Outbrain: Taking control of extension security with Chrome Enterprise
Harel Shaked
Director of IT Services & Support, Outbrain
Travis Naraine
IT Infrastructure Engineer, Outbrain
Editor’s note: Today’s post is by Travis Naraine, IT Infrastructure Engineer, and Harel Shaked, Director of IT Services and Support, both for Outbrain, a leading technology platform that drives business results by engaging people across the open internet. Outbrain adopted Chrome Enterprise and integrations from Spin.AI to create policies for secure app and extension use and manage automatic updates for its dispersed workforce.
With a workforce as dispersed as ours, security is always a challenge. We standardized on Chrome Enterprise browser two years ago, and it’s become the linchpin of our cloud-first strategy, giving us a way to manage all of our users and stay secure. But we had concerns about browser extensions, and we felt it was time to find a solution.
The value of extension management
We know people like to use browser extensions to improve their productivity and to access the tools and features they need to do their jobs. We also know there are malicious extensions available online. But vetting, testing, and blocking extensions manually was time-consuming and not 100% effective because it didn’t give us visibility into which extensions and apps were already in our environment.
Our process was reactive instead of proactive, raising concerns over missed opportunities to detect and block risky extensions. We needed a more automated way to enable employees to safely install Chrome Enterprise extensions.
Tools for extension risk assessment
As we explored solutions for another security project, we came across Spin.AI’s SpinOne platform, which includes the SaaS Security Posture Management (SSPM) solution for third-party application security. SSPM had several points in its favor, including features for continuous app assessment for browser extensions and the ability to easily integrate with Chrome Enterprise. The SpinOne platform met several of our SaaS security needs, and we like to stay with one vendor whenever possible.
Now we use Chrome Enterprise extension risk assessment, powered by Spin.AI, to generate risk scores and comprehensive risk assessment reports that assist in decisions about allowing or blocking extensions. In addition, with Chrome Enterprise Core's extension workflow, Outbrain employees can easily submit extension requests for IT and security teams to review and allow or deny use of the extensions.
The automated process through Chrome Enterprise saves significant time compared with manual reviews. The new policies and the Chrome Enterprise and Spin.AI solution have created an environment that nudges users to think more about anything they are installing—extensions and other apps as well.
Using extensions securely and safely
Chrome Enterprise makes management and control easy, enforcing policies for the browser and extensions with less complexity. We even develop our own in-house extensions for Chrome Enterprise for tasks like inspecting widgets within the company.
In addition to setting browser policies through the Google Admin console, we can manage automatic updates to ensure our employees are using the newest version of Chrome with the latest security patches, further reducing our exposure to vulnerabilities.
We definitely have fewer worries about browser security today. We know that Spin.AI and Chrome Enterprise are doing their job in the background, so we’re not constantly concerned that a user is installing something malicious. We can set it and forget it.