Security

Qwiklabs-Courses
13 Dec 2022 05:41

Summary

TLDR: Google prioritizes security across its services, with nine boasting over a billion users. Their security infrastructure is layered, starting with custom-designed hardware and secure boot processes in data centers with stringent physical access controls. They encrypt inter-service communication and enhance user identity verification. Storage services apply encryption at rest, while internet-facing services use Google Front End for secure TLS connections and DoS protection. Operational security includes intrusion detection, insider risk reduction, mandatory U2F for employees, and strict software development practices, including a Vulnerability Rewards Program.

Takeaways

  • 🔐 Google prioritizes security with nine of its services having over one billion users, ensuring robust security measures are in place.
  • 🏢 The security infrastructure at Google is layered, starting from physical data center security to operational security processes.
  • 🛠️ Google designs custom hardware including server boards, networking equipment, and a hardware security chip for enhanced security.
  • 🔑 A secure boot stack is used on Google servers, incorporating cryptographic signatures for the BIOS, bootloader, kernel, and OS image.
  • 🏛️ Google's data centers are designed with multiple physical security layers, and access is highly restricted to a select few employees.
  • 🔒 Service deployment layer features encryption of inter-service communication, ensuring privacy and integrity across Google's infrastructure.
  • 👤 Google's identity service goes beyond basic authentication, challenging users based on risk factors and supporting U2F for secondary authentication.
  • 💾 Storage services layer includes encryption at rest, with centrally managed keys and hardware encryption support for drives and SSDs.
  • 🌐 Internet communication layer involves Google Front End service for secure TLS connections and protection against Denial of Service attacks.
  • 🛡️ Google's Operational security layer includes intrusion detection, insider risk reduction, mandatory U2F for employees, and stringent software development practices.
  • 💰 Google offers a Vulnerability Rewards Program, incentivizing the discovery and disclosure of security bugs in their infrastructure.

Q & A

  • What is the significance of security in Google’s infrastructure?

    -Security is a top priority for Google, especially given that nine of its services have over a billion users each. This focus on security is reflected in every aspect of its infrastructure, from the physical data centers to the software and hardware design.

  • How does Google ensure the physical security of its data centers?

    -Google designs and builds its own data centers, incorporating multiple layers of physical security protections. Access to these data centers is highly restricted to a small number of employees, and even in third-party data centers, Google implements additional physical security measures.

  • What role do custom-designed hardware and chips play in Google’s security strategy?

    -Google custom-designs its server boards, networking equipment, and hardware security chips. These custom components enhance security by ensuring that hardware is optimized for Google’s specific needs and is less vulnerable to external threats.

  • What is the purpose of Google’s secure boot stack?

    -The secure boot stack ensures that Google’s server machines are booting the correct software stack by using technologies like cryptographic signatures over the BIOS, bootloader, kernel, and base operating system image.

  • How does Google secure inter-service communication within its infrastructure?

    -Google secures inter-service communication by providing cryptographic privacy and integrity for remote procedure call (RPC) data on the network. All infrastructure RPC traffic that goes between data centers is automatically encrypted, and Google is deploying hardware cryptographic accelerators to extend this encryption to all infrastructure RPC traffic inside its data centers.

  • What features does Google’s central identity service provide to enhance user security?

    -Google’s central identity service goes beyond simple username and password authentication by challenging users based on risk factors like device and location. It also supports secondary authentication factors, including devices based on the Universal 2nd Factor (U2F) standard.

  • How does Google implement encryption at rest for its storage services?

    -Google applies encryption at rest using centrally managed keys at the storage services layer. Additionally, Google enables hardware encryption support in hard drives and SSDs to further secure stored data.

  • What is the Google Front End (GFE), and how does it contribute to internet communication security?

    -The Google Front End (GFE) is an infrastructure service that ensures all TLS connections are terminated using a public-private key pair and an X.509 certificate from a Certificate Authority (CA). It also applies protections against Denial of Service (DoS) attacks, contributing to the security of Google services available on the internet.

  • How does Google detect and respond to potential security incidents?

    -Google uses rules and machine intelligence for intrusion detection, providing operational security teams with warnings of possible incidents. Additionally, Google conducts Red Team exercises to improve the effectiveness of its detection and response mechanisms.

  • What measures does Google take to reduce insider risk within its infrastructure?

    -Google limits and actively monitors the activities of employees with administrative access. It also requires the use of U2F-compatible Security Keys for employee accounts to guard against phishing attacks.

Outlines

00:00

🔐 Google's Multi-Layered Security Infrastructure

Google prioritizes security across its services, with nine of them boasting over a billion users each. The security infrastructure is layered, starting with the physical security of data centers, which are custom-designed and built by Google, ensuring only a select few employees have access. Google also uses custom hardware, including a hardware security chip, and implements a secure boot stack with cryptographic signatures to prevent unauthorized software execution. The Service deployment layer focuses on encrypting inter-service communication, with Google's infrastructure automatically encrypting all infrastructure RPC traffic between data centers. The User identity layer enhances security with intelligent challenges and secondary factors like U2F. Storage services are secured with encryption at rest, and internet communication is safeguarded with Google Front End's TLS connections and DoS protection. The Operational security layer includes intrusion detection, insider risk reduction, mandatory U2F for employees, and stringent software development practices, such as central source control and a Vulnerability Rewards Program.

05:02

🛠️ Robust Software Development Practices at Google

Google enforces rigorous software development practices to bolster security. Central source control is mandatory, and all new code undergoes a two-party review process to ensure quality and safety. Developers have access to libraries designed to prevent common security vulnerabilities. Additionally, Google operates a Vulnerability Rewards Program, where it offers compensation for discovering and reporting bugs in its infrastructure or applications. These practices contribute to the robust security posture of Google's services and infrastructure.

Keywords

💡Security Infrastructure

Security infrastructure refers to the comprehensive framework of policies, procedures, and technologies that an organization like Google implements to protect its data, systems, and networks from unauthorized access, breaches, and cyber threats. In the context of the video, Google's security infrastructure is described as having progressive layers, starting from the physical security of data centers to operational security processes. This infrastructure is designed to ensure the safety of customer data and maintain the integrity of Google's services.

💡Hardware Security

Hardware security pertains to the measures taken to protect the physical components of a system, such as servers and networking equipment, from tampering and unauthorized access. Google's approach to hardware security includes custom-designed server boards and networking equipment, as well as the use of custom chips like a hardware security chip. These measures are crucial for preventing unauthorized access to the hardware that underlies Google's services.

💡Secure Boot Stack

A secure boot stack is a sequence of boot processes that are verified through cryptographic signatures to ensure that the system boots with the correct and untampered software. Google uses this technology to ensure the integrity of the software stack, including the BIOS, bootloader, kernel, and base operating system image. This is a critical component of Google's security infrastructure, as it prevents the execution of malicious code during the boot process.

💡Premises Security

Premises security involves the physical security measures taken to protect a facility, such as data centers, from unauthorized access and potential threats. Google designs and builds its own data centers with multiple layers of physical security, limiting access to a select few employees. This ensures that the physical location where data is stored and processed is well-protected against intrusions.

💡Service Deployment

Service deployment in the context of Google's infrastructure refers to the process of deploying and managing services across their network. A key feature of this layer is the encryption of inter-service communication, ensuring that data transmitted between Google's services is protected both within and outside of Google's data centers. This is crucial for maintaining the privacy and integrity of data as it moves across the infrastructure.

💡User Identity

User identity in the video script relates to the methods and processes Google uses to authenticate users and protect their accounts. Google's central identity service goes beyond simple username and password authentication, employing risk-based challenges and supporting secondary factors like Universal 2nd Factor (U2F) for enhanced security. This layer is essential for verifying the identity of users and protecting their access to Google's services.

💡Encryption at Rest

Encryption at rest is the process of encrypting data when it is stored on a physical or digital medium. Google applies encryption using centrally managed keys at the storage services layer, ensuring that data at rest is protected from unauthorized access. This is an important aspect of data security, as it safeguards data even when it is not actively being used or transmitted.

💡Google Front End (GFE)

The Google Front End (GFE) is an infrastructure service that manages the connections for Google services available on the internet. It ensures that all TLS connections are secured using public-private key pairs and X.509 certificates from a Certificate Authority (CA), following best practices for security. The GFE also provides protection against Denial of Service (DoS) attacks, which is critical for maintaining the availability and integrity of Google's online services.

💡Denial of Service (DoS) Protection

Denial of Service (DoS) protection refers to the measures taken to prevent and mitigate attacks that aim to disrupt the normal functioning of a service by overwhelming it with traffic. Google's infrastructure is designed to absorb many DoS attacks due to its scale, and it also employs multi-tier, multi-layer protections to reduce the risk of any service disruption. This is a key aspect of operational security, ensuring the continuous availability of Google's services.

💡Operational Security

Operational security encompasses the practices and procedures that are in place to protect an organization's operations from internal and external threats. Google's operational security layer includes features like intrusion detection, reducing insider risk, employee use of U2F-compatible Security Keys, and stringent software development practices. These measures are designed to protect Google's infrastructure and services from a wide range of security threats and vulnerabilities.

💡Vulnerability Rewards Program

The Vulnerability Rewards Program is an initiative by Google to encourage external researchers and security experts to discover and report security vulnerabilities in their infrastructure or applications. By offering financial rewards, Google incentivizes the security community to help improve the overall security posture of their services. This program is a part of Google's broader approach to operational security, demonstrating their commitment to proactively identifying and addressing potential security issues.

Highlights

Nine of Google’s services have more than one billion users each, emphasizing the importance of security.

Google Cloud and Google services run on infrastructure with a pervasive design for security.

Security infrastructure at Google is explained in progressive layers, starting from physical security.

Google custom-designs server boards, networking equipment, and hardware security chips for data centers.

Google uses secure boot stack technologies, including cryptographic signatures over BIOS, bootloader, kernel, and OS image.

Premises security includes Google-designed data centers with multiple layers of physical security protections.

Access to Google data centers is limited to a very small number of employees, ensuring tight control.

Google ensures Google-controlled physical security measures in third-party data centers.

Encryption of inter-service communication is a key feature in the Service deployment layer.

Google’s infrastructure automatically encrypts all RPC traffic between data centers.

Google login page goes beyond username and password, challenging users based on risk factors.

Users can employ secondary factors like U2F for signing in, enhancing security.

Encryption at rest is applied in storage services with centrally managed keys and hardware encryption support.

Google Front End ensures all TLS connections use public-private key pairs and X.509 certificates from a Certificate Authority (CA).

Google’s infrastructure can absorb many DoS attacks due to its scale and has multi-tier DoS protections.

Operational security includes intrusion detection with rules and machine intelligence.

Google limits and actively monitors the activities of employees with administrative access.

Employee accounts require use of U2F-compatible Security Keys to guard against phishing attacks.

Google enforces stringent software development practices, including central source control and two-party review of new code.

Google runs a Vulnerability Rewards Program, paying for the discovery and reporting of bugs in infrastructure or applications.

Transcripts

00:00 Nine of Google’s services have more than one billion users each, and so you can be
00:04 assured that security is always on the minds of Google's employees.
00:08 Design for security is prevalent throughout the infrastructure that Google Cloud and Google
00:13 services run on.
00:15 Let's talk about a few ways Google works to keep customers' data safe.
00:20 The security infrastructure can be explained in progressive layers, starting from the physical
00:25 security of our data centers, continuing on to how the hardware and software that underlie
00:29 the infrastructure are secured, and finally, describing the technical constraints and processes
00:35 in place to support operational security.
00:39 We begin with the Hardware infrastructure layer which comprises three key security features:
00:46 The first is hardware design and provenance.
00:49 Both the server boards and the networking equipment in Google data centers are custom-designed
00:54 by Google.
00:56 Google also designs custom chips, including a hardware security chip that's currently
01:01 being deployed on both servers and peripherals.
01:05 The next feature is a secure boot stack.
01:09 Google server machines use a variety of technologies to ensure that they are booting the correct
01:14 software stack, such as cryptographic signatures over the BIOS, bootloader, kernel, and base
01:19 operating system image.
01:23 This layer's final feature is premises security.
01:27 Google designs and builds its own data centers, which incorporate multiple layers of physical
01:31 security protections.
01:34 Access to these data centers is limited to only a very small number of Google employees.
01:40 Google additionally hosts some servers in third-party data centers, where we ensure
01:44 that there are Google-controlled physical security measures on top of the security layers
01:47 provided by the data center operator.
01:51 Next is the Service deployment layer, where the key feature is encryption of inter-service
01:55 communication.
01:57 Google’s infrastructure provides cryptographic privacy and integrity for remote procedure
02:01 call (“RPC”) data on the network.
02:05 Google’s services communicate with each other using RPC calls.
02:08 The infrastructure automatically encrypts all infrastructure RPC traffic that goes between
02:14 data centers.
02:17 Google has started to deploy hardware cryptographic accelerators that will allow it to extend
02:21 this default encryption to all infrastructure RPC traffic inside Google data centers.
02:28 Then we have the User identity layer.
02:31 Google’s central identity service, which usually manifests to end users as the Google
02:36 login page, goes beyond asking for a simple username and password.
02:41 The service also intelligently challenges users for additional information based on
02:45 risk factors such as whether they have logged in from the same device or a similar location
02:49 in the past.
02:51 Users can also employ secondary factors when signing in, including devices based on the
02:56 Universal 2nd Factor (U2F) open standard.
03:01 On the Storage services layer we find the encryption at rest security feature.
03:07 Most applications at Google access physical storage (in other words, “file storage”)
03:11 indirectly via storage services, and encryption using centrally managed keys is applied at
03:17 the layer of these storage services.
03:20 Google also enables hardware encryption support in hard drives and SSDs.
03:25 The next layer up is the Internet communication layer, and this comprises two key security
03:31 features.
03:33 Google services that are being made available on the internet, register themselves with
03:37 an infrastructure service called the Google Front End, which ensures that all TLS connections
03:42 are ended using a public-private key pair and an X.509 certificate from a Certified
03:47 Authority (CA), as well as following best practices such as supporting perfect forward
03:53 secrecy.
03:54 The GFE additionally applies protections against Denial of Service attacks.
04:00 Also provided is Denial of Service (“DoS”) protection.
04:04 The sheer scale of its infrastructure enables Google to simply absorb many DoS attacks.
04:09 Google also has multi-tier, multi-layer DoS protections that further reduce the risk of
04:14 any DoS impact on a service running behind a GFE.
04:20 The final layer is Google's Operational security layer which provides four key features.
04:27 First is intrusion detection.
04:29 Rules and machine intelligence give Google’s operational security teams warnings of possible
04:34 incidents.
04:36 Google conducts Red Team exercises to measure and improve the effectiveness of its detection
04:40 and response mechanisms.
04:44 Next is reducing insider risk.
04:46 Google aggressively limits and actively monitors the activities of employees who have been
04:50 granted administrative access to the infrastructure.
04:54 Then there’s employee U2F use.
04:57 To guard against phishing attacks against Google employees, employee accounts require
05:02 use of U2F-compatible Security Keys.
05:05 Finally, there are stringent software development practices.
05:10 Google employs central source control and requires two-party review of new code.
05:16 Google also provides its developers libraries that prevent them from introducing certain
05:19 classes of security bugs.
05:22 Additionally, Google runs a Vulnerability Rewards Program where we pay anyone who is
05:26 able to discover and inform us of bugs in our infrastructure or applications.
05:31 You can learn more about Google’s technical-infrastructure security at cloud.google.com/security/security-design.
