Remote Agent Security
General:
- All data from Google Security Operations to Publisher and to the agent is encrypted:
  - Data is signed by the agent.
- All agents have a unique app key, and the Publisher has an allow list of agents that can communicate with it. No other agent can communicate with the Publisher.
- All communication is one-sided. Google Security Operations and Agents have no entry port, so the Publisher cannot initiate communication; it only responds when polled by either Google Security Operations or an Agent.
- All data is deleted from the agent publisher after a configurable period of time (3 days by default).
- Penetration testing has been performed on both the Publisher and the Agent.
Collecting tasks from an agent:
- Google Security Operations server publishes remote tasks and pushes them to the publisher.
- Agent polls for new tasks and collects the new task from the publisher.
- The new task's data is collected by the agent and pushed to the publisher.
- Google Security Operations server polls the publisher for new data and pulls the new task data to Google Security Operations.
Encryption flow:
A symmetric key is generated for each job. Google Security Operations holds the private key and the Agent holds the public key. The Publisher has no key and only transforms encrypted data.
Jobs polling:
The Remote Agent performs polling every 5 seconds (to get all pending jobs). The job details are removed after execution.
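
The relay behaviour described on this page (allow list of app keys, poll-only communication, retention-based deletion, job details removed after execution), modelled in memory as an added example; it is not Google Security Operations code. The class and method names, the one-time hand-out of pending tasks and the per-job ownership check are assumptions, and the blobs stand for data that is already encrypted.

```python
RETENTION_SECONDS = 3 * 24 * 3600  # 3 days by default per the page; configurable


class Publisher:
    """Passive relay (hypothetical model): stores opaque blobs, only answers polls."""

    def __init__(self, allowed_app_keys, retention=RETENTION_SECONDS):
        self.allowed = set(allowed_app_keys)
        self.retention = retention
        self.tasks = {}    # job_id -> [stored_at, app_key, blob, delivered]
        self.results = {}  # job_id -> (stored_at, blob)

    def _require_listed(self, app_key):
        if app_key not in self.allowed:
            raise PermissionError("app key is not on the allow list")

    def _purge(self, now):
        # Drop everything older than the retention period.
        cutoff = now - self.retention
        self.tasks = {j: t for j, t in self.tasks.items() if t[0] > cutoff}
        self.results = {j: r for j, r in self.results.items() if r[0] > cutoff}

    def push_task(self, job_id, app_key, blob, now):
        """Server side: queue an encrypted task for one agent."""
        self.tasks[job_id] = [now, app_key, blob, False]

    def poll_tasks(self, app_key, now):
        """Agent side: return this agent's pending tasks, each handed out once."""
        self._require_listed(app_key)
        self._purge(now)
        pending = []
        for job_id, task in self.tasks.items():
            if task[1] == app_key and not task[3]:
                task[3] = True
                pending.append((job_id, task[2]))
        return pending

    def push_result(self, job_id, app_key, blob, now):
        """Agent side, after execution: store the result, remove job details."""
        self._require_listed(app_key)
        task = self.tasks.get(job_id)
        if task is None or task[1] != app_key:
            raise PermissionError("job was not issued to this agent")
        del self.tasks[job_id]
        self.results[job_id] = (now, blob)

    def poll_results(self, now):
        """Server side: drain collected results."""
        self._purge(now)
        drained, self.results = self.results, {}
        return {j: r[1] for j, r in drained.items()}
```

The Publisher object has no method that contacts the server or an agent; every state change happens inside a call made by one of them, which is the property the one-sided communication rule relies on.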