Google Chrome in the Enterprise
Google released a beta version of their Google Chrome browser a few weeks ago, and many enterprises haven’t yet decided how Chrome impacts them. I suggest that it’s important to be proactive and disallow installation of Chrome on enterprise-managed machines.
Google has a truly admirable record for releasing products that have no known vulnerabilities, even after being released for several years. Secunia shows no reported vulnerabilities in Google Earth, no vulnerabilities in Picasa, 1 vulnerability in Google Toolbar (rated “Less critical”), and no vulnerabilities in Google Talk. Google should be congratulated for their security ability and obvious commitment to secure desktop software development. They don’t, however, have much experience in developing and delivering enterprise applications.
Among Chrome’s competitors, I’m concerned about Internet Explorer’s many vulnerabilities over the years (Secunia lists 31 advisories and 62 vulnerabilities), but I appreciate the granular control available through group policy. Firefox is my browser of choice, although I’m not impressed by Firefox’s own less-than-admirable vulnerability record. Both of those browsers have been well-tested, and many of the vulnerabilities have been discovered and fixed.
Google Chrome enters the fray with a new and untested product. I sincerely hope that Google’s excellent vulnerability track record with their other products is reflected in their work on Chrome. Unfortunately, since it’s so new, we simply don’t know whether Chrome has any significant vulnerabilities waiting to be discovered. I won’t trust the security of Chrome until it has been well-proven. A few vulnerabilities in Chrome have been found, announced, and patched, and it’s likely that others are out there waiting to be discovered.
There’s plenty to learn about using Chrome in the enterprise, including the speed with which Google releases patches for the vulnerabilities that will inevitably be discovered. How those patches are managed and distributed, and how Chrome is managed by IT organizations, also remain to be seen.
Chrome is a very early test version of a browser that Google will release for general availability at some point in the future. It’s open for download to anyone who would like to test it. Despite Google’s overuse of the word “beta” for products that are really in general release (such as GMail), Chrome truly is a beta product. Additionally, it’s a beta product with a significant and important impact on the security of machines used to test it. Browsers continue to be the leading point of undesired entry into workstations. They’re security-critical software, and the importance of secure browsers in enterprises cannot be overstated.
Test software does not belong on enterprise machines used for business purposes. Regardless of how much users may wish to try out the latest and greatest technology, enterprise machines need to be properly managed, and kept stable and secure.
All of that said, the decision should be a simple risk/benefit evaluation. Answer the question, “what is the business benefit of Chrome?”, and compare the answer against the potential risks. I haven’t yet heard of any business benefits from the enterprise use of Google Chrome compared to current browsers, which makes the risk/benefit calculation quite simple: Google Chrome simply isn’t ready for enterprise use.
If your enterprise hasn’t yet stopped users from downloading and installing Chrome, now is the time to do so. It’s much easier to stop the use of a product before it’s widely used than to suffer the outcry when it’s taken away.
When Chrome is officially released, or when it has been used long enough to prove itself, reevaluate whether it’s still appropriate to block it in your enterprise, and adjust appropriately. I, for one, hope that Google Chrome brings some more competition to the browser market, and produces some valuable innovations for enterprises. Until that happens, though, it’s not ready for enterprise use.
Update (September 27): Zero Day at ZDNet reports on a newly discovered DoS vulnerability in Chrome. Yet another reminder that we don’t yet know what vulnerabilities await discovery.

I hesitate to use even upgraded versions of Chrome, since my last experience using it (first version) left my computer compromised; have they fixed the security issues beyond all doubt?