Cloud computing is the basis for the digital transformation of many companies that appreciate the possibility of shifting responsibility for selected areas to the supplier, e.g. issues with scaling and maintaining the environment. However, easy access to resources requires careful security management. Experience and a specialized approach to the process of designing services based on security principles strengthen Google’s position among the leaders of cloud providers. This approach is particularly evident in creating their own commercial services (Gmail etc.) as well as in building enterprise solutions based on GCP and GSuite, using infrastructure on a global scale. In this way, it provides a well-secured structure for its operational activities, data centres, customer data, organizational structure, recruitment processes and user support.
Google Security Culture
Google takes care of every aspect of security. Therefore, it has implemented patterns that translate into the work culture. The influence of this philosophy is visible, among others in the recruitment and hiring process, during which the candidate is verified not only in terms of competence but also if local labour law or statutory provisions allow, Google can verify the criminal record of a future employee. Another aspect is the mandatory security training for all employees that take place periodically. Importantly, the knowledge of security engineers and teams is updated with new threats, attack patterns, mitigation techniques, etc.
Speaking of teams – Google has set up specialized, separate departments for security, privacy, internal audit and compliance.
The security team is involved in monitoring suspicious network activities, conducting routine security assessments, and engaging external experts for regular security assessments. It is worth mentioning Project Zero (a team of researchers appointed by Google), which aims to prevent targeted attacks by reporting bugs to software providers and placing them in an external database.
The privacy team takes care of the services Google launches. It focuses on project documentation and code reviews to ensure that privacy requirements are met. Therefore, all services comply with the strictest legal requirements.
The internal audit and compliance team reviews Google’s compliance with laws and regulations around the world. When new auditing standards are created, the team determines what controls, processes and systems are needed to meet them.
In addition, Google actively participates in the life of the security research community. Google Vulnerability Reward (VRP) was created especially for this purpose, which encourages researchers to report problems related to security design and implementation.
Creating attack-resistant and secure solutions is an integral part of Google’s operations. The scope of operational activities includes such activities as:
- vulnerability management
- actions to prevent malware attacks
- actions to prevent malware attacks
- incident management
Armed with technology
Google Cloud operates on a specially designed and built technology platform to ensure the highest level of security. For this purpose, dedicated servers, a dedicated operating system and geographically dispersed data centres (divided into regions and zones). Google, guided by the principle of “defense in depth”, has created a resistant and highly available IT infrastructure that can be managed more securely and easily than traditional technologies.
Let’s return to data centres located in Regions and Zones. GCP services are available in over 200+ countries around the world, in 24 Regions, 73 Zones and 144 coastal locations.
The most modern data centres are located in the regions. Their security is based on a layered security model, which includes custom electronic access cards, alarms, vehicle access barriers, perimeter fences, metal detectors and biometric security. In addition, to be able to operate 24/7, data centres have backup and alternative power sources (including generators). Google also works in accordance with the principles of sustainable development and care for the environment when designing and building its own facilities. Providing secure infrastructure, GCP centres have ISO 50001 certification, which is associated with effective energy management. It is noteworthy that Google designs and manufactures equipment itself, including energy-efficient servers and network devices that do not contain components that increase the risk of security vulnerabilities. In addition, a hardware audit is carried out, during which the old equipment is replaced with a new version, and the old elements are destroyed and subject to internal recycling according to the established procedure. What’s more, Google has created a network of its own optical fibres, public optical fibres and submarine cables that allow the provision of services with high availability and low latency worldwide. Which confirms the availability of Gmail at ~99,984%.
Transparency, compliance and access to data
For the sake of security, a Transparency Report has been created, which aims to verify the transparency of actions taken by state authorities and enterprises and their impact on security and data protection as well as access to information by users. In addition to the report, there are a number of certificates, approvals and compliance reports. A special set of available solutions allows easy adjustment to laws, regulations and legal frameworks. Thanks to the transparency of the tool, you can easily check the legal provisions and requirements that a designed application must meet in terms of security in a given region. The data of both users and clients are isolated, despite the fact that they are stored on one server. In addition, access to data is available to a selected group of employees who have a number of procedures and special access rules based on their duties and adapted to their professional role and function.
In summary, data protection is the most important aspect when designing infrastructure based on GCP. By collaborating with the community and developing products based on best security practices, Google can offer a level of security that’s satisfactory. Thanks to properly developed procedures and contracts – it is certain that the data stored in the Google cloud is secure, control over them as well as their management and processing are maintained.
If you plan to move to Google Cloud Platform, take advantage of the latest solutions and increase the level of security of your infrastructure – write an email to firstname.lastname@example.org and we will prepare a tailored offer to your needs!