As the way people work continues to evolve, keeping security policies in place that protect organizations but give workers the ability to get things done is more important than ever. IT and security teams must aim to stay a step ahead of web-based security threats that come their organization’s way. To help, the Center for Internet Security (CIS) team has released the latest CIS Benchmark 2.1 for Google Chrome. This Benchmark offers independent recommendations on which Chrome policies to configure to help support organizations’ security and compliance needs. Thanks to Chrome being built with security at its core, in many cases, Chrome default settings are aligned with CIS recommendations.
Chrome is secure by default, but we also pride ourselves on providing customizations for enterprises to allow Chrome to better fit the needs of their business. And with hundreds of policies available through Chrome Browser Cloud Management and Group Policy Objects (Note: the CIS Benchmark is also available as a GPO with CIS SecureSuite Membership), organizations can do just that.
Throughout the CIS guide you’ll notice that there are different designations for configuration profiles. Any labeled Level 1, are considered to be a good baseline for an organization. Level 2 profiles are recommended for deployments that require the highest level of security, but note that these settings could have a trade off on user productivity. We recommend looking at each setting and determining if it’s a good fit for your business.
The benchmark is made up of five sections:
- Enforced Defaults — Notes policies that are configured by default when you install Chrome. Enforcing these settings at an enterprise level can prevent these settings from being changed by business users to less secure options.
- Attack Surface Reduction — Details how to disable web features that may not be necessary in your enterprise environment and could reduce your overall attack surface.
- Privacy — Surfaces settings that improve user privacy.
- Data Loss Prevention — Contains settings that can help prevent data loss and protect your organization’s data. (Note: These recommendations cover additional capabilities that can be added to Chrome through BeyondCorp Enterprise).
- Forensics (Post Incident) — Shares recommendations on policies that give insights into post incident forensics and analysis.
Organizations can use these benchmarks to optimize the best way to secure Chrome in their environment. Download the CIS Benchmark here and check out our team’s configuration guide for additional recommendations on how to configure Chrome.
Note: This benchmark was created using a consensus review process composed of subject matter experts. Consensus participants provide perspective from a diverse set of backgrounds such as consulting, software development, audit and compliance, security research, operations, government, and legal. While these recommendations come from a trusted source, it’s important for each organization to weigh which policies make the most sense for their business.
By: Fletcher Oliver (Chrome Browser Customer Engineer)
Source: Google Cloud Blog