At the center of the Google security model is our Information Security Team consisting of top experts in information, application, and network security. This team is tasked with maintaining the company’s defense systems, developing security review processes, building security infrastructure and implementing Google’s security policies. Their notable achievements include: discovering the Heartbleed vulnerability, starting a reward program for reporting software security issues, and implementing an “SSL by default” policy at Google.
Google data centers feature a layered security model, including safeguards like custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors, and biometrics. The data center floor features laser beam intrusion detection.
Our data centers are monitored 24/7 by high-resolution interior and exterior cameras that can detect and track intruders. Access logs, activity records, and camera footage are reviewed in case an incident occurs. Data centers are also routinely patrolled by experienced security guards who have undergone rigorous background checks and training. Fewer than one percent of Googlers will ever set foot in one of our data centers.
At Google, we run tens of thousands of identical, custom-built servers. We’ve built everything from hardware and networking to the custom Linux software stack with security in mind. Homogeneity, combined with ownership of the entire stack, greatly reduces our security footprint and allows us to react to threats faster.
The only way to protect the boot process of a server is to secure it with an entity that can be trusted to always behave in an expected manner. Google has purpose-built a security chip called Titan to provide this root of trust. Titan enables the verification of the system firmware and software components, and establishes a strong, hardware-rooted system identity.
Google has controls and practices to protect the security of customer information. The layers of the Google application and storage stack require that requests coming from other components are authenticated and authorized. Access by production application administrative engineers to production environments is also controlled. A centralized group and role management system is used to define and control engineers’ access to production services, using a security protocol that authenticates engineers through the use of short-lived personal public key certificates; issuance of personal certificates is in turn guarded by two-factor authentication.
When retired from Google’s systems, hard disks containing customer information are subjected to a data destruction process before leaving Google’s premises. First, disks are logically wiped by authorized individuals using a process approved by the Google Security Team. Then, another authorized individual performs a second inspection to confirm that the disk has been successfully wiped. These erase results are logged by the drive’s serial number for tracking. Finally, the erased drive is released to inventory for reuse and redeployment. If the drive cannot be erased due to hardware failure, it is securely stored until it can be physically destroyed. Each facility is audited on a weekly basis to monitor compliance with the disk erase policy.
All products at Google, including Cloud Platform, are built with security as a core design and development requirement. Furthermore, Google’s site reliability engineering teams oversee operations of the platform systems to ensure high availability, and prevent abuse of platform resources. Product specific security features are described in each product’s documentation, but all subscribe to certain platform-wide capabilities.
Secured Service APIs and Authenticated Access
All services are managed through a secured global API gateway infrastructure. This API-serving infrastructure is only accessible over encrypted SSL/TLS channels, and every request must include a time-limited authentication token generated via human login or private key-based secrets through the authentication system described above.
All access to Google Cloud Platform resources is regulated through the same robust authenticated infrastructure that powers other Google services. This means that you can use existing Google accounts, or set up a regulated Google managed domain. Features available when you are managing users include password policy, enforced 2-factor authentication, and new innovation for authentication enforcement in the form of hardware security keys.
Cloud Platform services always encrypt customer content that is stored at rest, with a few minor exceptions. Encryption is automatic, and no customer action is required. One or more encryption mechanisms are used. For example, any new data stored in persistent disks is encrypted under the 256-bit Advanced Encryption Standard (AES-256), and each encryption key is itself encrypted with a regularly rotated set of master keys. The same encryption and key management policies, cryptographic libraries, and root of trust used for your data in Google Cloud Platform are used by many of Google’s production services, including Gmail and Google’s own corporate data.
Because it’s linked to most ISPs in the world, Google’s global network helps to improve the security of data in transit by limiting hops across the public Internet. Cloud Interconnect and managed VPN allow you to create encrypted channels between your private IP environment on premises and Google’s network. This allows you to keep instances completely disconnected from the public internet while still reachable from your own private infrastructure.
Google intrusion detection involves tightly controlling the size and make-up of Google’s attack surface through preventative measures, employing intelligent detection controls at data entry points, and employing technologies that automatically remedy certain dangerous situations.
Cloud Security Scanner helps App Engine developers identify the most common vulnerabilities, specifically cross-site scripting (XSS) and mixed content, in their web applications.
Compliance and Certifications
Cloud Platform and Google infrastructure is certified for a growing number of compliance standards and controls, and undergoes several independent third party audits to test for data safety, privacy, and security. Read more about the specific certifications on our compliance page.
Keeping Your Cloud Platform Projects Secure
Google is committed to doing its part in keeping your projects secure, but security is a shared responsibility. We’ve provided capabilities you can use to keep your project secure.
Operating System and Application Patches
Google Compute Engine and Google Container Engine are powered by virtual machines (VM). If you use these technologies in your projects, it is your responsibility to keep the VM operating system and applications up to date with the latest security patches. Google maintains security and patching of the host OS environments.
User and Credential Management
Google Cloud Platform enables you to set user permissions at the project level. Provide team members with least privileged access.
Network Firewall Rule Maintenance
By default, all incoming traffic from outside a network is blocked and no packet is allowed into a VM instance without explicit firewall rules. To allow incoming network traffic, you need to set up firewalls to permit these connections. This approach to network permissions allows you to specify the origin and type of traffic permitted to reach your compute instances.
If you plan to evaluate the security of your Cloud Platform infrastructure with penetration testing, you are not required to contact us to begin testing. You will have to abide by the Cloud Platform Acceptable Use Policy and the Terms of Service and ensure that your tests only affect your projects (and not other customers’ applications). If a vulnerability is found, please report it via the Vulnerability Reward Program.
Sensitive Data Management
Data has different degrees of sensitivity. Cloud Platform provides the fundamental
capabilities needed to build secure applications; however, it is your responsibility
to enforce the appropriate movement and access to this data at the level of your
application. This includes preventing your end users from sharing critical
information outside of your corporate network / public cloud infrastructure (i.e.,
data loss prevention) and ensuring you keep data that could identify a specific
individual safe (i.e., personally identifiable information). See
Data Loss Prevention for more details.
Logging and Monitoring
Cloud Platform provides tools, such as Google Cloud Logging and Google Cloud Monitoring, that make it easy to collect and analyze request logs and monitor the availability of your infrastructure services (e.g., VM instances). These tools also make it easy for you to create custom dashboards and set alerts when issues occur.