Google Security System - Google Lifted The Veil of Secrecy Over It's InfrastructureUsually companies prefer to keep secret features of its security infrastructure that is there to protect data centers, Polga that disclosing such information could give an attacker an advantage. However, Google representatives are looking at this issue differently. For two reasons. Firstly, the publication of these reports allows potential users to Google Cloud Platform (GCP) to evaluate the safety of services. In the Second, Google experts are confident in their security systems.
The first layer of protection - is a physical security systems that simply do not allow outsiders to get into data centers. This part of the report is similar to an excerpt from the script of the film "Mission Impossible": "We use multiple layers of physical security to protect our data centers. We use technologies such as biometric identification system, metal detectors, cameras, barriers, spanning the passage of vehicles, as well as laser intrusion detection system".
Interesting Fact About : Cradle of The CloudsThe next level of protection - iron. According Docs, Google absolutely does not allow the use of obsolete equipment in their data centers. Moreover, the company uses custom hardware from manufacturers that are pre-tested and validated thorough audit. Google also create their own means of hardware security: "We also create custom chips, including chips, which are hardware security tools that are currently used by our servers and peripheral equipment. These chips allow us to identify and authenticate legitimate devices on Google hardware. "
The third level of protection - cryptography, authentication and authorization systems that provide protection for communications between various Google services (no matter in one data center, they are located or not, all traffic is encrypted, both internal and external). "Google Server machines use various technologies to make sure that they are working with the correct software stack. We use cryptographic signatures for such low-level components such as the BIOS, bootloader, kernel and OS base image. These signatures are validated during each download or update. All components are designed and fully controlled by Google".
Google also pays special attention to protecting the drives and the system is designed to maximize complicate the "life" of potential malicious firmware, and not allow it to access the data. "We use our hardware encryption for hard drives and SSD, and closely monitor each drive lifecycle. Before the encrypted storage device will be charged and physically get out of our supervision, it will take a multi-step purification process that includes two independent reviews. Not past this device cleaning procedure is physically destroyed (shredded), it happens locally. "
In addition, the document describes the security measures that Google uses to protect its source code and find bugs in them. So, code review are divided into checks carried out manually or automatically. Manual code checks "team in which there are experts in the areas of web security, cryptography and security of operating systems." Often, the result of such assays are born fazzery new security library and for subsequent use in other products.
With regard to the source code, to protect them too fit with great responsibility, "Google Source codes are stored in a central repository, where you can conduct an audit of both current and past versions of the services. In addition, the infrastructure can be configured to request a service from a specific binaries, trusted and tested source. Such verification code must be reviewed and approved at least one other engineer, in addition to the code author. Furthermore, the system requires that any modification of code systems have been approved by the owner of the system. These requirements limit the ability of the insider or the offender, not allowing to make harmful changes to the source code, and create a forensic trail that can be traced from the service to its source. "
The document can be found a lot of interesting. For example, it was found that the virtual machines in the cloud Google work with the version of Custom hypervisor KVM. Google Developers even boasted and said that Google employees found most CVE and bugs in the Linux KVM hypervisor.