Diane Greene, senior vice president of cloud services at Google Inc., speaks at Cloud Next ’17 in front of an image of the company’s data centers. (David Paul Morris/Bloomberg)
In a world in which not a day goes by without another massive data breach or government hacking revelation, it was noteworthy to see how much Google emphasized security at its Next ’17 cloud conference this month, making it an ever-present theme throughout its keynotes and product announcements. From the physical security of its data centers to its custom Titan TPM chip and its army of security engineers, on through its customer-facing solutions like instant two-factor authentication, new testing tools and its new DLP API, Google made security, specifically seamless security, a centerpiece of its conference.
Cybersecurity starts with physical security and Google appears to have made heavy investments here. In addition to the myriad surveillance cameras, motion sensors and iris scanners Google has previously touted (along with metal detectors to ensure equipment does not leave the data center floor without authorization), Google added that a single one of its data centers employs more than 175 physical security guards. This is on top of the more than 700 security engineers employed by the company to secure its products and networks.
Servers in its data centers are stripped to the bare number of essential parts, both to reduce cost and power/cooling requirements, but also to minimize the number of potential physical attack vectors, such as rogue chipsets. In an email, Google noted that it purpose-builds its own hardware systems both to ensure maximal performance and to “guarantee the heritage” of its equipment, offering it full visibility into its global supply chain and where each piece of each of its systems came from and the hands it passed through.
To add even greater physical security to its systems, Google unveiled at Next a custom Google-designed Trusted Platform Module called Titan. While the company revealed few details about the chip’s technical specifications, it responded by email that “Titan authenticates software installed on hardware, including BIOS software. It sits between ROM and RAM and authenticates each boot-up and each new BIOS install. Titan contains a Random number generator, Crypto engine and Monotonic counter. The latter makes log tampering evident. Each Titan chip is fused with an inventory tracker number.”
Of course, even the most hardened data center infrastructure can be undone by user complacence (using the same password across many sites), sloppiness (simplistic passwords), ignorance (blindly handing passwords over in a phishing attack) and error (typing a password in the wrong box and mistakenly posting it to Twitter). Just as it has expended immense effort physically securing its data centers, Google has also invested heavily in securing the connection between its own employees and those data centers. While even some of the biggest Silicon Valley companies still rely on VPNs to connect remote employee laptops to the corporate network and make them “trusted” nodes, Google has gone entirely the opposite direction, treating networks as untrusted and focusing instead on authenticating users at the application level through efforts like BeyondCorp (the externalization of its own zero trust network model). Tools like Cloud Identity-Aware Proxy make it relatively trivial for corporate administrators to build applications that trust users rather than networks.
In a glimpse of where it sees enterprise security heading, Google offered that someday soon such applications will increasingly become context-aware and capable of learning their users’ patterns of life. Instead of the classic fortress defense in which a blind VPN connection converts an unknown remote laptop into a trusted node on the corporate network with a local IP address and full access to roam at will across the company’s entire network, access will be granted only to the individual services needed, and systems will autonomously monitor their users and look for out-of-the-ordinary behavior, flagging and even terminating user access before harm is done. A budget administrator in Seattle who works 9-5 weekdays in her office processing reconciliation spreadsheets and who suddenly logs in on a Saturday from an internet café in Beijing and attempts to download circuit board designs from the engineering file server should trigger an instant account freeze, not a postmortem warning to the security team that the company’s crown jewels left the building over the weekend. While a number of advanced behavioral security tools exist today, Google appears to be working on integrating such capability more seamlessly into the development workflow for its cloud platform, essentially making such advanced security the default enterprise norm, rather than a newsworthy exception.
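The per-service, context-aware access decision sketched above can be made concrete in a few lines. The following is an added illustration, not Google's code or any BeyondCorp or Identity-Aware Proxy implementation: it assumes a per-user baseline (usual countries, working hours, weekdays and the specific services the user has been granted) and scores each request against it, denying access to ungranted services outright and escalating to an account freeze when several anomalies coincide, as in the article's Seattle/Beijing scenario. All names, thresholds and sample data are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class UserBaseline:
    """Hypothetical learned profile for one user (constructed for this example)."""
    user: str
    usual_countries: set          # ISO country codes seen in normal use
    usual_hours: tuple            # (start_hour, end_hour) in the user's local time
    usual_weekdays: set           # 0 = Monday ... 6 = Sunday
    allowed_services: set         # per-service grants instead of network-wide trust


@dataclass
class AccessRequest:
    """One authenticated request arriving at the application-level proxy."""
    user: str
    service: str
    country: str
    when: datetime                # assumed already converted to the user's local time


def evaluate(baseline: UserBaseline, req: AccessRequest):
    """Return (decision, reasons). Decisions: allow, allow_and_flag, step_up, deny, freeze."""
    reasons = []
    ungranted = req.service not in baseline.allowed_services
    if ungranted:
        reasons.append(f"service {req.service!r} is not granted to {req.user}")
    if req.country not in baseline.usual_countries:
        reasons.append(f"login from unusual country {req.country}")
    if req.when.weekday() not in baseline.usual_weekdays:
        reasons.append("access outside usual weekdays")
    start, end = baseline.usual_hours
    if not (start <= req.when.hour < end):
        reasons.append("access outside usual hours")

    # Policy (an assumption of this example): a request for an ungranted service is
    # always denied; when it also coincides with two or more behavioural anomalies
    # the account is frozen pending review. Granted services with anomalies get
    # step-up authentication or are allowed but flagged for the security team.
    if ungranted:
        decision = "freeze" if len(reasons) >= 3 else "deny"
    elif len(reasons) >= 2:
        decision = "step_up"
    elif reasons:
        decision = "allow_and_flag"
    else:
        decision = "allow"
    return decision, reasons


# Constructed baseline mirroring the article's budget administrator.
BUDGET_ADMIN = UserBaseline(
    user="budget-admin",
    usual_countries={"US"},
    usual_hours=(9, 17),
    usual_weekdays={0, 1, 2, 3, 4},
    allowed_services={"finance-reconciliation"},
)

# Constructed requests: a normal Tuesday workday and the Saturday-night anomaly.
NORMAL_REQUEST = AccessRequest("budget-admin", "finance-reconciliation", "US",
                               datetime(2017, 3, 14, 10, 30))
ANOMALOUS_REQUEST = AccessRequest("budget-admin", "engineering-fileserver", "CN",
                                  datetime(2017, 3, 18, 22, 5))


def demo():
    """Evaluate both constructed requests; returns the two decisions."""
    normal, _ = evaluate(BUDGET_ADMIN, NORMAL_REQUEST)
    anomalous, why = evaluate(BUDGET_ADMIN, ANOMALOUS_REQUEST)
    for line in why:
        print(" -", line)
    return normal, anomalous


if __name__ == "__main__":
    print(demo())
```

The important design choice is that the service grant is checked first and independently of the anomaly score: a user who has never been granted the engineering file server is refused even on a quiet Tuesday from the office, which is the "access only to the individual services needed" half of the model; the behavioural signals only decide how loudly the system reacts.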
Building on this, countless Data Loss Prevention (DLP) offerings exist, but Google has focused on making DLP a completely seamless extension of its existing G Suite interface. A company can set filters to prevent, for example, social security numbers from being sent by email, scanning both inbound and outbound traffic and both message bodies and attachments.
Making DLP seamless and automatic is critical to ensuring it is widely used. At one university I worked at, an academic administrator accidentally emailed a spreadsheet containing sensitive PII to a central public mailing list that instantly distributed it to a large group of unauthorized people. Due to its primitive email system the university could not even recall the message – the best it could do was send a follow-up email alerting everyone that the previous attachment contained sensitive information and asking if they would be good enough to delete it (though this itself did even more damage as everyone went back to look at the email generating all the fuss). As a reaction to this incident and several other episodes, the institution dispatched IT personnel to fan out across portions of campus and run a software program on each university computer that scanned the local hard drive for any sensitive information, which the user would then be asked either to delete or to justify retaining locally. It was a laudable idea, but the software was nothing more than a set of basic pattern matches that generated such a high false positive rate (flagging almost any 16-digit number as a credit card number) that it was quickly abandoned. It also operated solely on text, meaning it could not peer inside the reams of scanned social security cards, birth certificates, passports and other sensitive documents lurking on secretarial desktops.
Google’s DLP offering appeared far more robust in demonstrations at Next, integrating best practices such as actually verifying that a given 16-digit number is a valid credit card sequence, rather than blindly flagging any 16-digit number. Moreover, it appeared fully integrated with G Suite, with one demonstration showing a well-meaning user attempting to email a credit card number to another before being automatically blocked.
To expand this beyond productivity software, Google has opened up its DLP system as a cloud API called, appropriately, Data Loss Prevention API that accepts both text and imagery and supports everything from email addresses to driver’s license numbers to taxpayer reference IDs to passport numbers. One demo at Next showed a hypothetical customer chat application in which a customer attached a scan of their social security card. By integrating the DLP API into the chat application, at the end of the session the system automatically redacted all of the sensitive PII, including OCR’ing the scanned social security card, recognizing that it contained the user’s social and replacing the image with a redacted version that blacked out the sensitive number. The final version of the chat session that was sent for records archival contained this fully redacted version with all sensitive information removed, all with just a single API call. While DLP is far from a new technology, Google’s transparent support for image OCR and redaction and its seamless integration with other Google technologies like G Suite makes it nearly impossible for regulated companies not to finally adopt DLP.
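The difference between the university's "any 16-digit number" matcher and a validator that actually checks the card number, together with the text-level redaction the DLP API demo performed, can be shown with a small scanner. This is an added example, not Google's DLP API or any of the software described above; it implements the Luhn mod-10 check that payment card numbers satisfy (the standard way to reject most look-alike numbers) and a simple pattern-based detector for U.S. social security numbers and email addresses, then redacts what it finds. The sample text is constructed, using a well-known Luhn-valid test card number and a 16-digit tracking number that fails the check. Image OCR, which the article credits the API with, is out of scope here.

```python
import re

# Constructed sample text (not from the article). 4111111111111111 is a widely used
# Luhn-valid test card number; 1234567812345678 is a 16-digit look-alike that fails Luhn.
SAMPLE_TEXT = (
    "Order 4111111111111111 shipped; tracking 1234567812345678. "
    "SSN on file: 123-45-6789. Contact alice@example.com."
)

# Any run of exactly 16 digits: this is the high-false-positive approach on its own.
SIXTEEN_DIGITS_RE = re.compile(r"(?<!\d)\d{16}(?!\d)")
# Formatted U.S. SSN (pattern only; no issuance-range validation in this example).
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
# Conservative email pattern that stops before a trailing sentence period.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right, sum, test % 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_naive_cards(text: str) -> list:
    """The university-style matcher: every 16-digit run is a 'credit card'."""
    return SIXTEEN_DIGITS_RE.findall(text)


def find_validated_cards(text: str) -> list:
    """Only 16-digit runs that pass Luhn are reported as card numbers."""
    return [m for m in SIXTEEN_DIGITS_RE.findall(text) if luhn_valid(m)]


def scan(text: str) -> dict:
    """Summarise detected PII by type (the record a DLP service would log)."""
    return {
        "credit_card": find_validated_cards(text),
        "ssn": SSN_RE.findall(text),
        "email": EMAIL_RE.findall(text),
    }


def redact(text: str) -> str:
    """Replace validated card numbers (keeping last four), SSNs and emails with labels."""
    def card_sub(match):
        number = match.group(0)
        return f"[CARD ****{number[-4:]}]" if luhn_valid(number) else number

    text = SIXTEEN_DIGITS_RE.sub(card_sub, text)
    text = SSN_RE.sub("[SSN]", text)
    text = EMAIL_RE.sub("[EMAIL]", text)
    return text


if __name__ == "__main__":
    print("naive:    ", find_naive_cards(SAMPLE_TEXT))
    print("validated:", find_validated_cards(SAMPLE_TEXT))
    print("findings: ", scan(SAMPLE_TEXT))
    print("redacted: ", redact(SAMPLE_TEXT))
```

On the sample text the naive matcher reports both 16-digit runs while the validated one reports only the real card-format number, which is exactly the false-positive reduction the article credits Google's DLP with; the redacted output keeps the non-card tracking number intact so that a records archive is not needlessly mangled. Luhn is a checksum, not proof that a number is a live card, so a production detector would also check issuer prefixes and length per card brand and the surrounding context.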
On the other end of the spectrum, Google offers its Vault system, which supports regulatory archival, legal holds, ediscovery, audit reports and so on. Again, archival and ediscovery software is old hat, but by integrating it seamlessly into its cloud offerings and making it a fully managed offering, Google lowers the bar to the point that companies no longer have an argument for not adopting it.
For companies that want to move beyond the limited protection of passwords, Google offers seamless 2-factor authentication across its product line, including G Suite. It is amazing to see just how few organizations are using 2-factor authentication in 2017 and how, even in those companies that have adopted it, many have found ways to make it so cumbersome and so intolerable that employees frequently adopt workflows that defeat many of its protections. Instead, Google has made 2-factor nearly seamless for both administrators and users and offers a range of options from text messages to hardware USB keys. A company that wants to deploy 2-factor authentication across its entire employee base to secure email, file servers, apps, developer access, etc., essentially flips a switch to instantly deploy secure login across the entire enterprise, with all of the intricate management handled by Google.
For developers, Google previewed more seamless integration of its open source “Firing Range” tool. While Firing Range has been available for several years as an open source offering, Google demoed one-click access from within a user’s cloud console, allowing developers to build an app and simply click a single button to run it through a security triage. Google has world class security tools, including some of the best “fuzzing” tools in the business, and, while the company did not make any announcements about further releases, it would seem at the least that if its current trajectory holds we can likely expect it to make more of its security testing tools seamlessly available to developers. In fact, this is something I have talked with cloud vendors about over the years: making basic security scanning a simple one-click affair so that even non-security-conscious developers are at least encouraged to patch the most common vulnerabilities that plague web applications.
Putting this all together, Google made seamless security a central theme of Next this year, emphasizing both the immense investments it has made to physically secure its own data centers, but also, in following its trend of externalization, releasing more and more of its own security innovations to the outside world in the form of services and APIs. From its custom-designed Titan TPM and closed supply chains to its instant 2-factor authentication and IAP and DLP APIs, Google seems to be moving aggressively both to tout its impressive security posture and to help enterprises improve their own. Few companies can afford to maintain a staff of 700 security engineers or control their entire supply chain or fundamentally rearchitect how security is done and thus Google is making the proposition that by moving a company’s data center into the cloud, you’re not just gaining the benefit of the cloud, you’re gaining the benefit of Google-class security for your company. Of course, as any company knows, when security intrudes on user experience, users find a way to circumvent even the best security systems. Thus, it was noteworthy that the unifying thread bringing together all of Google’s security announcements and discussions at Next was the company’s focus on making all of this security truly seamless. At the end of the day if we can move security from a regulatory afterthought to a seamless built-in experience that users don’t even realize is there until it steps in to protect them, then perhaps we can finally turn the tide against at least the most common cyber vulnerabilities and increase the cost of cyberattacks to the point where they become the exception rather than the daily (or even hourly) norm.