Google Infrastructure Security Design Overview
"This document gives an overview of how security is designed into Google’s technical infrastructure. This global scale infrastructure is designed to provide security through the entire information processing lifecycle at Google. This infrastructure provides secure deployment of services, secure storage of data with end user privacy safeguards, secure communications between services, secure and private communication with customers over the internet, and safe operation by administrators. Google uses this infrastructure to build its internet services, including both consumer services such as Search, Gmail, and Photos, and enterprise services such as G Suite and Google Cloud Platform."
Posted Jan 15, 2017 14:09 UTC (Sun)
by david.a.wheeler (subscriber, #72896)
This is great to see. For those who don't know, this is an "assurance case" (definition: "a body of evidence organized into an argument demonstrating that some claim about a system holds, i.e., is assured").
I'm glad to see more assurance cases. You can't just do one thing and have a secure system. And if you want people to trust you, you need to give them a reason to trust.
The CII best practices badge also has an assurance case (and if you want to help us make things better, let us know!).
Posted Jan 16, 2017 10:55 UTC (Mon)
by alkadim (guest, #104623)
Posted Jan 16, 2017 12:58 UTC (Mon)
by ebirdie (guest, #512)
Hah! Take your pick: Prism (disambiguation). But you have a point I was about to comment, if we have a common in PRISM as a surveillance program - or surveillance service provider, as you incline your readers to conclude.
This spec only goes halfway as an overview of technical security design. What is left without answer: how does Google fit together its business in harvesting information from its users and customers, whether they are directly paying users and customers or not?
From the chapter Conclusion of the overview:
"We have described how the Google infrastructure is designed to build, deploy and operate services securely at internet scale. This includes both consumer services such as Gmail and our enterprise services."
I find it this way. Google does not offer much as an alternative to Microsoft or to Sony, just to name a few. They are all heavily inclined to provide services to 3rd (unknown) parties by collecting information from their users and customers alike.
I have a dislike of this business model, but nevertheless accepted Sony's agreement to do so from the unwrapped Christmas gift of my son. Just instructed my son not to connect his PS4 to the network for the time being until he starts to require PSN.
We know Sony had its troubles with its PRISM, eh, excuse me, PSN service as technical troubles, but we know nothing about how much they actually collect and to whom they sell or (unknowingly) give the collected data. As I afore named another software and service giant from which I have collected a perception that they hold quite a big gap between what they say they collect and what they have been caught collecting.
Great to see security assurance cases
such secure, much assurance
such secure, much assurance