Google has released a paper explaining the security of its cloud infrastructure, both for its own operations and for public use. The report, out Friday, describes six layers of security and reveals some interesting facts about the operations of the Big G.
Perhaps the most interesting of them all is that the company designs its own chips, including a hardware security chip "currently being deployed on both servers and peripherals." These chips allow the company to securely identify and authenticate Google devices at the hardware level.
The chip works in conjunction with cryptographic signatures used in “low-level components” such as BIOS, bootloader, kernel, and a base image of an operating system. The signatures can be validated during each boot or upgrade, and the components are controlled by Google directly.
According to the report, Google also hosts some of its servers in third-party data centers. This may be part of the search company's strategy to give more publicity to its layers of physical security, including "independent biometric identification systems, cameras and metal detectors."
This is how Google treats hard drives
The document also explains that the ecosystem of applications and services encrypts data before writing it to disk, making it difficult for any malicious firmware to access the data. This applies equally to "HDDs and SSDs", and the company carries out comprehensive lifecycle control of the drives.
At the end of that lifecycle, each drive goes through a multi-step cleanup process that includes two independent checks. Those that cannot be securely erased are physically destroyed on Google's premises.
More information contained in the report describes the security process for clients, which begins with universal two-step authentication and then scans the employees' corporate devices to ensure that the client operating system images are up to date with security patches, as well as to control the applications that can be installed.
Careful Code Review Processes
It also explains the code review process, which combines manual and automated techniques, through which the Big G detects bugs in the code its developers write. Those who review it manually are "managed by a team that includes experts in web security, cryptography, and operating system security. Reviews can also result in new security library features."
Google source code is stored in a central repository with both old and current versions of the service, which can be audited. The infrastructure can be configured to require the binaries of a service to be compiled for review and testing.
These code revisions are then inspected and approved by at least one engineer who is not the author of the code, and the system requires that code modifications be approved by the owners of that system. These requirements limit the ability of any one person to make malicious changes to the source code, and also provide a forensic trail from a service back to its source.
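The two approval rules described above can be expressed as a submit gate. The sketch below is an added example, not code from Google or from the report; the ownership map, the account names and the choice to let an owner's authorship count as owner sign-off are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed ownership map (path prefix -> owners); all names are hypothetical.
OWNERS = {
    "auth/": frozenset({"dana", "eli"}),
    "auth/tokens/": frozenset({"eli"}),
    "storage/": frozenset({"farah"}),
}

@dataclass(frozen=True)
class Change:
    author: str
    paths: tuple          # files the change modifies
    approvals: frozenset  # accounts that approved the change

def owners_for(path, owners=OWNERS):
    """Owners of the most specific prefix covering path, or an empty set."""
    matches = [prefix for prefix in owners if path.startswith(prefix)]
    return owners[max(matches, key=len)] if matches else frozenset()

def review_gate(change, owners=OWNERS):
    """Return the list of policy violations; an empty list means submittable."""
    problems = []
    # Rule 1: at least one approver who is not the author (self-approval ignored).
    independent = change.approvals - {change.author}
    if not independent:
        problems.append("no approval from an engineer other than the author")
    # Rule 2: every touched path needs sign-off from one of its owners.
    # Assumption: an owner who authored the change satisfies rule 2 for their
    # own paths, but never rule 1.
    signed_off = independent | {change.author}
    for path in change.paths:
        path_owners = owners_for(path, owners)
        if not path_owners:
            problems.append(f"{path}: no owner on record")  # fail closed
        elif not path_owners & signed_off:
            problems.append(f"{path}: missing owner approval")
    return problems

if __name__ == "__main__":
    # Constructed sample: an owner approving their own change is still blocked.
    print(review_gate(Change("dana", ("auth/login.py",), frozenset({"dana"}))))
```

Returning every violation instead of stopping at the first gives the audit log a complete reason for each blocked change.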
Virtual machines within the infrastructure
The document details the use of virtual machines, specifically a customized version of the KVM hypervisor. In fact, Google claims that "most code postings for bug fixes are for the Linux KVM hypervisor." Google cloud services rely on the same security measures, according to the document.
There is also an explanation of the identity and access management service that the company uses internally, and of the fact that it does not rely on "internal network segmentation or firewalling" as its main security mechanisms.