As part of the recent InfoSecurity Europe 2014 show in London, we're taking a quick look at the Keynote Presentation by Dr. Peter Dickman, Engineering Manager at Google. Entitled ‘Securing and Protecting User Information Online', this dealt with the security and privacy implications of cloud computing.
Before the show, InfoSecurity Europe's own survey of information security professionals revealed that 49.6 percent of respondents had declared themselves as somewhat less likely, or much less likely, to trust US technology companies with sensitive information. No doubt arising from the Snowden revelations, this is a crucial issue, and Google's take on it was something many people would be keen to hear about.
Dickman first described how Google makes sure its data centers are sited near its users, in politically stable countries, with temperatures favourable for the stability of its servers. Regularity was important. Unlike normal centers, Google treats each of its sites as one giant server, which makes it easier for them to secure and to consolidate load.
With hundreds of millions of users, and relied on by billions of businesses, Google took the attitude that all user data was held in trust, and as a ‘responsible steward' of that data, their most critical duty was to make sure their systems were secure.
This was an issue common to all global public clouds, but while a lot of people were asking how secure were these clouds and whether they presented a lot of new security problems, Dickman was more of the opinion that these were issues that had always existed as problems anyway, it's just that no-one had given them enough attention. The world still faced the same security issues, with the same conflict between usability and security.
The solution was to be rigorous in applying best practice, especially in areas such as authentication, encryption and running hardened operating systems. Specific measures included certificate pinning, pre-loading certificates, and running its own hardened domain name system (DNS). As an example of best practice, he took a quick poll of attendees and berated any who were still not using 2FA with Gmail “You're security professionals after all”.
Multi-tenanted systems, which could well be hosting a competitor's data, were not a weakness, as long as the necessary separation of clients' workloads was applied. After all, Google runs its own company in this cloud, with a £50bn turnover, and were likely to be the premier target.
Along with the physical security of data centres, Google implemented the usual biometric controls, with security staff often laying traps for each other as a defense against insider threats. Active checking was carried out, sometimes by launching attacks against their own systems, while fault tolerance was tested by turning things off to see how the system coped.
Google had made it easy for people to pull their data out of the system if they wanted, and store it on their own server, but then they would face the usual trade-off between making data totally secure, but still making it accessible, and the costs involved. The economies of scale, and higher security, that Google could achieve, usually won over the option of keeping data on the premises. And for extra protection, there was always the resident alligator that had made a home at one of their data centers.