Security in the cloud

Jacek Biernat
Oct 19, 2020

October is European Cyber Security Month, and since my team works for many clients but is located mainly in Europe, I would like to talk about security in the cloud itself. We know that the possibilities of cloud computing are unlimited and the concept of responsibility in the cloud is very broad. We can narrow it down to shared responsibility, which AWS illustrates very clearly in the picture below.

Source: https://aws.amazon.com/compliance/shared-responsibility-model/

It can be helpful in shifting the liability for selected areas to the supplier, such as AWS or GCP, for example for scaling and maintaining the environment. That’s the easy part. But when it comes to managing the resources we want to put in the cloud, we need to do it wisely and think about the security aspect.

I would like to explain what security culture is, using Google as an example. In my opinion Google does its best, and that’s why YouTube and Google have almost no downtime or failures in their operation. Google takes every aspect of security very seriously. Beyond the cloud aspect, which is obvious to technical minds, their security culture is visible in even the smallest action. The influence of this philosophy is visible, among other places, in the recruitment and hiring process, during which the candidate is verified not only in terms of competence: if local labour law or statutory provisions allow, Google can also verify the criminal record of a future employee. Another aspect is the mandatory security training for all employees, which takes place periodically. Importantly, the knowledge of security engineers and teams is updated with new threats, attack patterns, mitigation techniques, etc.


And since we are speaking about people: Google has a special team dedicated to Project Zero, which basically aims to prevent targeted attacks by reporting bugs to software providers and placing them in an external database. Then we have privacy teams, which take care of the services Google launches. They focus on the documentation and review the code to ensure that privacy requirements are met.

What’s more, Google actively participates in the life of the security research community. The Google Vulnerability Reward Program (VRP) was created especially for this purpose; it encourages researchers to report problems related to security design and implementation.

People and their skills count in creating security. But what about technology? Google Cloud operates on a specially designed and built technology platform to ensure the highest level of security. For this purpose, it uses dedicated servers, a dedicated operating system and geographically dispersed data centres (divided into regions and zones). Google, guided by the principle of “defence in depth”, has created a resilient and highly available IT infrastructure that can be managed more securely and easily than traditional technologies. Data centres are located in Regions and Zones. GCP services are available in 200+ countries around the world, in 24 Regions, 73 Zones and 144 edge locations.

https://cloud.google.com/about/locations

And this is what the network looks like:

What’s more, Google has created a network of its own optical fibres, public optical fibres and submarine cables that allow the provision of services with high availability and low latency worldwide.

Google takes proper care of its regions. Their security is based on a layered security model, which includes custom electronic access cards, alarms, vehicle access barriers, perimeter fences, metal detectors and biometric security. In addition, to be able to operate 24/7, data centres have backup and alternative power sources (including generators). There’s also a green aspect to that. Sustainability is very important; that’s why the whole secure infrastructure in the GCP centres has ISO 50001 certification, which is associated with effective energy management. And that includes energy-efficient servers and network devices that do not contain components that increase the risk of security vulnerabilities.

Then we have compliance and transparency. For the sake of security, a Transparency Report has been created, which aims to verify the transparency of actions taken by state authorities and enterprises and their impact on security and data protection as well as access to information by users. In addition to the report, there are a number of certificates, approvals and compliance reports. A special set of available solutions allows easy adjustment to laws, regulations and legal frameworks. Thanks to the transparency of the tool, you can easily check the legal provisions and requirements that a designed application must meet in terms of security in a given region.

All these factors combine into one big security culture which Google has created for both their workers and clients. This is proof that most of their tools and services work and help in our daily life. And by collaborating with the community and developing products based on best security practices, Google can offer a level of security that’s satisfactory for us all.


Jacek Biernat

Cloud Enthusiast & Engineer, AWS APN Ambassador, 2 x Professional Certified Expert of AWS (8+ years as Solution Architect), CEO&CTO at LCloud (www.lcloud.pl)