This is the second post in a three-part series. To read the first post, click here.
We live in a mobile-first world. What have we learned from the security mishaps in the past few years?
The traditional thinking of having walls around everything, putting everything on your secure network, well that doesn’t work anymore.
The reason people did that is because they don’t have infinite budgets, and they said, “Okay, we need to focus on security. The logical place to focus security measures on is the network.”
Google’s philosophy is a bit different.
Big surprise there.
Google’s Philosophy With Securing a Network
Google believes there’s no such thing as a secure network anymore, whether it’s run by a government or a company.
At Google, they assume everything is breached. They assume everything is broken, and that’s the only way to protect yourself.
When we start talking about secure architecture, you can’t just be good at one thing. You have to own the entire stack. And for most companies and organizations, this is far too expensive.
There’s no way you’re going to get budget to do this.
So Google, at the scale that they operate on, literally invest billions of dollars in this. Because they’re investing at this scale, they’re able to do things that other company simply can’t.
Google looks at their data centers, their network, and they secure all the information.
But where do most of the breaches occur?
Hackers haven’t breached a data center. They’ve done social networking, or they’ve installed something on your browser, or on your device. So Google has taken the steps to protect you there as well.
How Google Protects Your Users From Attacks
Firstly, Google has Chrome as a browser.
There’s a version of Chrome called Chrome for Work. You can use it, it’s free.
But Chrome for Work, what makes it different is you can apply up to 280 security policies to Chrome. And you could say, “Well, I could do that with Internet Explorer.”
But Internet Explorer just runs on Windows. Chrome, it runs on Windows, it runs on Macs, runs on Linux, runs on iPhones, runs on Android, runs on all the Chrome devices.
You can now have one set of security policies, and apply it across all your different devices, and have them all act as first-class citizens.
So where are those breaches happening?
It’s that old enemy of ours, the username and the password. And what happens? It’s that thing that you tell your users not to do. You say, “Please don’t use your password on other sites.”
What do they do? Everyone has their favorite password, they reuse it over, and over, and over again.
So at Google, what they’re trying to do is to make the password irrelevant. So we have multi-factor authentication.
The username and password is irrelevant without a code or having a phone nearby which is connecting via Bluetooth or et cetera.
This is the next step to get around that social engineering.
There’s a Chrome extension called Password Watch. It’s a Chrome extension you can require via policy for all your users.
And it takes a portion of your corporate password – a portion of it, not the whole thing. It’s hashed, it’s salted, it’s stored on the browser (not at Google). And what happens is it’s watching what your users are doing.
And if someone tries to reuse your corporate password on another website, it locks the account.
So it’s the end of the night, I’m sleepy, I go to another website. That password’s muscle memory, right? I accidentally put in my corporate password on a different site.
I’m like, oh no, now I need to reset, everything is off now. And now I need to go back and reset all my accounts.
It’s that kind of proactive security you need to use to protect yourself.
Encryption in Transit
As I talked about in Part One of the series, Google has an amazing story on encryption at rest in their data centers.
Encryption in transit at Google, they use a technology called Perfect Forward Secrecy.
It’s stronger than most military-grade VPNs.
Effectively, what this is, is that for every single user, for every single web session, they have a unique set of certificates, hardened to 2048-bit strength.
If you’re using mobile devices, it’s a mobile-first world out there. On Google’s platform, there’s Android for Work. This uses SELinux to create a secure container on the device where you can store your corporate information and manage the device.
But not everybody’s on Android.
So you can do the same thing for the iOS, for the native iOS MDM, MAM APIs.
Again, enforcing things like encryption, data management, that’s all part of our platform. But if you have another third-party solution, Google plays nice with everyone else.
It uses the bits that makes sense for your organization. If you guys have a robust authentication system for your company – Google works with governments and militaries as well – if you want to be able to have a username, a password, a token, a retinal scan, a blood sample, if that’s what you want to do, if you want to manage that, that’s something Google can integrate with all those different systems.
They have lots of customers with great examples.
How do Google’s Products Work in Light of Security?
There’s a product called Google Drive. I’m sure you’ve used it and are familiar with it.
For those who don’t know what it is: it’s a huge, unlimited hard drive in the sky for your data. The only limit is that each file size, the maximum size a file can be, is five terabytes.
So if you have one that’s bigger than that, I’m sorry, not yet. It’ll probably be coming. But you can have as many of those 4.9 terabyte files as you want.
The amazing thing about Google Drive is that it works with all the different file formats, not just Google stuff, Microsoft OpenOffice, Adobe, whatever.
Whatever you have, or just big, big, big files of data, you can upload them here, and it becomes very, very easy to share, and it’s available on different devices.
But the great thing about Drive is that it’s easy to share. And the scary thing about Drive is that it’s easy to share.
I want to be able to control what’s happening to my information. So if you’ve never seen a sharing dialogue within Google Drive, the way that it works is that every single document has strict permissions.
Now with the strict permissions, I can invite individual users within my company to have access to that. And I can have them view it. I can have them edit it. I can have them collaborate it.
And all these things are there, and I can actually put information rights management on it. This is a problem Google has been trying to solve in IT for a long time. So I want IRM. I want to be able to prevent people from copying, downloading, or printing this information.
When you combine IRM with permissions like this, you have real control of your data.
When I want to share a document with you, I send an email. It has a link. I click on the link, and if I decide later that you shouldn’t have access anymore, I remove your access.
That data has never left the cloud, and it’s not available on their device anymore. But let’s say you really want to control who you share it with. So lots of folks say, well, I want to share my information, I want to collaborate, but I want to control the collaboration.
So now Google has said you can whitelist organizations outside of your own who you’d like to collaborate with.
So it’s not just the entire world.
You can limit it to a set of other organizations. So this is having real control of your data. And again, this works within any file format.
How Google Protects You Against Hackers
Scale matters in security more than anything else. If you’re going to scale in any area, you have to scale in security. At Google, they have over 500 full-time engineers working on security all the time.
That’s more the most IT departments. And their guys (as you can imagine) are very, very good, but there are lots of smart people outside of Google.
So they collaborate with the academic research community and the security community. They’re published over 160 white papers on security.
If you don’t believe any of the claims I’m making, Google was the first company to have a bug bounty program.
So if you don’t believe that their security is so good, you’re welcome to try and hack it yourself.
Conduct your own penetration test. You don’t have to call me. If you can find something interesting, Google has money for you. It can make you famous, can give you a swag T-shirt. If you do something really impressive, maybe a job.
This is the proof that’s in the pudding. I was talking with one of the head security guys at Google and he was mentioning that six of their large customers in the last six months conducted penetration tests against Google. With no results.
A government customer for Google in Australia in the military were talking about the security of their network. Google was like, “Well, let’s run a pentest on your network and mine. I know who’s going to come up on top. And this can be part of an evaluation.”
And it’s not being cocky, but it’s saying there’s a difference between perceived security and actual security. And Google is interested in actual security.
Of course, it wouldn’t be any fun for Google just to say, “Come try and hack us” if they didn’t try and hack other people.
So they have a team called Project Zero.
And this is where they’re hacking their friends in Redmond and their friends in Cupertino. Of course they’re nice, not bad guys.
So when Project Zero finds vulnerabilities, they tell them about it. But the only catch is that they only give them 30 days to fix it.
Now for Google, 30 days is a very long time. For some of Google’s competitors, 30 days is not near enough. And if they don’t fix it, Google shames them publicly about their security vulnerabilities, and releases it to the press.
So that entices the companies to do the right thing.
And the reason that they do this is not to be mean. It’s their philosophy that if the cloud is not secure for everyone, then it’s secure for no one.
So we’re all better off working together. Now the way in which Google runs their infrastructure, it makes them very agile with security.
And when I’m talking about agility, you could think about a zero-day attack.
So if there’s a new zero-day attack, what do you have to do today? Well, it has to come out, and it has to be discovered. After it’s discovered, you’re going to go and work with your AV vendor.
You’re going to say, please give me a fix. They’re going to develop a fix. They’re going to give it to you. Then you’re going to have to distribute it. You’re going to have to install it. You’re going to have to go through all this. How many days have passed already?
But you’ve already been taken. The Chinese are in and out.
Since Google is the world’s largest email provider (with over 900,000 active accounts), they have to be ready for zero-day attacks.
With AV and vulnerability scanning, Google has multiple layers. In addition to that, there’s a company out there called VirusTotal. That’s a Google company. Their sole reason for existing is to facilitate the identification and addressing of malware and threats.
Now in that same zero-day attack scenario, there’s a new zero-day attack, it attacks a Gmail user in Mumbai. Not only can Google protect that one user in Mumbai, they then immediately protect all other 900 million accounts in real time.
This is the speed you have to move that to stay ahead in today’s world.
And Google can actually prevent incidents now before they even happen.
You guys heard about the Heartbleed SSL vulnerability? That was a big one last year. The POODLE SSL exploit? Google discovered all of those.
So before they were even announced, Google were patched and fixed for those vulnerabilities over their entire platform, network, and user base.
Google’s not always going to be the first one to find a bug. But because of the way that they run their infrastructure, when it’s fixed once, it’s fixed everywhere.
And this is the only way where you really have a chance to stay ahead.