Your browser is incompatible with this site. Upgrade to a different browser like Google Chrome or Mozilla Firefox to experience this site.

Google Cloud Platform Security: A Data Fortress

Date:: June 26, 2018
Author:: Brian Eiler

This is part one of a three-part series discussing Google Cloud Platform. Part I discusses GCP security infrastructure.

With companies like Apple, Netflix, Evernote, and Spotify moving at least part of their business to Google Cloud Platform (GCP), you may wonder what makes GCP so attractive. Despite Google’s late entrance to the public cloud business in 2011, their long-running experience with high-demand services, such as Google Search, Gmail, and Google Maps, built on their custom-made infrastructure, proves that they can provide world-class products that we all depend on. Google Cloud Platform expands on their previous services, but the backbone of those products, and the company philosophy, is to ensure data security.

Google takes security to a whole new level thanks to their years of experience as one of the most popular targets on the internet for would-be hackers and denial of service bots. This led Google to build a sophisticated security infrastructure the likes of which few companies or organizations can claim. Google approaches security holistically and involves everything from the physical data centers, to the data pipelines between them, down to the training of each employee that is responsible for managing the infrastructure.

Let’s examine that security infrastructure piece by piece and see how Google has constructed a true data fortress.

The Human Element

If your employees don't understand or respect security it's useless. Since the best way to combat ignorance is education, Google employees receive extensive training in security issues beginning with their first day on the job. Google continues to reinforce their "security culture" through training and security conferences.¹

To further alleviate the insider threat, Google provides Access Transparency, which allows you to see, in real-time logs, how GCP administrators access your content, including during support events that you initiate. It integrates with StackDriver, enabling you to incorporate the GCP administrator monitoring access into your regular monitoring regiment. It also includes further data protection controls to limit Google's ability to access your data, except when necessary to fill their contractual obligations to you. Google already pledges to stay out of your data, but it is reassuring that there are controls in place for you to trust and verify.

Physical Security

Physical security takes on many forms from locks to redundancies. Their data centers incorporate the most advanced security features like multi-factor authentication, including biometrics for anyone with access to the data center floor. Highly-trained and well-vetted security guards protect the data centers. Power is redundant, coming from at least two equal sources with generators for backup. Cooling systems prevent overheating that could cause hardware failures and fire detection and suppression systems avert fire losses. Additionally, they use the greenest technologies available to reduce their power consumption and rely less upon the grid.

Google custom-designs and manufactures all hardware to limit vulnerabilities that exist on publicly available hardware. They also customized the OS, based on Linux, for the most secure, fault-tolerant environment possible, while still allowing flexibility for meeting customer demands. Custom software continuously monitors the system for modifications and reverts it to the standard image if a change that differs from the standard is detected, essentially keeping itself running without compromise.

Google closely tracks all hardware to ensure that no unauthorized individual can remove data from Google facilities. They use a multi-stage process first to ensure that data is extracted from old or malfunctioning drives, and then to ensure that the drives are securely destroyed before the fragments are recycled.

Network Security

The Google network is expansive and stretches around the globe. Google links to more Internet Service Providers (ISP) than any other company in the world. This means that not only is your latency reduced due to the reduction in network hops, but there are also fewer places to intercept your traffic before it reaches the Google network. They can do this because Google has a substantial private backbone running between their data centers for better performance and security.² They also consistently expand their network through investments in fiber optic cables, including trans-oceanic ones, and data centers to increase the availability and decrease the latency on the network.

Google makes operational security part of their day-to-day operations. They have systems that continuously scan for vulnerabilities and help mitigate them. Google works with other organizations to find possible sources of malware and wards users away from those sites. They also actively monitor traffic for security threats and have processes in place to automatically manage and mitigate security incidents to minimize damage.

Data Security

Google protects all data at rest and in transit. At rest, it is physically secured in their fortress-like data centers using drive locking and full disk encryption. In transit, data is secured using strong encryption via protocols such as TLS and SSL. Other encryption mechanisms are available, like IPsec VPNs, for specific types of workloads. Redundancy in most aspects of their infrastructure as well as maintaining multiple regions throughout the globe also contribute to security, while making the network reliable and flexible, allowing customers to build highly available systems.

Data sovereignty is always a concern when outsourcing your IT systems. Google promises that the data you put into their cloud remains your data. They do not own it or scan it for advertising potential, and you maintain total control over your data. If you withdraw your data from their systems, it will be permanently deleted within 180 days, and they even give you free tools to help you move the data.

Identity and Access Control

Network and server security is great, but how do you control access to your data once it is in GCP? You have several choices. Cloud Identity, an Identity as a service (IDaaS) platform, allows you to control all of your employee identities for GCP, other cloud providers, and your own on-premises data centers with a single sign-on. It enables device management and helps control user access as a person enters, changes roles, or leaves your organization with multiple options for security levels based on your needs.

To add more detailed control over who can access data, Google offers Cloud Identity and Access Management (IAM). This Enterprise-Grade service allows you to map users to groups and grant permissions using Role-based Access Controls. Cloud IAM also enables you to quickly adjust your user security needs from the GCP Console or the APIs, and it is free for all GCP subscribers.

Cloud Identity-Aware Proxy lets your users authenticate to your custom applications using the same logon credentials they would use to manage GCP services or other Gsuite products. This gives the users a more seamless and faster user experience than a VPN, while ensuring that only authorized employees have access to specific apps. This service is also free to GCP subscribers.

Data Loss Prevention and other Tools

If your company handles sensitive information, such as credit card numbers, you might also consider implementing Cloud Data Loss Prevention API. This HTTP REST API can be used inside and outside your network on devices or browsers. It actively seeks sensitive information, identifies it, and redacts it before it is written to disk, limiting the amount of data you have to secure. It can also warn customers that their data is about to be saved and determines the appropriate storage needed for the type of data. It offers pay-as-you-go pricing, so you only pay for as much as you need.

The Cloud Security Command Center, currently in Alpha, provides more options for managing security. It helps identify security threats through constant scanning and analysis of your systems and can notify your security team in real time about any threats that may arise. If your business uses App Engine apps, you can also use Cloud Security Scanner to scan for vulnerabilities in XSS, Flash injection, mixed content, and insecure JavaScript libraries automatically.

Conclusion

As you’ve seen, Google Cloud Platform security is robust and designed like a fortress for your data. Though high security often comes with a high price tag, GCP is cost-competitive, often beating their competitors. Many of the features described here are provided at no charge to GCP subscribers. Some of the paid services have a free trial period, or even a usage threshold below which the service is free. After all, the best security in the world isn’t helpful if people don’t use it.

If you’re looking for a way to become more familiar with all these products and services, Global knowledge has the answer. We offer numerous courses on Google Cloud Platform that can provide you with the skills you need to improve your business by moving your workloads to the cloud.

Additionally, you may want to consider pursuing our Google Cloud Learning Path to become either a Google Certified Professional Data Engineer or Google Certified Professional Cloud Architect.

Eve Eiler contributed to this post.

• Architecting with Google Cloud Platform: Infrastructure

• Architecting with Google Cloud Platform: Design and Process