Recapping Google Next '17: Making Security Seamless
In a world in which not a day goes by without another massive data breach or government hacking revelation, it was noteworthy to see how much Google emphasized security at its Next ’17 cloud conference this month, making it an ever-present theme throughout its keynotes and product announcements. From the physical security of its data centers, to its custom Titan TPM chip and its army of security engineers, through to customer-facing offerings such as instant two-factor authentication, new testing tools and its new DLP API, Google made security, and specifically seamless security, a centerpiece of the conference.
Cybersecurity starts with physical security, and Google appears to have invested heavily here. In addition to the myriad surveillance cameras, motion sensors and iris scanners Google has previously touted (along with metal detectors to ensure equipment does not leave the data center floor without authorization), Google added that a single one of its data centers employs more than 175 physical security guards. This is on top of the more than 700 security engineers the company employs to secure its products and networks.
Servers in its data centers are stripped down to the essential components, both to reduce cost and power/cooling requirements and to minimize the number of potential physical attack vectors, such as rogue chipsets. In an email, Google noted that it purpose-builds its own hardware both to ensure maximal performance and to “guarantee the heritage” of its equipment, giving it full visibility into its global supply chain: where each part of each system came from and whose hands it passed through.
To root that assurance in the hardware itself, Google unveiled at Next a custom Google-designed Trusted Platform Module called Titan. While the company revealed few details about the chip’s technical specifications, it responded by email that “Titan authenticates software installed on hardware, including BIOS software. It sits between ROM and RAM and authenticates each boot-up and each new BIOS install. Titan contains a Random number generator, Crypto engine and Monotonic counter. The latter makes log tampering evident. Each Titan chip is fused with an inventory tracker number.”
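The claim that a monotonic counter "makes log tampering evident" is worth seeing in code, because a hash chain on its own does not catch every attack. The example below is an added illustration, not Google's Titan firmware and not a description of how Titan lays out its logs: a software stand-in for a hardware counter stamps each log entry with a fresh, irreversible tick and the entry digest binds that tick to the previous entry. Editing or deleting an entry breaks the chain, and, the case a plain chain misses, deleting the newest entries leaves a valid chain that is shorter than the counter says it should be. The counter class, log format and sample messages are all constructed for the demo.

```python
import hashlib
import hmac

GENESIS = b"\x00" * 32  # chain head for an empty log


class MonotonicCounter:
    """Software stand-in for a hardware monotonic counter: read or increment only, never decrement or reset."""

    def __init__(self):
        self._value = 0

    def increment(self):
        self._value += 1
        return self._value

    def read(self):
        return self._value


def entry_digest(prev_digest, counter_value, message):
    """Digest binding an entry to its predecessor and to the counter value it was written under."""
    h = hashlib.sha256()
    h.update(prev_digest)
    h.update(counter_value.to_bytes(8, "big"))
    h.update(message.encode())
    return h.digest()


class TamperEvidentLog:
    """Append-only log whose entries are hash-chained and stamped with a fresh counter value."""

    def __init__(self, counter):
        self.counter = counter
        self.entries = []  # list of (counter_value, message, digest)

    def append(self, message):
        n = self.counter.increment()  # one irreversible tick per entry
        prev = self.entries[-1][2] if self.entries else GENESIS
        digest = entry_digest(prev, n, message)
        self.entries.append((n, message, digest))
        return digest


def chain_only_ok(entries):
    """Hash-chain check alone: catches edits and deletions in the middle, not removal of the newest entries."""
    prev = GENESIS
    for n, message, digest in entries:
        if not hmac.compare_digest(digest, entry_digest(prev, n, message)):
            return False
        prev = digest
    return True


def verify(entries, counter_now):
    """Full check: chain integrity, gap-free counter sequence, and log length matching the hardware counter."""
    prev = GENESIS
    expected = 1
    for n, message, digest in entries:
        if n != expected:
            return False, "counter gap or reorder at entry %d (expected %d)" % (n, expected)
        if not hmac.compare_digest(digest, entry_digest(prev, n, message)):
            return False, "digest mismatch at entry %d" % n
        prev = digest
        expected += 1
    if expected - 1 != counter_now:
        return False, "log holds %d entries but counter reads %d: tail truncated" % (expected - 1, counter_now)
    return True, "ok"


def run_scenarios():
    """Constructed demo: an intact log and three tampering attempts; returns the verifier's verdicts."""
    counter = MonotonicCounter()
    log = TamperEvidentLog(counter)
    for msg in ("boot: BIOS image verified", "boot: kernel image verified", "admin: BIOS update staged"):
        log.append(msg)
    now = counter.read()
    results = {"intact": verify(log.entries, now)[0]}

    # Rewrite an entry in place: its stored digest no longer matches.
    edited = list(log.entries)
    n, _, digest = edited[2]
    edited[2] = (n, "admin: nothing happened", digest)
    results["edited"] = verify(edited, now)[0]

    # Drop a middle entry: the counter sequence has a gap.
    results["deleted"] = verify(log.entries[:1] + log.entries[2:], now)[0]

    # Delete the newest entry: the chain alone still verifies, but the counter says a third event happened.
    results["truncated_chain_only"] = chain_only_ok(log.entries[:2])
    results["truncated"] = verify(log.entries[:2], now)[0]
    return results
```

The point of the last scenario is the one the counter exists for: a hash chain proves the entries you are shown are consistent with each other, but only a value the attacker cannot rewind proves nothing was cut off the end.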
Of course, even the most hardened data center infrastructure can be undone by user complacency (reusing the same password across many sites), sloppiness (simplistic passwords), ignorance (blindly handing passwords over in a phishing attack) and error (typing a password in the wrong box and mistakenly posting it to Twitter). Just as it has expended immense effort physically securing its data centers, Google has also invested heavily in securing the connection between its own employees and those data centers. While even some of the biggest Silicon Valley companies still rely on VPNs to connect remote employee laptops to the corporate network and make them “trusted” nodes, Google has gone in entirely the opposite direction, treating networks as untrusted and instead authenticating users at the application level through efforts like BeyondCorp (the externalization of its own zero-trust network model). Tools like Cloud Identity-Aware Proxy make it relatively trivial for corporate administrators to build applications that trust users rather than networks.
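The difference between "trust the network" and "trust the user" is easiest to see as two access decisions side by side. The sketch below is an added example, not Google's or BeyondCorp's code: the first rule admits any request from a constructed corporate address range, the way a VPN-era perimeter does; the second ignores the source address entirely and admits a request only if it carries a verifiable identity assertion forwarded by an identity-aware proxy. The header name and issuer are Cloud IAP's documented values and the audience follows IAP's documented shape, but the project and service numbers are made up. Real IAP assertions are ES256-signed and checked against Google's published public keys; to run offline with only the standard library, this demo signs with HMAC-SHA256 and a constructed shared key, which is an assumption of the example and not how IAP signs.

```python
import base64
import hashlib
import hmac
import ipaddress
import json
import time

# --- Perimeter model: a request is trusted because of where it comes from. ---
CORP_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed "VPN / corporate LAN" range


def network_trust_decision(src_ip):
    """The VPN-era rule: on the corporate network means trusted; identity is never checked."""
    return ipaddress.ip_address(src_ip) in CORP_NET


# --- Identity model: a request is trusted because of who made it. ---
# The proxy authenticates the user and forwards a signed assertion in a request header; the
# application verifies that assertion and ignores the source network. Header name and issuer
# are Cloud IAP's; the audience uses IAP's "/projects/<number>/global/backendServices/<id>"
# shape with constructed numbers. HMAC-SHA256 with a shared key stands in for IAP's ES256
# signatures so the demo runs offline (an assumption of this example, not how IAP works).
ASSERTION_HEADER = "x-goog-iap-jwt-assertion"
ISSUER = "https://cloud.google.com/iap"
AUDIENCE = "/projects/123456789012/global/backendServices/3456789012345678901"
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _unb64(data):
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def mint_assertion(email, aud=AUDIENCE, ttl=600, now=None, key=DEMO_KEY):
    """Plays the proxy: issue a compact JWT for an authenticated user (HMAC stand-in for ES256)."""
    now = int(time.time()) if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": ISSUER, "aud": aud, "email": email,
              "sub": "accounts.google.com:" + email, "iat": now, "exp": now + ttl}
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, header + b"." + payload, hashlib.sha256).digest()
    return (header + b"." + payload + b"." + _b64(sig)).decode()


def verify_assertion(token, now=None, key=DEMO_KEY):
    """Plays the application: return the asserted email, or None if any check fails."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.encode().split(b".")
        header = json.loads(_unb64(h))
        claims = json.loads(_unb64(p))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        return None
    expected = hmac.new(key, h + b"." + p, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(s)):
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None  # a genuine token for some other app or issuer is still not ours
    if not (claims.get("iat", now + 1) <= now < claims.get("exp", 0)):
        return None
    return claims.get("email")


def identity_trust_decision(headers, now=None):
    """Zero-trust rule: the source address plays no part; only a verifiable assertion admits the request."""
    token = headers.get(ASSERTION_HEADER)
    return token is not None and verify_assertion(token, now) is not None


def run_scenarios(now=1_700_000_000):
    """Constructed requests under both models; returns each model's allow/deny decision."""
    good = mint_assertion("alice@example.com", now=now)
    return {
        "vpn_model_corp_ip": network_trust_decision("10.20.30.40"),
        "vpn_model_coffee_shop": network_trust_decision("203.0.113.7"),
        "identity_model_corp_ip_no_assertion": identity_trust_decision({}, now),
        "identity_model_coffee_shop_valid_assertion": identity_trust_decision({ASSERTION_HEADER: good}, now),
        "identity_model_expired": identity_trust_decision(
            {ASSERTION_HEADER: mint_assertion("alice@example.com", now=now - 3600)}, now),
        "identity_model_wrong_audience": identity_trust_decision(
            {ASSERTION_HEADER: mint_assertion("alice@example.com", aud="/projects/1/global/backendServices/2", now=now)}, now),
        "identity_model_forged": identity_trust_decision(
            {ASSERTION_HEADER: mint_assertion("mallory@example.com", now=now, key=b"attacker-key")}, now),
    }
```

Under the perimeter rule a laptop on the corporate range is admitted with no identity at all, and the same user from a coffee shop is refused; under the identity rule the addresses are irrelevant and only the signed, unexpired assertion for this specific audience is admitted. The audience check matters in practice: a token the proxy legitimately issued for a different backend must not open this one.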