Google to defend the cloud at RSA Conference
|To get security news and tips delivered to your inbox, click
here to sign up for our free newsletter.
Let's say I'm a potential enterprise customer. As part of
my vetting process in selecting service providers, my company conducts extensive evaluations of my
potential partner's security, including at least one site visit. Is Google amenable to this type of
scrutiny for large customers?
Cloud computing hasn't established a de facto standard or certification to allow customers to
understand the security level differences the cloud provider may have. So, in the interim we've
done a SAS 70 Type 2, where we've listed controls around confidentiality, integrity and
availability of the data on our systems. We've had an independent third party come and verify those
controls are in place and operating effectively. As opposed to letting you do a site visit, we
would share that SAS 70 that gives information from an independent third party with our customers.
A number of analysts and security practitioners say
that cloud computing can be problematic for regulatory compliance. How can I trust my data to the
cloud and still satisfy auditors?
It's incumbent on every organization to understand their specific regulatory requirements and how
those map to technical controls. We're very forthcoming with our customers on what technical
controls we have and can, or cannot, meet. But I think it's incumbent on an organization that's in
a regulatory space to understand the controls of their cloud provider, the type of data they want
to put in the cloud, and if those controls meet their regulatory requirements. In a cloud computing
environment, you speak about Google's thousands of homogeneous, purpose-built servers. With so many
companies' data residing across so many servers and my own data distributed and backed up across
many servers, and probably in different countries, how can I be assured Google employees and other
customers can't get access to my data? How do you enforce data segregation?
It starts with Google's policies. Nothing is more important to us than the security and privacy of
our users. Because of that, we put people, policies and technologies in place to ensure that. Some
of those are role-based security and privileged access. We only give access to people on a need to
know basis to those systems. And it's our policy to log administrative access and review logs as
needed. And this is verified by our SAS 70 audit.
The data on Google apps are stored on Google-owned servers in Google-managed data centers. So,
we're taking responsibility and following our guidelines rather than outsourcing that data to
somebody else. What about data encryption? Does Google encrypt data at rest? Can a customer request
to have data encrypted, or control that from his end?
Google encrypts data in transit and gives admins the option to turn on SSL. Instead of encrypting
data at rest, we've taken a different model. That starts with spreading that data, sharding that
data, spreading that data across multiple machines, so you don't have a single machine to attack
like the typical environment; obfuscating that data so it's no humanly readable, and then giving
those shared files random file names. We think this model is more secure than the encrypted server
model -- we're you know where to attack.
Most people that do encryption don't do it very well. They do the cryptography well, but the key
management is not performed well. In reality, it's [data] is not encrypted well because the key is
Your bio says that in your spare time, you enjoy
practicing magic and that you're a mentalist. Do you find either or both of those handy in your
I think there's a lot of commonality between magic, mentalism and security. If you think about it,
magicians and mentalists are looking for different ways to fool us. When you look at the left hand,
they're doing something sneaky with the right hand. The same is true with security and hackers.
Hackers are trying to find vulnerabilities in our systems, things we haven't thought about; trying
to get us to look at something over here when they're doing something over there and make use of