Remote Agent Security

General:

1. All data from Google Security Operations to Publisher and to the agent is encrypted:
2. Data is signed by the agent.
3. All agents have a unique app key, and the Publisher has an allow list of agents that can communicate with it. No other agent can communicate with the Publisher.
4. All communication is one-sided. Google SecOps and Agents have no entry port so the publisher cannot initiate communication unless it was polled by either Google SecOps or an Agent.
5. All data is deleted from agent publisher after a configurable period of time (3 days by default).
6. Penetration testing has been performed on both the Publisher and the Agent.

Collecting tasks from an agent:

1. Google SecOps server publishes remote tasks and pushes it to the publisher.
2. Agent polls for new tasks and collects the new task from the publisher.
3. The new task's data is collected by the agent and pushed to the publisher.
4. Google SecOps server polls the publisher for new data and pulls the new task data to Google SecOps.

Encryption flow:

The symmetric key is generated for each job.
Google SecOps holds the private key and the Agent holds the public key. The Publisher has no key and only transforms encrypted data.

Jobs polling:
The Remote Agent performs polling every 5 seconds (to get all pending jobs).
The job details are removed after execution.