
Securing Endpoints with Zero Trust

Step Ahead establishes the security posture of an organization's computing assets (desktops, laptops, mobile devices and IoT devices) by verifying each endpoint and then securing it.

Endpoint Verification allows you, as an admin or security operations professional, to build an inventory of devices that are accessing your organization’s data. Endpoint Verification also provides critical device trust and security-based access control as a part of the Context-Aware Access solution.

The device inventory that Endpoint Verification builds provides valuable information that can be used to maintain security. When paired with Context-Aware Access offerings, Endpoint Verification helps enforce fine-grained access control on your Google Cloud resources.

How Endpoint Verification works

Endpoint Verification consists of a Chrome extension, although a native helper app is also required for Linux devices and for Mac and Windows devices not using Chrome 80 or higher. Chrome OS devices only require the Chrome extension.

Once enabled through the G Suite Google Admin console, you can deploy the Endpoint Verification Chrome extension to corporate devices. Employees can also install it on their unmanaged, personal devices. This extension gathers and reports device information, constantly syncing with Google Cloud.

Using the details collected from the Chrome extension, Endpoint Verification creates an inventory of devices running Chrome OS and Chrome Browser that access your organization’s data. For example, once an employee installs the Endpoint Verification extension, Endpoint Verification populates information about the device the employee used to access Google Cloud resources. As an admin, you can review information including encryption status, OS, and user details.

Collected device information

The following table describes the properties and attributes collected from the devices accessing corporate resources.

The properties fall into four groups: user details, device compliance, policy profile and device properties.

Property name | Description | Supported devices
Name, Email | The user's name, email ID and aliases | Mac, Chrome OS, Windows, Linux
Status | Device's management status: Approved or unknown | Mac, Chrome OS, Windows, Linux
First sync | Date and time the user first synchronized corporate data on the device | Mac, Chrome OS, Windows, Linux
Last sync | Date and time of the most recent sync | Mac, Chrome OS, Windows, Linux
Device password status | Whether the device has a screen lock password (see note below) | Mac (managed devices only), Windows, Linux (supported window managers only: Gnome, Cinnamon)
Encryption status | Whether the device is encrypted | Mac, Chrome OS, Windows, Linux
Device ID | Unique number associated with the user's device | Mac, Chrome OS, Windows, Linux
Serial number | Serial number of the device | Mac, Chrome OS, Windows, Linux
Type | Make of device | Mac, Chrome OS, Windows, Linux
OS | Name of the operating system | Mac, Chrome OS, Windows, Linux

Note: Device password status doesn't report whether the device has any other type of password (such as a firmware password for Mac).

Context-Aware Access

Endpoint Verification is a part of the Context-Aware Access approach to securing Google Cloud, on-premises apps and resources, and Google Workspace apps. The attributes Endpoint Verification collects can be used by Access Context Manager to control access to Google Cloud and Google Workspace resources.


Access Context Manager references the device attributes gathered by Endpoint Verification to enforce fine-grained access control with access levels. You can also tag individual devices and mark company-owned devices. Manual device tagging is enforced by creating a device access level that requires device approval. Company-owned devices are enforced by creating a device access level that requires company-owned devices.
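As an added illustration (not configuration from the original page or from Step Ahead), the following basic access-level spec ties the collected attributes above to an Access Context Manager device policy; the level name, OS versions and the file name are assumptions, and the spec is meant for `gcloud access-context-manager levels create --basic-level-spec`:

```yaml
# trusted-endpoints.yaml (constructed example, not from the page)
# Each list entry is one condition; with the default combine function,
# conditions are ORed, so keep a single strict condition for a "trusted device" level.
- devicePolicy:
    # "Device password status": device must have a screen lock
    requireScreenlock: true
    # "Encryption status": only fully encrypted devices may pass
    allowedEncryptionStatuses:
      - ENCRYPTED
    # "Status": device must have been approved by an admin (manual device tagging)
    requireAdminApproval: true
    # Company-owned devices only
    requireCorpOwned: true
    # "OS": restrict to supported platforms; version floors are placeholders
    osConstraints:
      - osType: DESKTOP_MAC
        minimumVersion: "12.0"
      - osType: DESKTOP_WINDOWS
        minimumVersion: "10.0"
      - osType: DESKTOP_CHROME_OS
        requireVerifiedChromeOs: true
      - osType: DESKTOP_LINUX
```

Because Device password status is only reported for Linux under Gnome and Cinnamon, a Linux endpoint on another window manager cannot satisfy requireScreenlock and will be denied by this level, which is usually the safer failure mode.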