What Happens to My Data in Google? (Pt. 3 of 3)

This is the 3rd of a 3-part series on Google Cloud Security. You can read the first part here, and the second part here.

When I talk to customers, we get past the security conversation pretty quickly. 

When I explain to them how Google does things, that there is lots of independent verification and that you can test Google yourself, they buy the security very quickly.

The problem now is people worry more about what’s happening to their data. 

It quickly goes from a security conversation to, “No, no, I believe Google’s security is better than ours,” to a conversation more like, “I want to know what happens to my company’s data within Google’s hands.”  

What happens to your company data in Google?

Now, there’s a lot of misinformation about this.  

So, how does Google think about data protection? They think about it two ways. I always like to start this talk with security, because without security, you’re not going to have data protection.

The other component is privacy. If you don’t have a solid privacy policy and policy practices in place, you’re not going to have it either. 

The number one piece of misinformation is that people confuse Google’s consumer services (the ones that Google offers for free) with the services they offer to companies, businesses, schools, and nonprofits. 

They’re completely different offerings. Just to be clear, for that free Gmail account that you sign up for, yes, they’re using that data for advertising. Yes, there’s profiling. Yes, there’s scanning.  

But for all the products that they offer to businesses, schools, nonprofits, that’s not the case. In that case, you guys own the data. Google is simply considered the data processor.

Google can only use the data in the way in which you’ve instructed them. Let me go into a bit more detail here… This has three big components, like three legs in a stool, really.  

1. Transparency

What transparency means is that they’re going to tell you what they’re doing with your data. And it’s about being transparent before you’re a customer, without having to sign some sort of magical, special agreement.  

That means sharing things like their data center locations, Google’s security reports, their SOC 3 reports, their ISO reports. All of their contracts are public. That covers their data processing terms and who their subprocessors are, all of their commitments on data deletion, information on what data can be used for… this is all publicly available.

You can look it up now. It’s on the web.

And what it comes down to is what can Google use the data for?

We can use the data for absolutely nothing but what you instruct us to do.  -Google

So just to be clear, Google cannot use your data for advertising. They cannot mine your data for any purpose whatsoever, even to improve their own product; they’re simply not allowed to do so. And this is part of their business contract with companies.  

The intellectual property of the data is yours. You get the idea: Google literally has zero rights on your data. They own the rights to their service.  

So, as long as you don’t try to reverse-engineer Gmail, you’re going to be OK.

Your data is also extremely portable.

You could literally take your entire organization’s data and shift it into Google over the weekend. And you could change your mind next week, and move everything out of Google. You can do that too.

There’s no penalty. It comes out in usable file formats. It works so well, Google’s competitors have built tools around it to quickly expedite the movement of data in and out of their platform.  

2. Strong Contracts

All of Google’s contracts are written in a way that’s European-centric language. It’s not because they’re a European company. It’s just that the standards there are very, very specific when it comes to data.  

So there, you’re the data controller and the data owner. You give Google instructions, they’re the data processor. They can only do what you tell them. They have a global data privacy policy that applies to businesses, schools, and non-profits.

It’s not the one you find if you look up “Google Privacy Policy.” That one is for consumers.

This one is publicly available and they update it all the time, because they’re constantly getting feedback from data protection authorities in the US, in Europe, and in Asia. The position is that they will only strengthen their commitments, not weaken them. One of the more recent changes is that they put an SLA on data deletion. Google also made ongoing commitments to maintain compliance with their security audits and data privacy audits, which I’ll talk to you about here in a moment.

These sorts of things, this is all available, which is very useful for a business.  

So if you’re a parent, and you want to know what’s happening to your children’s data, you can just go and read it. There’s no advertising. There’s no scanning. It’s not some secret contract where each company has its own terms agreed upon.

They build on it. Google tells you what they’re going to do, they’re transparent. They legally commit.

But how do you really know what they’re doing? Google’s perspective is that you should trust them, but verify yourself.

3. Auditing

The problem in the past is that all of Google’s audits had been very, very focused on security. They start with security. Security’s strong. They have all the ones you’d expect: ISO 27001, SOC 2, SOC 3, SSAE 16, ISAE 3402.

These are all independent security audits. But again, we get past that security conversation pretty quickly and it goes into data usage. People don’t argue about security. They know what good security is.  

They argue about data usage, and how data should be protected.

Should it be transferred internationally? How does all that work?

So, what did Google do? They went and worked with their buddies over at ISO, their Swiss friends, the standard-setting organization. And they worked with them to develop a new standard.

The new standard is called ISO 27018. This is about data privacy, the processing of personally identifiable information by public clouds, which is Google.

It’s exactly what Google’s looking for.

The next thing Google did is work with their auditor to be able to audit them against this new standard. So remember their infrastructure, everything I talked about being completely customized?  

Google can’t run an audit sending a college kid in with a clipboard saying, “Oh, there’s my blade server, and what’s my patch level?” 

It doesn’t work that way.  

At Google, everything is customized. They have to embed their auditors with their engineering teams. It takes a long time. It took over a year for the auditors to be trained on Google’s platform, and then be able to conduct an audit afterwards.

But the good news here is that they’ve adopted the standard, and they’ve had this since September.

Google announced it almost a year to the date after the standard had been released. Just so you understand how important this is, let me talk a little bit about how these standards work, if you’re not familiar with them.  

ISO 27001 is a family of standards.  

The first level is around security. There are 114 security controls, which goes back to our story: you have to have security before you can have privacy. After you’ve gone through all these different controls that are in place for Google’s platform, you’ll learn that ISO 27018 is built on top of it.

You have to have security before you can have data protection, and these are looking at different things. This one is asking: is Gmail secure? Is it locked down? Are all those controls in place?

And the next one is looking at the question: what’s that data being used for? Is it guaranteed that it’s not being used by other systems? What’s out there? How is this being protected? 

This is what’s important.  

So now, for the first time, you have independent, third-party, audited verification on what’s happening to your data.

This is something that you can take to your board. This is something you can tell your users about. But what makes it interesting, when we start talking about things like data privacy, is that it doesn’t just apply to services, the way security does.

So security on Gmail, Drive, and all of those products is covered. But data is different; you can get to it in all kinds of different ways.

For Google’s privacy standard, yes, it had to cover the applications. But it had to cover every way that you could get to the data, so all the APIs, all the SDKs, or the software development kits, and tools that you might want to run on top of them.

So all these have been included as well.  

Another benefit of working with a company like Google is that they operate around the world, and different countries and regions have different standards relating to data privacy.

And for Google, they always have to take the strictest one.  

International Security Compliance

Sometimes it’s Europe, sometimes it’s Korea, and sometimes it’s the US. Knowing that they have to meet all of these strict standards, you can have peace of mind that this is something that’s important to them, and that they’re going to be on the leading edge of what’s happening with data protection around security and data privacy.

Google has a very, very large team, in DC, in Brussels, and in Singapore, working with governments and focused on working with data protection authorities, because this is an evolving thing.

In Europe, there’s a lot of change happening right now. Google is compliant with everything that’s happening there now. They work very, very closely with them. But this is something that is constantly developing and because Google has such a vested interest in all these markets, it’s in their interest to be compliant and to be a leader.

And this is something that they’re really trying to bring home to the US. So when you talk about moving to the cloud, you can think about the abilities, but does this increase the risk for what you’re doing on a day-to-day basis at your business?

We think that you should look at it as a risk assessment. We talk about having extraordinarily strong, world-class, leading-edge security. That’s great, but it’s only part of the problem.  

You have to understand how that data is being used and know what systems there are.

Having all this information available, it’s fun to share with you guys extraordinarily detailed security audit reports to back all these claims up.

You can run your own penetration testing. There are strict, bulletproof contracts about what your data can and cannot be used for, with very, very strong enforcement mechanisms behind them.

Don’t look at Google’s platform as being the same as you have on your personal accounts, or being equivalent. It’s 10 times better.

How Does Google Handle Cloud Security? (Pt. 2 of 3)

This is the second post in a three-part series on cloud security. To read the first post, click here.

We live in a mobile-first world. What have we learned from the security mishaps in the past few years?

The traditional thinking of having walls around everything, putting everything on your secure network, well that doesn’t work anymore.  

The reason people did that is because they don’t have infinite budgets, and they said, “Okay, we need to focus on security. The logical place to focus security measures on is the network.”

Google’s philosophy is a bit different. 

Big surprise there. 

Google’s Philosophy With Securing a Network

Google believes there’s no such thing as a secure network anymore, whether it’s run by a government or a company.

At Google, they assume everything is breached. They assume everything is broken. They assume these things because they believe that it is the only way to protect yourself.

When talking about secure architecture, you can’t just be good at one thing. You have to own the entire stack. And for most companies and organizations, this is far too expensive.  

There’s no way you’re going to get budget to do this.

So Google, at the scale that they operate on, literally invests billions of dollars in this. Because they’re investing at this scale, they’re able to do things that other companies simply can’t.  

Google looks at their data centers (their network) and they secure all the information.  

But where do most of the breaches occur?  

Hackers haven’t breached a data center. But, they’ve hacked social networking, or they’ve installed something on your browser or your device. So, Google has taken the steps to protect you there as well.

How Google Protects Your Users From Attacks

First things first, Google has Chrome as a browser.

There’s a version of Chrome called Chrome for Work. You can use it, it’s free.  

But, with Chrome for Work, what makes it different is the fact that you can apply up to 280 security policies to Chrome. And you might say, “Well, I could do that with Internet Explorer.”

But, Internet Explorer just runs on Windows. Chrome runs on Windows, Macs, Linux, iPhones, Android, and all the Chrome devices.

You can now have one set of security policies, apply it across all your different devices, and have them all act as first-class citizens.

So, where are those breaches happening?  

It’s that old enemy of ours, the username and the password. And what happens? It’s that thing that you tell your users not to do. You say, “Please don’t use your password on other sites.” 

What do they do? Everyone has their favorite password and they reuse it over, and over, and over again.

So, at Google, what they’re trying to do is to make the password irrelevant. In fact, we have multi-factor authentication. 

With multi-factor authentication, the username and password become irrelevant without a code or having a phone nearby that connects via Bluetooth, et cetera.

This is the next step to get around that social engineering.

There’s a Chrome extension called Password Watch. It’s a Chrome extension you can require via policy for all your users. 

It takes a portion of your corporate password – a portion of it, not the whole thing. It’s hashed, it’s salted, it’s stored on the browser (not at Google). And what happens is it watches what your users are doing.  

Then, if someone tries to reuse your corporate password on another website, it locks the account.

So, it’s the end of the night, I’m sleepy, I go to another website. That password’s muscle memory, right? I accidentally put in my corporate password on a different site.

I’m like, oh no, now I need to reset, everything is off now and I need to go back and reset all my accounts.  

It’s that kind of proactive security you need to use to protect yourself.

Encryption in Transit

As I talked about in Part One of the series, Google has an amazing story on encryption at rest in their data centers. 

For encryption in transit, Google uses a technology called Perfect Forward Secrecy.

It’s stronger than most military-grade VPNs.  

Effectively, what this is, is that for every single user, for every single web session, they have a unique set of certificates, hardened to 2048-bit strength.  

If you’re using mobile devices, it’s a mobile-first world out there. On Google’s platform, there’s Android for Work. This uses SELinux to create a secure container on the device where you can store your corporate information and manage the device.

But not everybody’s on Android.

So you can do the same thing for iOS, through the native iOS MDM and MAM APIs.

Again, enforcing things like encryption and data management, that’s all part of our platform. But, if you have another third-party solution, Google plays nice with everyone else.

You use the bits that make sense for your organization. If you guys have a robust authentication system for your company (Google works with governments and militaries as well), and you want a username, a password, a token, a retinal scan, a blood sample, and you want to manage that yourself, that’s something Google can integrate with.

They have lots of customers with great examples.  

How do Google’s Products Work in Light of Security?

There’s a product called Google Drive. I’m sure you’ve used it and are familiar with it. 

For those who don’t know what it is: it’s a huge, unlimited hard drive in the sky for your data. The only limit is that of file size; the maximum size a file can be is five terabytes.  

So, if you have one that’s bigger than that, I’m sorry, not yet.  It’ll probably be coming. But you can have as many of those 4.9 terabyte files as you want.

The amazing thing about Google Drive is that it works with all the different file formats, not just Google stuff. It works with Microsoft, OpenOffice, Adobe, whatever.

Whatever you have, or just big, big, big files of data, you can upload them here, it becomes very easy to share, and it’s available on different devices.

Now, the great thing about Drive is that it’s easy to share. But, the scary thing about Drive is also that it’s easy to share.  

I want to be able to control what’s happening to my information. So, if you’ve never seen a sharing dialogue within Google Drive, the way that it works is that every single document has strict permissions.

Now, with the strict permissions, I can invite individual users within my company to have access to that. I can have them view it. I can have them edit it. I can have them collaborate on it.

All these things are there and I can actually put information rights management on it. This is a problem Google has been trying to solve in IT for a long time. So I want IRM. I want to be able to prevent people from copying, downloading, or printing this information.  

When you combine IRM with permissions like this, you have real control of your data.

When I want to share a document with you, I send an email. It has a link. I click on the link, and if I decide later that you shouldn’t have access anymore, I remove your access.  

That data has never left the cloud, and it’s not available on their device anymore. But let’s say you really want to control who you share it with. Lots of folks say, well, I want to share my information, I want to collaborate, but I want to control the collaboration.

So, now Google has said you can whitelist organizations outside of your own who you’d like to collaborate with.

So, it’s not just the entire world.

You can limit it to a set of other organizations- this is having real control of your data. And again, this works within any file format.

How Google Protects You Against Hackers

Scale matters in security more than anything else. If you’re going to scale in any area, you have to scale in security. At Google, they have over 500 full-time engineers working on security all the time.  

That’s more than most IT departments. And their guys (as you can imagine) are very, very good, but there are lots of smart people outside of Google.

So they collaborate with the academic research community and the security community. They’ve published over 160 white papers on security.

If you don’t believe any of the claims I’m making, Google was the first company to have a bug bounty program.

Hey, if you don’t believe that their security is so good, you’re welcome to try and hack it yourself.  

Conduct your own penetration test. You don’t have to call me. If you can find something interesting, Google has money for you. It can make you famous, give you a swag T-shirt, and, if you do something really impressive, maybe even a job.

This is the proof that’s in the pudding. I was talking with one of the head security guys at Google and he was mentioning that six of their large customers in the last six months conducted penetration tests against Google… with no results. 

A government customer for Google in Australia, in the military, was talking about the security of their network. Google proposed, “Well, let’s run a pentest on your network and mine. I know who’s going to come up on top. And this can be part of an evaluation.”  

This is not being cocky, but it is saying there’s a difference between perceived security and actual security and that Google is interested in actual security.

Of course, it wouldn’t be any fun for Google just to say, “Come try and hack us” if they didn’t try and hack other people.  

So they have a team called Project Zero.  

This is where they’re hacking their friends in Redmond and their friends in Cupertino. Of course they’re nice, not bad guys.

So when Project Zero finds vulnerabilities, they tell them about it. But the only catch is that they only give them 30 days to fix it.

Now for Google, 30 days is a very long time. For some of Google’s competitors, 30 days is not nearly enough. And if they don’t fix it, Google shames them publicly about their security vulnerabilities, and releases it to the press.

So, that entices the companies to do the right thing.

Now, the reason that they do this is not to be mean. It’s their philosophy that if the cloud is not secure for everyone, then it is secure for no one.

So, we’re all better off working together. Now, the way in which Google runs their infrastructure makes them very agile with security.  

And when I’m talking about agility, you could think about a zero-day attack. 

So, if there’s a new zero-day attack, what do you have to do today? Well, it has to come out, and it has to be discovered. After it’s discovered, you’re going to go and work with your AV vendor.

You’re going to say, please give me a fix. They’re going to develop a fix. They’re going to give it to you. Then you’re going to have to distribute it. You’re going to have to install it. You’re going to have to go through all this. How many days have passed already?  

But you’ve already been taken. The Chinese are in and out.  

Since Google is the world’s largest email provider (with over 900,000 active accounts), they have to be ready for zero-day attacks.

With AV and vulnerability scanning, Google has multiple layers. In addition to that, there’s a company out there called VirusTotal. That’s a Google company. Their sole reason for existing is to facilitate the identification and addressing of malware and threats.  

Now, in that same zero-day attack scenario, there’s a new zero-day attack, it attacks a Gmail user in Mumbai. Not only can Google protect that one user in Mumbai, they then immediately protect all other accounts in real time. 

This is the speed you have to move at to stay ahead in today’s world. 

Google can actually prevent incidents before they even happen now.

You guys heard about the Heartbleed SSL vulnerability? That was a big one last year. The POODLE SSL exploit? Google discovered all of those.

So, before they were even announced, Google was patched and fixed for those vulnerabilities over their entire platform, network, and user base.  

Google’s not always going to be the first one to find a bug. But, because of the way that they run their infrastructure, when it’s fixed once, it’s fixed everywhere.

This is the only way you really have a chance to stay ahead when it comes to cloud security.

Click here to read part 3/3
