Blend protects sensitive consumer financial data using Chromebooks and Chrome Enterprise license
Editor’s note: Today’s post is from Jon Debonis, head of security at Blend, which makes platforms to help financial institutions streamline lending and simplify consumer finance. Blend is using Chromebooks and Chrome Browser to provide secure access to its engineering production environment, and for its new customer call center.
Security is one of the biggest concerns for the Blend engineering team. To help banks and mortgage providers use our platform to make customer loans, we collect sensitive consumer information such as tax records and bank account statements. We need to protect that data from security breaches. At the same time, we have dozens of engineers who need access to our production systems, opening up for risk if one of their accounts were compromised. Chromebooks, along with the Chrome Enterprise Upgrad, help us lock down our production environment with easy-to-manage and affordable tools that help safeguard consumer data and our networks.
Our engineers want to use laptops so they have flexibility around when and how they work. But with many laptops and tablets, we can’t control which apps the engineers download and install, and we don’t know how secure those apps are against hackers. And even savvy engineers can be fooled by phishing messages that attempt to steal login credentials for our production systems—giving attackers the chance to access private consumer data. Our plan was to give engineers additional laptops solely for accessing sensitive production systems that use encrypted communication, with centralized controls for security—but with almost 100 engineers, cost was a factor.
Chrome Enterprise and Chromebooks provided management and security tools that are cost-effective for a startup that’s watching its budget. We can whitelist apps and Chrome extensions that engineers can use, eliminating worries about threatening rogue apps. We built a Chrome extension that creates a security certificate uniquely tied to the Chromebook that each engineer uses; without that certificate, no device can connect to the production environment. It’s a very simple way to close security gaps.
Because Chromebooks give us a sandboxed environment all the way from the device keyboard to production, we can bring more engineers into production to perform privileged administration tasks. Before using Asus C302CA Chromebooks with Chrome Enterprise License, only 10 engineers had access to the production environment, and those 10 had to handle all troubleshooting and code fixes. After giving out Chromebooks, we feel confident giving almost 100 engineers production access. That’s a huge increase in the number of problem fixers. Today, Chromebooks are the only devices that we allow to connect to our production environment.
Chromebooks’ affordability and ease of management gave us ideas for using the devices beyond engineering. Blend recently set up a new customer call center for our insurance subsidiary, and we aim to equip 50 agents with Chromebooks by the end of the year. Agents don’t need bulky laptops loaded with software—they can use G Suite and other CRM applications to look up customer records. And our IT team can centrally manage Chromebooks, just like we do in engineering.
For both engineers and call center agents, Chrome Browser plays an important role in keeping our data and employees safe from online attacks. We wrote a Chrome extension that tells us when someone is trying to enter a password in a non-secure webpage; we also use an extension from KnowBe4 that lets people report possible phishing emails that we can investigate. The automatic patch management in Chrome is also a huge help to our IT team—it’s one of the reasons why Chrome is our preferred browser.
As well as saving us money, Chromebooks buy us time and freedom. Engineers don’t need to wait for IT to configure or lock down Chromebooks—they can just get to work. And with better consumer data security, we can breathe easier about keeping our customers’ information private.