The multi-layer security strategy

Google corporate security policies

Google's security policies cover account data, corporate services, networks, change management, incident response, and data centers. All procedures are systematically challenged and updated. All persons employed by Google must comply with these policies. They are also given advice on security policies such as the safe use of the Internet and how to act when working from remote locations. Guidance is also provided on how to handle sensitive data. Special attention is given to emerging technologies such as the safe use of mobile devices and peer-to-peer software. All these documents are written with simplicity in mind, knowing that advice is only effective when the documents are actually read.

Organizational security

The Information Security Team is a full-time team composed of some of the world's best experts in information, application, and network security. The team is part of the Google Software Engineering and Operations organizations. It is in charge of maintaining Google's perimeter defense systems. Its members develop security processes and build security infrastructure, and they play a key role in defining the company's security policies and standards.

More specifically, members of this team are involved in the following activities:

  • They conduct security design reviews and code reviews
  • They monitor suspicious activity on Google's networks
  • They provide training to employees on complying with security rules, especially in secure programming
  • They help discover vulnerabilities and ensure that they are remediated quickly
  • They participate in the work of the wider security community outside Google

Besides the Information Security Team, there are also Global Compliance teams in charge of ensuring statutory and regulatory compliance worldwide.

Still another team is dedicated to physical security. Physical security of data centers relies both on strict confidentiality about their exact location and on the biometric checks that authorized personnel must pass. Buildings are all unmarked to protect them from prying eyes.

People who are not Google employees have only very limited access to data centers. Intrusion tests are performed routinely to detect any possible weaknesses in the procedures.

All procedures implemented at Google comply with the most stringent requirements of an SAS 70 Type II audit.

Asset classification and control

Security of customer data is of course essential, and Google has extensive controls and processes to protect it. Google Apps runs in a multi-tenant, distributed environment. Customer data is spread across a large number of computers using clustered databases. Google uses a distributed file system (GFS) that was developed in house. The data is replicated on many systems for reliability. Files are given randomly generated names, so they are not interpretable by humans.

Requests from one service to another service are systematically authenticated and authorized. Administrative access to production applications by operations engineers is similarly controlled. Role and group management for engineers is performed in a centralized way. Access to production services or accounts is provided on an as-needed basis only.

When a Google Apps user or an administrator erases a message or account, the data is deleted from all active servers and all replication servers. Pointers to the data are removed, and the dereferenced data is eventually overwritten by new data over time. When disks are replaced, they are first erased, and the erasure is then verified by two independent individuals. Each erased disk is tracked by its serial number.

Personnel security

The hiring process at Google takes security into account. Whenever possible, Google conducts criminal, credit, immigration, and security checks on people being hired. All employees receive security training, and more in-depth training is provided depending on the employee's role or position. Confidential reporting mechanisms ensure that employees can report any security violation they witness.

Physical and environmental security

Mechanisms used to protect Google's data centers vary with their geographic location, because risks are obviously not the same everywhere. Security measures follow well-accepted best practices, among them: access cards designed by Google, cameras, alarm systems, and security guards. The data center buildings where systems are installed are physically separated from areas to which the public has access. Cameras monitor for suspicious activity, and facilities are systematically patrolled by security guards.

Activity is monitored by high-resolution cameras, and the footage is retained for later review should it become necessary.

Access to data centers is restricted according to a person's role, not their position in the hierarchy. As a consequence, even the most senior executives at Google are not granted access to the data centers.

Data centers are designed for resiliency and redundancy to minimize single points of failure. Electrical systems are redundant, too.

Operational security

Google's strategy against malware relies on both manual and automated scanners that crawl websites that may pose a threat by distributing malware or hosting phishing pages. The blacklist of sites produced by this process has been integrated into most recent browsers. Multiple anti-virus engines are used to protect Gmail. This aspect of security is discussed in detail in Chapter 5, Security Tools, of this book.

Internal traffic is analyzed for suspicious behavior such as that generated by botnet connections. Any unusual behavior is tracked by a proprietary correlation system.

When a vulnerability requiring a fix has been discovered by the Security Team, it is logged, prioritized, and assigned to an individual who will be responsible for its resolution.

The Google Security Team is available 24x7 to all employees, to help solve any security issue that may occur. Events that could impact customers are given highest priority.

Access control

Each employee is given a unique ID and account by the HR department upon hiring, with a predefined set of privileges. This single account is used for all systems at Google. Systems require strong authentication wherever a password is needed; this mechanism uses one-time password generators. Each employee is granted a minimal set of privileges, which can be augmented only through a formal process that requires approval from the system owner, the manager, or other managers. These approvals are managed by dedicated workflow tools that record every change made.

Systems development and maintenance

This policy concerns the lifecycle of any software project. Design, development, and deployment of software benefit from two in-house consulting services:

  • Security Design Reviews are design-level evaluations of a project's potential security issues
  • Implementation Security Reviews are implementation-level reviews that assess a project's robustness against security threats

Security Consulting is an ongoing consultation on security risks for a given project.

The development process satisfies the following requirements:

  • Peer-reviewed design documentation
  • Adherence to coding style guidelines
  • Peer code reviews
  • Multi-layered security testing
  • Key requirements include robustness and maintainability

Disaster recovery

To minimize service interruption in the event of a natural disaster or hardware failure, Google implements a disaster recovery program in all its data centers. This includes, in particular, the following measures:

  • Data is systematically backed up and replicated across multiple systems and also to a secondary data center
  • The data centers are geographically distributed to maintain service continuity in the event of a disaster

In addition, Google has a business continuity plan for its headquarters in California. It assumes that people and services may be unavailable for up to 30 days.

Regulatory compliance

Regarding third-party requests for user information, Google follows standard legal processes. Google's Legal team reviews each request; if the request is considered valid, the user or organization whose information is requested is notified unless prohibited by law.

Google adheres to the US Safe Harbor Privacy Principles and has obtained a SAS 70 Type II certification.
