Google Explains Why Chrome OS is More Secure

Posted on May 31, 2017 by Paul Thurrott in Android, Cloud, Mobile with 39 Comments

Google Explains Why Chrome OS is More Secure

Google today offered an interesting overview of how it secures Chrome OS. And while much of it will be very familiar to Windows users, there is one aspect to Chrome OS that is quite unique.

“The multiple security layers of Chrome OS work together as part of a cohesive security approach, including automatic updates to provide protection on a recurring basis without disrupting your work,” Google product manager David Karam explains. “Today we’re sharing a closer look at how automatic Chrome OS software updates maintain ongoing security of the platform and devices.”

Note that this post is aimed at businesses. As you may have heard, Chrome OS is starting to make inroads with Microsoft’s core customer base, and according to IDC, Chromebook growth with business was the only reason that PC sales to businesses grew at all in the last quarter.

Anyway, here’s the unique bit: Chrome OS always maintains two system images on disk at the same time, each in its own partition. That way, you can continue working while system updates are applied, with just a 6-10 second delay on the next reboot so that the second partition can be updated too.

“Essentially, Chrome OS swaps between the two images,” Karam writes. “That means there’s no waiting for the updates to be applied: You can be up and running in just seconds with new software.”

This approach has other benefits, too. IT admins will never need to schedule or otherwise micro-manage updates because these updates are both automatic and non-disruptive. (In the Microsoft sphere, we’re batting about .500 on that measure.)

Karam also describes the Chrome OS update schedule: Google ships major version updates for Chrome OS about every six weeks, with minor improvements often added in-between. But important security updates can be pushed out in 24 to 48 hours when required.

“These updates happen automatically in the background and are applied seamlessly to the backup partition,” he notes. “Additionally, all software updates are provided and pushed directly from Google, so there’s no third-party intermediary involved, further helping to speed the delivery of Chrome OS updates.”

If you’d like to learn more about Chrome OS security in businesses, Google is hosting a Chrome OS Security webinar next week.


Tagged with ,

Join the discussion!


Don't have a login but want to join the conversation? Become a Thurrott Premium or Basic User to participate

Comments (39)

39 responses to “Google Explains Why Chrome OS is More Secure”

  1. Nonmoi

    Obviously, if a system is more closed and more limited, it will be more "secure", more or less.

    But with Android Cloak & Dagger floating out there, you really need to dive deeper into the fundamental design of the OS to find out how safe it really is.

    • Waethorn

      In reply to Nonmoi:

      It's open source. Go ahead and look. The only difference between what you see in Chromium OS and what's in Chrome OS is proprietary drivers (OEM's are shamed if they offer proprietary binaries though), and patented software like the MPEG-4 codecs and Flash plugin support. Chromium OS doesn't auto-update either because it doesn't contain Google's code-signing certificates, nor does Google think that developers want their software auto-updating.

      • Nonmoi

        In reply to Waethorn:

        Open source means little (in terms of security, or quality of the software), without trained eyes and abundant (paid) times to conduct actual audit, we learnt this from Heart-bleed, and more recently SambaCry.

        I for one would first admit that I as an individual don't have the know-how and resources to preform such an audit.

  2. chrisrut

    I guess the only part that surprises me is that MS isn't already doing something similar in updating W10 images - it's as old as the hills, tried and true, etc.

  3. tremblaymax

    Google should learn from Google when it comes to update Android.

    • dcdevito

      In reply to tremblaymax:

      *golf clap*

      In Android O (or was it Nougat?) they are essentially doing the same thing, so an update downloads and won't interrupt your workflow. So the IMPLEMENTATION of Android updates are great but yeah the business model gets in the way.

    • crfonseca

      In reply to tremblaymax:

      The problem with updating Android is mostly the OEMs not bothering to do it, or taking their sweet time to do it.

      I really don't see how Google can fix this.

      They could mandate that OEMs update Android when they grant them their Google Play license, but then what would they do when a OEM doesn't keep its word and doesn't deliver the updates?

  4. ChristopherCollins

    A long time ago, I posted this very thing as a comment (the dual partitions) and someone hopped right in to tell me I was incorrect. I am glad to see my research was correct.

    I hope MS gets near this one day. I realize their OS is MUCH larger, but with compression and other things always improving, maybe it could happen.

  5. skane2600

    “Additionally, all software updates are provided and pushed directly from Google, so there’s no third-party intermediary involved, further helping to speed the delivery of Chrome OS updates.”

    Unless we are talking about phones, this is exactly the same scenario Windows uses. All updates come directly from MS.

  6. dcdevito

    I agree. While I'm not a full-time Chrome OS user, updates is something you NEVER worry about and it never interrupts your workflow. I just wish they made it more powerful.

  7. Jeff Jones

    I'm glad you brought this up. I think the Pixel phone does this too doesn't it? Supposedly all new Android phones after v7, but not older upgraded phones, have dual partitions for a seamless update experience.

    Do you think Windows 10 S will have this dual partition upgrade method?

    • skane2600

      In reply to Jeff Jones:

      I doubt it. It's really a time vs. storage issue. You can update the system software faster at the expense of doubling the amount of storage it takes.

      • Jack Smith

        In reply to skane2600: The problem is MS have massive amounts of technical debt so it is really difficult for them to change to something that works better for today.

        This is why Google has such an advantage as they do not have the same technical debt as MS.


        • skane2600

          In reply to Jack Smith:

          Well, technical debt is about favoring the short term over the long term. It's not as if Windows NT design could have anticipated the 2017 environment. The whole idea of technical debt, however, is a one-sided argument. Many great and successful products would never have seen the light of day if developers had waited until they had the perfect system. And trying to anticipate future needs can lead to wasted time and bloated systems. Sometimes it makes more sense to pay for the future IN the future.

  8. VancouverNinja


    Your own article ( The PC Market Just (Barely) Bounced Off the Bottom (Premium) ) states the following

    "But Chromebooks were not what’s responsible for that growth, contrary to what you may have read elsewhere." - this in relation to the overall growth.


    "But Chromebook? No. IDC did note that “the commercial PC market [in the US only] came out strong mostly backed by growth of Chromebooks,” but the consumer market—which is where Chromebooks see most sales—still fell in the US, as did the overall US PC market. "

    From what I have read Chromebooks was not the only reason for the PCs growth in the Business segment.

    I have been saying that Google's opportunities in Business and Education have peaked since the Windows 10 S announcement and I think over the next 12 months Chromebooks growth will end up being greatly diminished if not outright halted.

    Recently I spoke with a VP from a top IT consultancy (6,000 employee strong) firm that is changing direction away from suggesting Chromebooks going forward. He said that introducing and maintaining another OS platform into Windows based networks doesn't make sense anymore - Windows 10 S will be taking that role over and makes more sense to their IT customers and them.

    It would serve the community best on this site (in my opinion) if you could work on getting us more information surrounding Windows 10 S instead of articles on Chromebooks which is a marginal OS platform for both consumers and businesses.

  9. lvthunder

    So they do the same thing TiVo does with the two images thing.

  10. rameshthanikodi

    Google Chrome on Windows pioneered this updating method first. Chrome on MacOS does it too. Android after upgrading to Nougat uses this method now as well. It's great.

    • Jack Smith

      In reply to rameshthanikodi:

      Totally agree on Chrome pioneering this approach and personally love it as very lazy. It is now called "evergreen". Think the name fits well.

      What surprises me is MS does not figure out how to copy the approach. Recently son was going to bed for the evening and went to shutdown his PC and it indicated "updating 1 of 3 and do not turn off the computer". Told him fine to leave on for the night. He gets up in the morning and computer indicates "updating 1 of 3 and do not turn off the computer".

      Really? Come on MS it is 2017 and this is the best you can do? The Chromebook just automagically updates and none of this silliness. We are now CBs with the kids for everything but hardcore gaming which is still Windows as really no other choice.

  11. Waethorn

    None of this is real news - Chrome OS has been working like this for years. Google always has this information available for businesses too. They always refresh their documentation whenever a new tech show is scheduled though.

  12. Waethorn

    The other advantage that they have is that when OEM's use open-source drivers, Google can review them properly, unlike Microsoft. The drivers are integrated into each hardware image for a piece of hardware under the open source device tree. Each system is categorized into a codename, and each system is built off a developer kit (usually a dev board or SBC unit) of a certain chipset. All of these devices are in the Chromium device tree. Any OEM can use a device in the device tree and build a new piece of hardware off the same chipset. It's a far more flexible hardware development system than Microsoft has, which is full of OEM's that have no accountability.

  13. Locust Infested Orchard Inc.

    Chrome OS and secure in the same sentence? Well I never - an oxymoronic statement of gravity-defying proportion.

  14. hrlngrv

    For large enterprises already using Citrix, using Chromebooks/Chromeboxes as thin clients to connect to in-house servers running Windows desktop software makes considerable economic sense. Locally those machines are running the Chrome browser 2/3 (and growing) of employees are already using outside of work.

    The other thing to consider is that 2 full Chrome OS system images can fit on 16GB drives and still leave more than 10GB for local storage (in ~/Downloads). Windows is just a bit heftier.

    • VancouverNinja

      In reply to hrlngrv:

      It really doesn't make sense going forward. Enterprises will be able to buy windows 10 S at the same inexpensive prices, have the same interface as all of their pcs, and not manage another different OS. Chromebooks have no reason or value anymore to the enterprise. Google moved too slowly and MS has closed the window of opportunity for them. To be fair it is a Windows world not a Chromebook OS world and for Google trying to gain any real meaningful penetration of it is more of a task than Bing trying to over take Googles search engine. Start studying up on Windows 10 S - its the future.

      • Tony Barrett

        In reply to VancouverNinja:

        Is Win10S even aimed at the Enterprise? It probably only makes (some) sense if you upgrade to Pro, but the telemetry collection risks to businesses in that version make it a non starter for most. Every Chromebook is just the same, running the same version of ChromeOS - Windows just has so many different SKU's - with more being added - it's just confusing.

        Win10S is definitely where MS want Windows to go, but they've tried it before with WinRT, and we all know how that ended up. It's just MS trying to dump Win32 and get service lock in via another route, but there's no reason to believe this will succeed either.

      • Jack Smith

        In reply to VancouverNinja:

        The issue is how inefficient Windows is compared to Chromebooks. It was really explained well by one of the actual Microsoft engineers that works on the Windows OS (Kernel) in a blog post. Here is a link and really recommend reading.

        "I Contribute to the Windows Kernel. We Are Slower Than Other Operating Systems. Here Is Why."

      • skane2600

        In reply to VancouverNinja:

        Neither Chromebooks nor Windows S are well suited for the Enterprise. What they have in common is an inability to run most existing Windows programs.

        • siko

          In reply to skane2600:

          Wrong answer. They can run any windows app that comes through the store. Enterprises might (I don't know this for a fact, but know that technically it would be easy to do), run apps from their 'own' in house store....

          Store-App model is very successful (iOS/Android) and end-users stay safe and happy and I bet enterprises want it!

        • jean

          In reply to skane2600:
          with CItrix Receiver UWP that equation just changed dramatically...

          • skane2600

            In reply to jean:

            Yes using Citrix you can run legacy Windows programs on the server at reduced speed. That doesn't change the fact that you can't run them natively on Windows S. Of course, you can achieve the same poor performance using Citrix with Chromebooks.

          • hrlngrv

            In reply to jean:

            There's a Citrix Receiver extension for Chrome too. Any enterprise using Citrix to connect employees to application servers shouldn't care what OS those employees' local machines are running.

      • hrlngrv

        In reply to VancouverNinja:

        Any Windows 10 S devices available for sale today?

        Just a bit early to be crowing about how Windows 10 S has killed off Chrome OS.

        • VancouverNinja

          In reply to hrlngrv:

          I thought I was being fair to that point "...doesn't make sense going forward" its a matter of months not years here. It hasn't killed it off yet but it is an illogical move now for the majority of enterprises with Windows based networks. Chromebooks has always been a platform looking for a home but the majority of customers never asked for it. Just like MS has exited the current smart phone category, Google too (whether they like it or not) is now holding a tech item that is out of step and not in demand. It solves nothing better than the incumbent OS system. The tables turned here very fast but it actually took MS years of work to put the proper solution together. They deserve credit for that.

          • Jack Smith

            In reply to VancouverNinja:

            I could NOT disagree more. I have been moving our kids to CBs the last couple years and could not be happier.

            I am also the house admin and these machines are a dream. But then the kids get an incredible computer for dirt. Lately been buying refurb Acer 14s for $200. These are all aluminum, super thin, and look like a Mac. But then they have fantastic displays, super and I mean unheard of battery life, peppy performance, etc.

            I have a HUGE family as in 8 kids and CBs are simply perfect. You just can NOT buy a cheap Windows box as they are just not very useable. The key is ChromeOS is so much more efficient.

            The reason, if technical, was explained by one of the actual and current Windows OS (kernel) developers.

            "I Contribute to the Windows Kernel. We Are Slower Than Other Operating Systems. Here Is Why."


        • jean

          In reply to hrlngrv:
          all Windows 10 devices are also Windows 10S devices ... you won't nemefit from reduced prices due to lower OS cost though

  15. Ted O'Hayer

    This is also happening in the server space, CoreOS Container Linux is a server version of ChromeOS. The purpose is you should never have to worry about the OS underneath, and only worry about shipping containers as part of a CI process, where they can be automatically audited.

Leave a Reply