is is going
296.96 -> to be secure every time you boot it and
299.52 -> so what we do is that we know that the
301.759 -> signature of each part of the operating
304 -> system and so when we boot up the device
306.16 -> we actually check the signature of each
307.84 -> part of the operating system and only
309.68 -> let it go through
311.28 -> if we're able to uh to verify the
313.919 -> success of of that signature
316.72 -> if we hit malware at any point in time
319.44 -> or we see something that's not expected
322.24 -> we stop the boot process one unique
324.639 -> thing that we do is we actually keep two
326.56 -> partitions we keep two copies of the
328.479 -> operating system on the device and so if
331.919 -> we detect an issue with one of the
333.68 -> copies we'll back up immediately to the
336.72 -> last best known copy of the operating
339.44 -> system and make sure that the user is
341.68 -> protected instantly
344.639 -> once the operating system is up and
346.32 -> running we have a variety of techniques
348.32 -> to make sure that the user is protected
350.4 -> we have privilege separation and
351.919 -> process sandboxing to make sure that
354 -> applications only have the right
355.6 -> privileges and they're separated from
357.44 -> each other so that they can't affect
359.44 -> each other with full disk encryption at
361.919 -> a user level for every single user so
364.56 -> each user's set of data is encrypted
366.96 -> with their unique key
369.199 -> on the on the device and so if you were
371.28 -> to give a device from one user to
373.039 -> another
374.08 -> their their device their data is
376 -> actually encrypted in different ways so
377.919 -> you can ensure that the data is is
380.56 -> protected on the device and then as i
382.639 -> mentioned before we have automatic and
384.72 -> seamless updates that happen uh every
387.12 -> six weeks on the operating system
389.52 -> so let's talk a little bit about updates
391.759 -> so i mentioned that chrome os actually
393.52 -> has two partitions and we actually run
395.84 -> two copies of the operating system
398.24 -> what we do is that every six weeks or as
401.199 -> quickly as possible in the in the case
402.96 -> of critical updates where there are
404.72 -> security issues we update these devices
408 -> what we'll do is we'll actually update
409.919 -> the backup partition and update that in
412.72 -> the background so the user can continue
415.28 -> to use the device and use the operating
417.28 -> system as
418.56 -> as is while we update that backup
420.88 -> partition so then the next time they
423.28 -> reboot we switch partitions and we make
426 -> it so that that backup partition becomes
428.24 -> the primary
429.44 -> and the user actually doesn't even have
431.599 -> to see anything
433.199 -> what they'll see is that when we've
434.8 -> updated they'll see an icon on the
436.479 -> bottom
437.44 -> of their of their toolbar to let them
439.36 -> know that there is a new version of the
442 -> operating system and when they reboot
443.84 -> they'll just reboot into that new
445.52 -> version
446.56 -> this is another critical part of this
448.479 -> because it requires much less IT
451.12 -> resource to be able to do this update
453.12 -> because it's automatic but another part
455.12 -> of this is that oftentimes if there is
457.52 -> work disruption involved with an update
459.84 -> one that's lost productivity but also
462.4 -> a lot of times users may not take the
464.16 -> update in the case of chrome os because
466.88 -> it's in the background users are much
469.199 -> more likely to take that update and not
471.599 -> have worked as a work disruption as a
473.52 -> result of this
475.68 -> in the user session itself we do a
477.44 -> variety of things to protect the user as
480.08 -> i mentioned we have per user encryption
482.08 -> of their data to make sure that their
484 -> data is protected with their own key
486.639 -> and then we have process sandboxing and
488.24 -> defense in depth to make sure that each
490.8 -> process and each application that
492.639 -> they're running or each web-based app
495.039 -> is protected from each other and and we
498.479 -> make sure to to to have various layers
501.199 -> of defense there uh such that even if a
504.56 -> certain layer is is is penetrated we
507.68 -> have other layers to to protect the user
509.759 -> from there
510.879 -> we also have cross device uh policy
513.039 -> compliance and so what that means is
514.719 -> that any device that you go to that's a
516.8 -> chrome device your policies come with it
519.44 -> and you're able to actually
521.36 -> protect that device no matter what user
523.44 -> though what where that user is
525.6 -> in the browser and the browser itself we
527.76 -> have safe browsing settings to make sure
530.399 -> that users are going to
532.8 -> safe sites and if we detect that they're
534.399 -> going to a site that we know may not be
536.399 -> safe we will let them know about that
539.04 -> and then also we have certificate
540.56 -> enrollment and transparency to make sure
543.2 -> that that we're able to
545.519 -> we're able to bring on user certificates
547.68 -> and make sure that those are enrolled in
550.399 -> the correct way and the devices are
551.76 -> enrolled in the correct way
554.32 -> as we think about policy and
556.56 -> management that's another big area of
559.04 -> security so security isn't just about
561.44 -> the security of the operating system
563.04 -> itself but it's a lot of it is about how
565.68 -> we match the policies of your
567.92 -> corporation and what control do we give
570.08 -> you and so we give you control over a
572.16 -> variety of parts of the stack that are
574.16 -> all done through a centralized web-based
576.72 -> management console and that that policy
579.279 -> is pushed out to every chromebook that's
582.16 -> out there that you need that policy on
584.32 -> so that includes things like permission
586.56 -> controls what a user can and can't do so
588.959 -> for example
590.48 -> disabling the camera or having
592.88 -> particular settings about video and
594.8 -> audio for uh for for particular uh for
598 -> particular uses things like that there
599.76 -> are policies around we also have
601.36 -> policies around network and proxies and
603.12 -> so you can essentially set these things
604.959 -> up
605.68 -> before the user logs in such that as
607.6 -> soon as they log in the device all of
609.44 -> these things are all set up no matter
611.44 -> what device they log into
613.519 -> we do a variety of other things so we
615.36 -> have an ephemeral mode and so you can
617.519 -> set a user into ephemeral mode which
620.079 -> means that no data is actually preserved
622.399 -> on that device so when they log out of
624.72 -> that device the data is wiped from the
626.88 -> device and so if you have instances
628.64 -> where you don't want the user to keep
630.16 -> data on the device we can support that
632.16 -> as well
633.04 -> we support sign in restrictions so not
635.519 -> anyone can sign into a corporate
637.279 -> chromebook you can restrict it to for
639.36 -> example users from your own domain
642 -> to make sure that only certain users can
644.399 -> can uh sign that and we sign the policy
647.839 -> delivery it's as well so the chromebook
650 -> knows that that policy is coming from a
652.8 -> trusted source and not just uh not just
655.839 -> any any source um
658 -> all of this is done from the cloud so
659.6 -> when you update a policy it gets updated
663.04 -> uh on the chromebook itself
665.519 -> as we think kind of further about this
667.68 -> we we've been thinking a lot about app
669.519 -> delivery one of the recent things that
671.44 -> we've brought onto
672.88 -> the chromebook is the ability to use
675.519 -> google play and bring android apps onto
678.079 -> the chromebook
679.279 -> and we've we have a variety of
680.72 -> protections within google play to
682.48 -> protect the user uh from uh from
684.72 -> applications that they have
686.399 -> one is that we have a very sophisticated
688.72 -> server-side malware detection
691.44 -> system in place to check the the
694.32 -> applications that are within google play
696.24 -> and detect and detect malware we use
698.8 -> machine learning to be able to do this
700.48 -> to do it in in quite a bit of a
702.48 -> different way than is done typically
704.32 -> with applications uh that are there uh
706.88 -> and we do remote uninstall of malware
709.12 -> when we did uh detect malware that
711.76 -> that's there and are able to actually uh
713.92 -> uninstall that off of a system we also
716.72 -> provide a variety of controls for the
719.92 -> administrator with google play
722.48 -> so we have a way for enterprises to be
724.64 -> able to have a white list
726.399 -> of applications that they want to permit
729.04 -> the users to use or a blacklist as well
731.68 -> too so they're able to control the
733.92 -> applications that the user has and also
736.8 -> restrict side loading of apps so that
739.04 -> applications can only come from the play
741.279 -> store so you can't get a random
743.04 -> application from somewhere else onto
745.12 -> this device and you can make sure that
746.88 -> applications that are there are checked
748.959 -> through the protections that we we
750.639 -> talked about before
752.72 -> from a networking perspective we've gone
754.639 -> a step above and beyond and we have a
757.2 -> system called verified access that can
759.44 -> be integrated into your backend systems
761.76 -> and what this does is it actually checks
764.72 -> to make sure
766.16 -> that the chromebook is in the right
768.72 -> state so it has the right version of the
770.88 -> software it has policies that are
772.88 -> already delivered uh to it it's
774.8 -> complying with the policies that you
777.04 -> wanted to be complying with
779.04 -> so when you actually have a user go to a
783.12 -> network service that network service can
785.279 -> actually check with google to make sure
787.2 -> that this is a
788.32 -> safe endpoint
789.92 -> and then be able to ensure that if it's
792.399 -> delivering a web-based service it's
794.48 -> delivering it to a safe endpoint so
796.32 -> chrome os really is built uh for for a
799.2 -> secure business from the ground up we
801.68 -> designed it from the ground up with
803.12 -> security in mind and we make sure that
805.92 -> all chrome devices that are out there
807.68 -> meet these security requirements so you
809.839 -> can ensure that any device that you go
812.16 -> to that is running chrome os has these
814.56 -> protections in place
816.8 -> we also make it so that you have a low
818.72 -> total cost of ownership and easy
820.32 -> maintenance which lets you focus on
822.48 -> other efforts and makes it so that you
824.48 -> don't have to focus on maintaining and
826.839 -> managing your your devices that are out
829.6 -> there they maintain themselves this is a
832 -> modern platform to address today's
834.24 -> security challenges and the with regular
837.36 -> regularly scheduled updates we can
838.959 -> ensure that not only are we meeting
840.88 -> today's challenges but we're meeting
842.399 -> tomorrow's challenges as well as you
844.399 -> think about your endpoints you also
846.72 -> should consider chrome browser on other
848.639 -> endpoints that are outside of chrome os
850.399 -> and we have a lot of similar a lot of
853.04 -> similar techniques on chrome browser to
855.199 -> ensure security so the same areas around
858.32 -> auto updates we do that with with chrome
860.56 -> browser as well
862.079 -> we ensure that we can update chrome
864.16 -> browser for critical security bugs and
865.92 -> we do
866.72 -> regular updates every six weeks and
868.8 -> automatic flash updates as well too to
871.12 -> make sure the chrome browser is is
873.519 -> secure employees can also secure
876.72 -> can securely sync multiple devices and
879.279 -> so what that means is that if you've set
880.88 -> your settings on one device when you log
883.04 -> into another device all of your settings
885.199 -> are synced there including things like
886.639 -> bookmarks but also settings and and
889.12 -> security uh configurations that are
891.12 -> there and your passwords are kept safe
892.8 -> as well uh too and then we also
895.36 -> implement the similar behind the scenes
897.44 -> security layers the warnings that i was
899.36 -> mentioning and alerts for dangerous uh
901.36 -> dangerous websites protecting tabs from
903.519 -> each other and preventing eavesdropping
905.839 -> uh to make sure that that the user is
908.399 -> protected
909.68 -> some of the interesting things that we
911.04 -> do with the with chrome browser include
914.639 -> these configurable auto updates
916.56 -> sandboxing
917.92 -> and safe browsing but then also
921.199 -> better support for web security
923.04 -> standards and we make sure we're on top
924.88 -> of the latest web security standards and
927.199 -> better support for networking security
928.959 -> as well too we also have a technique
930.959 -> called fuzzing where we run chrome
933.519 -> browser in our data centers and throw
936.079 -> a variety of challenges at it
938.48 -> and test it and really pressure test it
940.639 -> to make sure that with every update of
943.519 -> chrome browser it's protecting uh it's
946.32 -> it's protecting the user and we try we
948.48 -> try to break it uh with sets of threats
951.04 -> uh to make sure that before you even see
953.279 -> an update it has been pressure tested
957.6 -> so in terms of where do you go from here
959.839 -> if you're ready to deploy chrome os then
962.72 -> definitely use this link to contact us
965.44 -> and get in contact with your google
966.8 -> sales drive and if you're not sure yet
968.56 -> you can try the security of chrome
970 -> browser all you have to do is go to the
971.839 -> link that you see on the screen to
973.759 -> download chrome browser and it gives you
976.16 -> all the tools you need either for a
977.6 -> single download or to be able to
979.759 -> download it within and deploy it within
981.759 -> your organization
983.68 -> so with that we'll take questions and
985.44 -> you'll see uh you'll see an area at the
987.12 -> bottom of your screen where you can ask
989.199 -> questions and we'd be happy to answer
991.279 -> more thank you for listening we
993.12 -> appreciate your your time and looking
995.759 -> forward to talking to you more about
997.92 -> chrome os and chrome browser
Source: https://www.youtube.com/watch?v=kBb2k7R7-oc