What Google Can Teach Us about Security
How secure can a company be? In a world where the incoming US government’s ‘cyber czar’ finds himself the victim of hackers, there’s a feeling that companies are going to find it increasingly impossible to keep themselves secure.
And that’s a major problem for large organizations who have to demonstrate to millions of customers that their own private data is going to be safeguarded. The likes of Facebook and Google have millions of customers placing a lot of trust in the companies’ systems.
Google has taken the interesting step of revealing exactly how its own protection works. The company has published a document, Google Infrastructure Security Design Overview, which sets out the core principles the company has adopted to keep itself secure.
Google’s measures include the design and control of its own data centers, using customized servers built on customized silicon (including security ASICs), different cryptographic levels, access management of end user data and many other techniques.
It’s a vital document as it demonstrates clearly how seriously cloud providers are taking security. There are still potential cloud customers who are wary of choosing cloud and Google’s initiative shows the steps that cloud providers (and Amazon or Microsoft could probably publish something very similar) are taking.
As Dublin-based security consultant Brian Honan pointed out, the Google document offers great reassurance to anyone wishing to choose the company’s cloud services.
“Google is building the road to allow you to drive the car,” he said.
Lessons for the Enterprise
But does the Google structure offer any other lessons? Can average-sized businesses learn anything from the Google approach? It’s easy enough for these giant corporations to spend millions, but can an average mid-sized business replicate the Google way? And, while they’re not able to design their own silicon, what could these companies do in order to come close to Google’s level of security?
According to David Cartwright, chief security officer with telecoms provider The JT Group, many of the policies that Google is adopting are tactics that most medium-sized (and larger) organizations could adopt. Cartwright is responsible for security across different companies within the group and is impressed with the thoroughness of Google’s approach.
Cartwright said that Google’s emphasis on “Defense in Depth” is an illustration of how security can be designed in layers, taking into account all the different ways in which a system could be attacked.
He said that in some cases, Google takes this to extremes. For instance, “they use application-level encryption to protect against malicious hard disk firmware,” he noted. This means “the application encrypts the data prior to writing it to disk, so the disk controller never sees an unencrypted version.”
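The pattern Cartwright describes can be sketched as follows. This is an added example, not code from Google's document or from the article; it assumes AES-256-GCM from the Go standard library as the cipher, and the key, record and file path are constructed for the demonstration. It goes one step beyond the quote by also showing that the authentication tag catches a byte altered below the application.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"os"
)

// writeSealed encrypts in the application and writes nonce||ciphertext||tag,
// so the storage stack below never receives the plaintext.
func writeSealed(path string, aead cipher.AEAD, plaintext []byte) error {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	return os.WriteFile(path, aead.Seal(nonce, nonce, plaintext, nil), 0o600)
}

// readSealed authenticates and decrypts; any altered byte makes Open fail.
func readSealed(path string, aead cipher.AEAD) ([]byte, error) {
	blob, err := os.ReadFile(path)
	if err != nil || len(blob) < aead.NonceSize() {
		return nil, fmt.Errorf("unreadable or truncated blob: %v", err)
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], nil)
}

// demo reports: is the plaintext visible on disk, does it round-trip, and is
// a byte flipped by the storage layer caught. Key and record are constructed.
func demo(path string) (plainOnDisk, roundTrip, tamperCaught bool) {
	block, _ := aes.NewCipher(bytes.Repeat([]byte{0x42}, 32)) // 32 bytes: AES-256
	aead, _ := cipher.NewGCM(block)
	secret := []byte("constructed record: user=alice")
	if writeSealed(path, aead, secret) != nil {
		return
	}
	raw, _ := os.ReadFile(path) // exactly what the disk holds
	plainOnDisk = bytes.Contains(raw, secret)
	got, err := readSealed(path, aead)
	roundTrip = err == nil && bytes.Equal(got, secret)
	raw[len(raw)-1] ^= 1 // simulate storage altering one byte
	os.WriteFile(path, raw, 0o600)
	_, err = readSealed(path, aead)
	return plainOnDisk, roundTrip, err != nil
}

func main() { fmt.Println(demo(os.TempDir() + "/sealed-record.bin")) }
```

In a real deployment the key would come from a key management service rather than being embedded in the program, since a key stored on the same disk defeats the purpose.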
Cartwright said there were many other practices that other companies could adopt, and he highlighted a few in particular. Application layer security is called out specifically. “This is often missed. How many apps are there out there where the front-end website connects to the back-end SQL Server database using the sysadmin credentials?” he asked. This is something that any company could do. Sure, it would require some extra initial work, but it adds another security layer.
Then there’s the approach to named users, something that would help immensely with troubleshooting. “Engineers have unique, named identities so that access can be controlled and logged with confidence and so there’s an audit trail for forensic analysis,” said Cartwright. “Google also automates all security patches — too many companies say they don’t have the manpower to keep everything updated.”
The Red Team approach to stress-testing is also something that any company could (and should) do. Honan said that this is open to all businesses and if they don’t have the resources on the ground, a third-party organization could certainly test the structure.
Even when Google does something particularly funky, such as the customized security ASIC, it provides guidance for other companies. While the average firm can’t do this, it can implement similar techniques at a low level to ensure security (e.g., BitLocker on Windows machines prevents access to onboard disks when booted from a non-approved disk).
Cartwright said that one thing that the document is light on is training. Is it taken for granted that all Google employees are security aware and require additional training? It’s probably a reasonable assumption but the average company would certainly need to implement a high degree of training for additional security.
Honan said that there are other measures for companies to follow — the Cloud Security Alliance, the National Institute of Standards and Technology, and SANS Institute all offer guidelines for best practice when it comes to cloud implementation but all companies will find something worthwhile in the Google document: these are processes that are some of the best in the business and will contribute greatly to levels of security.