
Cloud Security

1/18/2017 12:58 PM
Curtis Franklin Jr.
Google Security Lessons for IT

Google released a new paper on their infrastructure security: What's in it for IT managers looking for security help?

On matters of computing infrastructure, when Google talks, people listen. Because, you know, they have a lot of it. And when they speak on matters of infrastructure security, people tend to listen closely, not just for details of Google's security, but for details of how that security will have an impact on Google customers.

That's why a recent document, Google Infrastructure Security Design Overview, is getting so much attention around the Internet. It's important to note that this is not a multi-hundred-page detailed recipe for how to duplicate (or defeat) Google's security. This is, instead, a look at the broad principles and brush strokes that define the security at Google. Nevertheless, those interested in security will want to read the whole thing because there are several points that bear closer scrutiny from IT professionals.

While many pieces of the Google infrastructure security plan fall into the "common sense" category, three of the broad strokes seem less recognized among IT professionals. These three could be worth visiting even for those who lack the time or interest to read through the entire document.

Google's security plan is thorough in both scope and depth. The scope is dealt with in the first major point, the depth in the next two.

  • Security begins outside the door -- Google makes a rather big deal about the way in which they start taking security seriously before the hardware hits the data center's raised floor. Their servers are built for them, to their own specifications, by carefully vetted manufacturing partners, so there's no chance of malware coming in the door in a 1U box. And they're just as careful with the employees, partners and contractors who have access to those data centers. The IT infrastructure extends to the physical infrastructure and a very broad perimeter.


  • Encryption is everywhere -- Security professionals frequently debate precisely which information should be encrypted, but Google takes an expansive view of encryption, providing multiple layers of encryption for many customers. In addition to the storage- and application-layer encryption that Google offers its customers, according to the document, "We enable hardware encryption support in our hard drives and SSDs and meticulously track each drive through its lifecycle." So the data is encrypted both at rest and in motion between applications and storage, and between the Internet and applications. Within the infrastructure, RPC traffic is also encrypted to make it more difficult for an attacker to hijack procedure calls and inter-process commands.


  • People and process are critical -- Yes, everyone gives lip service to the three legs of IT (and IT security): people, process and technology. But in practice, technology often gets the most attention because it's the easiest to tackle. In the document, Google describes a philosophy of constantly reviewing access permissions to make sure that each employee has the least privilege required to do their job. They also aggressively monitor employee activity to check for files, processes and applications accessed. The employee focus is one that begins with hiring and extends throughout the time that the employee has access to any part of the infrastructure.

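The two practices in the last bullet, a periodic least-privilege review and monitoring of what employees actually access, can be reduced to a small audit routine. The following is an added example written for this article, not code from Google's paper or from any Google system; the grant table, access log and review window are constructed for illustration.

```python
"""Least-privilege access review (added example; grants and log lines are constructed).

Two checks the article describes:
  1. Review: grants that show no use inside the review window are candidates
     for revocation, so each employee keeps only what the job still needs.
  2. Monitor: accesses that match no grant at all are monitoring hits that
     need investigation (a missing grant record, or misuse).
"""
from datetime import date, timedelta

# Constructed grant table: (employee, resource) pairs currently allowed.
GRANTS = {
    ("alice", "billing-db"),
    ("alice", "prod-deploy"),
    ("bob", "prod-deploy"),
}

# Constructed access log: (day, employee, resource). Note carol holds no grant.
ACCESS_LOG = [
    (date(2017, 1, 3), "alice", "billing-db"),
    (date(2017, 1, 10), "bob", "prod-deploy"),
    (date(2017, 1, 12), "carol", "billing-db"),
]


def review_access(grants, log, today, window_days=90):
    """Return (stale, ungranted).

    stale: sorted grants with no recorded use on or after today - window_days.
    ungranted: log entries (ISO day, employee, resource) with no matching grant.
    """
    cutoff = today - timedelta(days=window_days)
    last_use = {}
    ungranted = []
    for day, who, resource in log:
        key = (who, resource)
        if key not in grants:
            ungranted.append((day.isoformat(), who, resource))
            continue
        if key not in last_use or day > last_use[key]:
            last_use[key] = day
    stale = sorted(k for k in grants if k not in last_use or last_use[k] < cutoff)
    return stale, ungranted


def run_review(today=date(2017, 1, 18), window_days=90):
    """Run the review over the constructed data (date chosen to match the article)."""
    return review_access(GRANTS, ACCESS_LOG, today, window_days)


if __name__ == "__main__":
    stale, ungranted = run_review()
    print("revocation candidates:", stale)
    print("accesses without a grant:", ungranted)
```

Shortening the window (for example to 10 days) widens the revocation list, which is the lever a review policy tunes against how often the review runs.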

Google is far from the only cloud service provider that gives glimpses into their security philosophy and processes. Amazon Web Services has a white paper on security processes and Microsoft Azure has a group of web pages on security. It's notable that so many similarities exist between the different documents -- and that so many of the policies and practices are adaptable for even very small companies and user populations.

— Curtis Franklin, Security Editor, Light Reading
