WebProNews

Tag: sysadmin

  • Google’s Innovative Approach to Making Cloud Computing Secure

    Google recently conducted a roundtable of in-house experts discussing how Google uniquely provides a secure platform for businesses to store their data online. Google experts tell the story of how Google invented innovative technology allowing them to keep their customers’ information and data safe from digital intruders.

    “Information security has become such a hot topic,” stated Eran Feigenbaum, Director of Security for Google Apps. “With the increase in cybercrime, the trends in privacy, the changes in regulations, it’s something that businesses can’t ignore. Enterprises all over the world are concerned about security.”

    Companies around the world are rapidly moving toward cloud computing, spurred on by the success of Amazon’s AWS platform. Google has been working hard to catch up, especially with regard to large enterprise companies that require an extreme level of security.

    “The move of businesses to cloud computing has really increased,” said Feigenbaum. “Companies see the benefits of lower cost, but also the ability to innovate faster for users to collaborate. But one of the big areas of hesitation is security, right? Companies are not comfortable putting their own data into the cloud.”

    Should Companies be Concerned About Cloud Security?

    “I think we’re seeing a real sea change right now with respect to people understanding that the cloud is more secure than on any on-premise solution,” says Suzanne Frey, Director of Security, Privacy, and Trust at Google. “If you just think about it, mathematically, you’ve got all these different on-premise solutions and individual teams trying to do the right thing.”

    Frey says that Google is extremely focused on putting their best talent and expertise on making sure that the Google Cloud solution is secure. “If you take a look at our customer base, we have some of the world’s largest banks. We have some of the most stringent government customers. We’re FedRAMP certified here in the US, and the fact that we can solve for security for all of those customers is a great testimony to our capabilities,” she adds.

    She sees Google as different than other cloud providers. “In addition, we solve for something special,” said Frey. “In talking to our customers, it’s our ability to innovate and to bring new ideas to bear that help enable them to be competitive, productive, and truly novel, and focus on the things that matter to them. That’s part of our really special secret sauce.”

    Frey adds, “I often say to people, at Google, security comes in two forms, it’s both traditional cybersecurity, but it’s also security against technological stagnation.”

    Innovation Vs. Security

    Can a cloud provider be too secure at the expense of innovation? “Actually, I like the observation about being too focused on security to the exclusion of innovation,” says Adrian Ludwig, Director of Android Security, in reply to Frey’s observation. “I hadn’t seen that phrased that way. But I think one of the changes that we’ve seen in the mobile space over the last few years is companies have focused first and foremost on innovation–Android being a great example of that– but we’ve tied it to a security model that is how people actually consume applications and services.”

    “So we thought about the web and sandboxing model that was used on the web, and we incorporated that in the way we built application sandboxing,” Ludwig added. “I think a consequence of that is cloud services are becoming more and more important. Most applications that are built for Android, or that are built for mobile, regardless of your mobile platform, are really cloud-based. So I think those two are tied together, because both of them, we’re thinking about innovation first and foremost, and the security has sort of unlocked that innovation.”

    The Cloud Has Security Advantages

    “We have a complex set of systems that we’re dealing with today and they get more and more complex over time,” said Tim Willis, Technical Manager of Chrome Security. “We also have adversaries with increasing levels of sophistication. So you’ve got that on one side and on the other side, we’ve got IT managers having to defend their networks. The problem with defense is you need to defend everything incredibly well. Attackers only need to find one hole into your network.”

    Willis adds, “I think that’s where an advantage of moving to the cloud is that you have dedicated teams with robust experience. Some of the people who I work with wrote my textbooks in university and it’s one of those things that I get to work with these experts and that’s all they do. They focus on security, and that’s one of the huge benefits, in my point of view, of moving to the cloud.”

    Safety of the Data that’s Not at Google

    Do cloud providers have a responsibility for data safety when the data leaves the cloud?
    “Safe Browsing would be a good example of something that we can do at very, very large scale, where we actually believe that the right approach is make the entire internet safer,” says Stephan Somogyi, a Product Manager in Google’s Security and Privacy Engineering Team. “So we build systems that hunt around and find malware and find phishing and then we go and report this.

    “An individual consumer can benefit from this, because their web browser will let them know,” adds Somogyi. “In a cloud environment, enterprises can take advantage of this data as well and keep themselves protected. We take this approach through a number of different areas– certificate transparency being another example– where we’re taking a look at the internet as a whole and finding ways to keep it safe at scale.”

    Google Cloud Security Innovations Moving the Needle

    “For the longest time, we have been talking about sort of two-factor authentication is critically important for most organizations to implement,” said Frey. “Many customers use Google Authenticator and other apps like that to generate a one-time passcode, and those are great. They’re certainly better than nothing, right? However, a hardware-based security key is just quantum leaps ahead in terms of they’re not hackable and they really do protect our customers from phishing in a way that, basically, the one-time passwords do not.”

    “One of those (not so glamorous) things is encryption for me,” said Willis. “It may not seem incredibly innovative, but we’re working really hard to make sure that all of our traffic is encrypted at rest and at transit. One example where we’re being open with that is our HTTPS Transparency Report. Now, you can go to that site and you can see our progress towards our goal of 100% encryption in transit through all of our products.”

    “Again, another example would be working with TLS 1.3,” added Willis. “That’s the next generation of Transport Layer Security. Now, it may not sound glamorous, but we’re not only helping to implement that, we’re helping author the next version. That shows that we’re in the mix and we know what technologies are around the corner.”

    Willis explained that a practical application of that would be Progressive Web Apps. “These are low friction web applications, which are designed to help increase engagement and have an app-like experience for customers and businesses,” he said. “We’ve seen studies how that increases engagement, and it’s fantastic, it’s easy across the board.”

    “Why am I talking about it?” asks Willis. “TLS is actually a hard requirement for those apps. So it’s one of these things where not only are we innovating, we’re making sure that security is baked in from the get-go. I think that’s one huge advantage of Google.”

    “There’s a couple of elements about that that are interesting to me,” said Ludwig. “One of them is it’s not so much that the security itself is innovative, it’s about using an innovative product to make security available.”

    Ludwig says that early on with Android, they thought in terms of the platform stack. “We were like, OK, you need to have a verified boot, and you need to have encryption, and you need to have sandboxing,” he said. “Those are all sort of, I think at this point, almost commodities for an operating system. But one of the things that Google brought to bear was security services. It’s going to be a cloud-connected device and we’re going to make all of those services available, by default, on all of the devices.”

    “We started thinking about, how do you bind services into the operating system itself? We added things like SafetyNet and Verify Apps, where there are effectively hooks in the operating system where we can make sure that we’re adding security dynamically over time. And so we can innovate in security even more quickly than we can innovate in the operating system itself,” added Ludwig.

    Interestingly, Ludwig says that most people don’t even realize this about the Google Cloud. “But that’s OK, because they’re safer and they’re happier as a result of it.”

  • Google Says Its “Mission Impossible” Cloud Platform is the Most Secure

    Neal Mueller, Security and Networking lead for Google Cloud, was recently interviewed about security and other important aspects of using the Google Cloud Platform to host websites, online retailers and other data-intensive applications.

    Should I move our online applications to the cloud and is it secure?

    We get that question less and less these days. There are big advantages to moving to the cloud. You get to have all of the scale that you want immediately when you want it. You don’t pay for it when you don’t use it. And you don’t have to worry about the maintenance of the underlying machines. The advantages are so big, in fact, that we seldom get the question of, should I move to the cloud? More often, the question that we get is, how can I move to the cloud safely?

    Where does Google’s responsibility for security begin?

    It’s simple. Google’s responsibility is to control the underlying infrastructure. Your responsibility is to secure the data on top.

    Why use Google as a cloud provider?

    One of the reasons that we talk about a lot is that Google is the right cloud provider for you because we’ve got over 500 security engineers. These are 500 people that are foremost in their fields. They’ve been in peer-reviewed journals, they’re experts at security.

    Let me give you an example of just one team within the 500. It’s called Project Zero. These are forward-facing engineers whose job it is to discover 0-Days, that is, new vulnerabilities, never before seen or disclosed. They discovered Heartbleed, which affects anybody with a browser. It’s a TLS vulnerability. They discovered rowhammer, which affects anybody that has a computer with RAM and they discovered 15 of the last 21 KVM vulnerabilities, which is really important to Google because we use KVM as our chosen hypervisor technology. All of these vulnerabilities, as soon as we discover them, we immediately disclose them so that the world is a safer place thanks to the work of Project Zero.

    Can you tell us more about this?

    Let’s talk about the word provenance. It’s a word in English that means come from. It’s a fundamental tenet of how we think of secure systems. We don’t just buy hardware that’s off the shelf. We return to first principles, figure out what functionality we need from the hardware and which ones we don’t, because functionality that’s included in the hardware off the shelf might introduce vulnerabilities that we don’t want. This leads us in many cases to custom-build secure systems. So we have custom-built ASICs, custom-built servers, custom-built racks, custom-built storage arrays inside custom-built data centers. All of this leads to a much more secure data center.

    Infrastructure security, doesn’t that go beyond hardware?

    Sure. It extends to the people inside that data center, too. These are full-time, badged Googlers that have submitted to a background check and have an array of physical security to make their job easier. We’re talking about stuff that you’ve seen in “Mission Impossible”– biometrics, lasers, vehicle barriers, bollards. All of this is custom-built, also, to make the data center more secure.

    So is this unique to just Google?

    Yeah, it’s unique to Google, but not for long. Part of being Google is giving back to your community. So as part of the Open Compute Project, just last week with Facebook, we released our design for a 48-volt rack. This is a very high-density, highly efficient, highly green rack. And although Google is the only one that can build it, now that everybody has the designs, everybody can build data centers as efficient.

    What other cool stuff is Google Cloud doing?

    What’s next? So with 500 security engineers on staff, there’s a lot that’s up next. But let me tell you about just two things that spring to mind. The first one is BeyondCorp. Here, we have separated ourselves from the traditional enterprise security model. Traditional enterprise security has a hard firewall to guard the perimeter. However, we’ve seen what happens with recent breaches– what happens when an adversary gets inside that perimeter. He has relatively unfettered access to the resources inside the internet. What Google does is device authentication which allows our applications to be accessible by the internet, but be just as secure as if they were only accessible by the intranet. We believe that this makes our public cloud more secure.

    What’s the second initiative?

    On Google Cloud Platform, data at rest is encrypted by default. This is a real differentiator for us. We believe it’s good practice and good business. We’ve seen what happens when adversaries get a hold of breached PII and we think that encryption by default is a good preventative measure against that.