Google has published a document explaining the security of your cloud infrastructureboth for your own operations and for use by the public. The report dates from last Friday, and it describes six layers of security and reveals some interesting facts about the operations of the Great G.
Perhaps the most interesting of them all is that design their own chips, including one of “hardware security that is currently being deployed on both servers and peripherals.” These chips allow the company to securely identify and authenticate Google devices on a physical level.
Said chip works along with cryptographic signatures used in “low-level components” such as the BIOS, the bootloader, the kernel, and a base image of an operating system. Signatures can be validated during each boot or update, and the components are controlled directly by Google.
As reported, Google also hosts some third-party data centers on their servers. This may be part of a strategy by the search engine company to further publicize its physical security layers, which include “standalone biometric identification systems, cameras and metal detectors.”
‘Sgroogled.com’: When MICROSOFT Launched ANTI-GOOGLE Ads
This is how Google treats hard drives
The document also explains that the ecosystem of applications and services encrypts data before writing to disk, making it difficult for any malicious firmware to access the data. This works interchangeably on “HDDs and SSDs”, and they keep an exhaustive control of their life cycle.
When this ends, any unit goes through a multi-step cleaning process which includes two independent verifications. Those that cannot be safely deleted are physically destroyed on Google’s premises.
More information in the report describes the security process for customers, which begins with universal two-step authentication and then scans company employee devices to ensure customer operating system images are up-to-date with security patches, as well as to control which applications can be installed.
Careful code review processes
It also explains the code review process, content in manual and automated techniques, through which the Big G detects bugs in which its developers write. Those who review it manually are “led by a team that includes experts in web security, cryptography, and operating system security. Reviews can also result in new security library features.”
Google source code is kept in a central repository with old and current versions of the service, which can be audited. The infrastructure can be configured to require that the binaries of a service be compiled to be reviewed, checked and tested.
These code reviews after are inspected and approved by at least one engineer who is not the author of the code, and the system requires that modifications to the code be approved by the owners of that system. These requirements limit anyone’s ability to make malicious changes to the source code, as well as to provide a forensic trail from a service to its source.
Virtual machines within the infrastructure
The document details the use of virtual machines, specifically a custom version of the KVM hypervisor. In fact, Google claims that “the majority of bug fixes are for the Linux KVM hypervisor.” Google’s cloud services rely on the same security measures, as stated.
There is also an explanation of the identity and access management service that the company uses internally, in addition to not relying on “internal network segmentation or firewalling” as its main security mechanisms.
Via | Google
Image | Google
In Genbeta | Google security engineer says working on antivirus is a waste of time