Let us start
Data Security is a primary design consideration for all of Google’s infrastructure, products and personnel operations. The collaboration of Google with the security research community enables them to address vulnerabilities quickly or prevent them entirely.
22% said that their cybersecurity team spends most of its time addressing high priority/emergency issues and not enough time on strategy and process improvement.
Organizations have typically turned to the public cloud for cost reductions, or to increase the ability of private data centres. However, organizations are now looking for security primarily at the public cloud, realizing that Cloud providers deliver secure infrastructure. It was thus helping them invest more in people and processes.
Google Infrastructure Security Layers
We will now discuss the Google Infrastructure Security Layers, which supports both the enterprise and the consumer. Enterprise services include G suite and Google Cloud Platform.
Secure Low-Level Infrastructure
Within this segment, we explain how we protect the lowest levels of our networks, from the physical premises to the purpose-built hardware within the data centres to the low-level software stack operating on any device.
Security of Physical Premises
Google uses multiple physical security layers to protect data centre floors and use technologies like biometric identification, metal detection, cameras, vehicle barriers, and laser-based intrusion detection systems
Hardware Design and Provenance
A data centre for Google is composed of many server machines connected to a local network. Google custom-designs the server boards and the networking equipment.
Secure Boot Stack and Machine Identity
Google server machines use a variety of technologies like BIOS, bootloader, kernel, and base operating system image to ensure that booting of the correct software stack.
Secure Service Deployment
Let us describe how the hardware and software helps to ensure that a service is deployed securely on our infrastructure
Service Identity, Integrity, and Isolation
For inter-service communication, google uses cryptographic authentication and authorization at the application layer. This provides robust and abstraction-level access control and granularity that administrators and services naturally understand.
Inter-Service Access Management
The owner of a service can use access management features provided by the infrastructure to specify precisely which other services can communicate with it. And the Inter-Service Communication is Encrypted.
Secure Data Storage
Google implement secure data storage on the infrastructure
Encryption at Rest
Google’s infrastructure provides a wide range of storage services, including Bigtable and Spanner, as well as an essential management service.
Deletion of Data
Deletion of Google data most often starts with marking specific data as “deletion scheduled” rather than deleting the data.
Secure Internet Communication
Google isolates infrastructure from the Internet into a private IP space such that additional security such as a denial of service defences (DoS) threats can be enforced more effectively by directly exposing a subset of machines specifically to external internet traffic.
Google Front End Service
If a service intends to be made available on the Internet, it can register itself with the Google Front End (GFE) infrastructure service.
Denial of Service (DoS) Protection
Google’s overwhelming scale of infrastructure allows Google to easily handle loads of DoS threats. That being said, Google has multi-tier, multi-layer DoS safeguards that further reduce the risk of any DoS effect on a GFE operation.
The next layer of defence after DoS protection comes from google’s central identity service. This service usually manifests to end-users as the Google login page.
The last but not the least google operates the infrastructure securely from their employees’ machines and credentials. Google defends against threats to the infrastructure from both insiders and external actors.
Safe Software Development
Google has a high emphasis on the secure environment for development; as a result, use manual security reviews and in-depth design and implementation reviews for the riskiest features.
Taken from Article, The Complete Guide to Application Security
Keeping Employee Devices and Credentials Safe
Google makes considerable investment to protect the equipment and credentials of their employees from compromise and also to monitor activities to identify potential compromises or illicit insider activity.
How is the Google Cloud Platform (GCP) secured?
In this section, let us find out how GCP, public cloud infrastructure, benefits from underlying infrastructure security. For a better understanding of the infrastructure and how it provides service-specific security improvements that we build on top of the infrastructure to GCP lets take the example of Google Compute Engine.
Compute Engine allows customers to run their virtual machines on the infrastructure of Google. The compute Engine consists of management control plane and the virtual machines. So let’s get started.
- The Compute Engine control plane exposes its API via the GFE, leveraging infrastructure security features such as Denial of Service ( DoS) protection and centrally managed support for SSL / TLS.
- End-user authentication to the Compute Engine control plane API is performed through Google’s centralized identity service providing security features such as hijacking detection. Authorization is done using the central IAM service in the cloud.
- The network traffic for the control plane, from the GFEs to the first service behind it and from other control plane networks, is properly authenticated and protected by the system as it passes from one data centre to another
- Compute Engine persistent disks are encrypted at-rest using keys that are protected by the key management system for the central infrastructure.
- The isolation provided to the VMs is based on hardware virtualization using the open-source Kernel-based Virtual Machine Stack.
- Compute Engine’s use of customer data obey the GCP use of customer data policy, Google does not access or use customer data, except when required to provide services to customers.
Google Security Checklist
- Require 2-Step Verification for admin accounts
- Enforce 2-Step Verification for users
- Don’t use a super admin account for daily activities
- Don’t remain signed in to an idle super admin account
- Set up admin email alerts
- Review the admin audit log
- Add recovery options to admin accounts
- Enrol a spare security key
- Save the backup codes
- Use unique passwords
- Prevent password reuse with password alert
- Regularly review activity reports and alerts
- Know and approve which third-party can access G Suite core services
- Create a Whitelist of trusted apps
- Limit external calendar sharing
- Set up underlying Chrome OS and Chrome Browser policy
- Warn the users when chatting outside their domain
- Don’t automatically share the contact information
- Validate email with SPF, DKIM, and DMARC
- Disable the “Do not require sender authentication” setting for spam policies.
- Prevent automatic forwarding the incoming mail
- Enable comprehensive mail storage
- Enable additional attachment protection
- Enable enhanced pre-delivery message scanning
- Enable additional attachment protection
- Limit group creation to admins
- Set up the private access to groups
- Enforce mobile password requirements (reduce risk if the device is lost)
- Encrypt data on mobile devices
- Enable mobile inactivity reports
- Disable location history
- Disable access to offline docs
- Do not permit users to establish add-ons for Docs from the add-on store
You may also like to read