The Google cloud: security still a watchword

The Google cloud: security still a watchword
The Google cloud: security still a watchword

It's been something of a bad year for Google, which has come under fire from several quarters, most notably for its monolithic approach to harvesting of user data - if former NSA whistle blower Edward Snowden is to be believed.

As a result, there were more than few interested pairs of eyes on Dr. Peter Dickman on Tuesday this week, when he presented at the Infosecurity Europe show on the subject of `Securing and protecting user information online.'

Perhaps the biggest surprised from Dr. Dickman's presentation was the fact that Google treats each of its data centres as one giant server as far as the Googleplex - the Google cloud resource - is concerned. This is, he told his audience, an important distinction when comparing Google's cloud resources to those of the competition. The reason for this, he explained, is that Google's servers and data centres are treated as a single entity from a network perspective.

"This means we can consolidate load. We use all of our technology as a giant flexible cloud," he said. Thanks to this approach, he says, Google can put lots of services on the Google cloud resource, even to the extent of running SaaS, IaaS and PaaS environments within the same data centre. Of course, he adds, from the user's perspective, the Google cloud appears quite differently, as all they see is a Web browser window on the given resource they are using. 

"This starts to get interesting from a security perspective, as we have to be a responsible steward for the data—this is how global public clouds work. Having said this, I don't believe there are new security problems due to the use of the cloud," he said.

Dr. Dickman asked the rhetorical question whether any cloud operators or IT users would consider `starting again' with their cloud security planning, if they were offered the opportunity. Whilst Google does not have the luxury of this option, he went on to say, the IT giant's approach to security is that it can never presume that any of its users - free or paid - have actually been through a security 101 course.

"Let's take the example of a new computer user in an African village who has never used the Internet before. If we presume this, then the connection that the user has to the Web needs to be as secure as possible," he said. Even against this backdrop, Dr. Dickman points out, there is still a risk that the content the user is uploading, downloading or accessing may be malicious, so there is a clear imperative for Google to build high levels of background security into its cloud resources. There are, he adds, a billion Google users that make use of the company's shared business security browser program.

"What's interesting to note is that, because Google's IT resources are so vast, we actually gain a number of unexpected results from having a pervasive security programme for our data centres. For example, one of our data centres in the US has a local alligator that helps to defend the IT systems against attackers," he quipped. 

Dr. Dickman also addressed the staffing issue—determining if someone is attacking your system from within. This means, he told his audience, that you must design your IT infrastructure on the basis that each element of the system cannot trust the other elements.

And this even before we start to discuss the security risks inherent with operating a multi-tenant data centre.

"The reality is that you should be isolating each resource from the rest of the systems - whether or not the data centre has multiple tenants or not," he said, adding that all data on the Google IT resource is encrypted to high levels of security.

Finally, when an element reaches its end of life, the disk drives need to be shredded electronically and physically, as well as crushed, to prevent any chance of the data being retrieved by third parties at a later stage.