On matters of computing infrastructure, when Google talks, people listen. Because, you know, they have a lot of it. And when they speak on matters of infrastructure security, people tend to listen closely, not just for details of Google's security, but for details of how that security will have an impact on Google customers.
That's why a recent document, Google Infrastructure Security Design Overview, is getting so much attention around the Internet. It's important to note that this is not a multi-hundred-page detailed recipe for how to duplicate (or defeat) Google's security. This is, instead, a look at the broad principles and brush strokes that define the security at Google. Nevertheless, those interested in security will want to read the whole thing because there are several points that bear closer scrutiny from IT professionals.
While many pieces of the Google infrastructure security plan fall into the "common sense" category, three of the broad strokes seem less recognized among IT professionals. These three could be worth visiting even for those who lack the time or interest to read through the entire document.
Google's security plan is thorough in both scope and depth. The scope is dealt with in the first major point, the depth in the next two.
- Security begins outside the door -- Google makes a rather big deal about the way in which they start taking security seriously before the hardware hits the data center's raised floor. Their servers are built for them, to their own specifications, by carefully vetted manufacturing partners, so there's no chance of malware coming in the door in a 1U box. And they're just as careful with the employees, partners and contractors who have access to those data centers. The IT infrastructure extends to the physical infrastructure and a very broad perimeter.
- Encryption is everywhere -- Security professionals frequently debate precisely which information should be encrypted, but Google takes an expansive view of encryption, providing multiple layers of encryption for many customers. In addition to the storage- and application-layer encryption that Google offers its customers, according to the document, "We enable hardware encryption support in our hard drives and SSDs and meticulously track each drive through its lifecycle." So the data is encrypted both at rest and in motion between applications and storage, and between the Internet and applications. Within the infrastructure, RPC traffic is also encrypted to make it more difficult for an attacker to hijack procedure calls and inter-process commands.
- People and process are critical -- Yes, everyone gives lip service to the three legs of IT (and IT security): people, process and technology. But in practice, technology often gets the most attention because it's the easiest to tackle. In the document, Google describes a philosophy of constantly reviewing access permissions to make sure that each employee has the least privilege required to do their job. They also aggressively monitor employee activity, checking which files, processes and applications are accessed. The employee focus is one that begins with hiring and extends throughout the time that the employee has access to any part of the infrastructure.
Google is far from the only cloud service provider that gives glimpses into their security philosophy and processes. Amazon Web Services has a white paper on security processes and Microsoft Azure has a group of web pages on security. It's notable that so many similarities exist between the different documents -- and that so many of the policies and practices are adaptable for even very small companies and user populations.
— Curtis Franklin, Security Editor, Light Reading