Google to defend the cloud at RSA Conference

Cloud computing is changing the way we do business; the scalability, flexibility and cost savings are seductive, even irresistible. But, as with every "next big thing" in technology, security is a potential stumbling point. The distributed computing that makes the cloud model possible makes it difficult, perhaps impossible for customers to implement and enforce the kind of controls they would normally exercise with service providers. Moreover, regulatory compliance can become an issue, as the very nature of cloud computing can be impede traditional controls and audit inspection. Google is one of the leaders in the young cloud computing market, and is trying to make a strong case for its security program. In this interview, Eran Feigenbaum, director of security for Google Apps, describes the security strengths and some of the limitations of cloud computing, and how Google works to ensure data security and privacy. Here are some excerpts. Feigenbaum will participate in a panel at the 2009 RSA Conference, "Cloud computing – secure enough for primetime today?"

SearchSecurity.com:
To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

 Let's say I'm a potential enterprise customer. As part of my vetting process in selecting service providers, my company conducts extensive evaluations of my potential partner's security, including at least one site visit. Is Google amenable to this type of scrutiny for large customers?
Cloud computing hasn't established a de facto standard or certification to allow customers to understand the security level differences the cloud provider may have. So, in the interim we've done a SAS 70 Type 2, where we've listed controls around confidentiality, integrity and availability of the data on our systems. We've had an independent third party come and verify those controls are in place and operating effectively. As opposed to letting you do a site visit, we would share that SAS 70 that gives information from an independent third party with our customers.

SearchSecurity radio:

A number of analysts and security practitioners say that cloud computing can be problematic for regulatory compliance. How can I trust my data to the cloud and still satisfy auditors?
It's incumbent on every organization to understand their specific regulatory requirements and how those map to technical controls. We're very forthcoming with our customers on what technical controls we have and can, or cannot, meet. But I think it's incumbent on an organization that's in a regulatory space to understand the controls of their cloud provider, the type of data they want to put in the cloud, and if those controls meet their regulatory requirements. In a cloud computing environment, you speak about Google's thousands of homogeneous, purpose-built servers. With so many companies' data residing across so many servers and my own data distributed and backed up across many servers, and probably in different countries, how can I be assured Google employees and other customers can't get access to my data? How do you enforce data segregation?
It starts with Google's policies. Nothing is more important to us than the security and privacy of our users. Because of that, we put people, policies and technologies in place to ensure that. Some of those are role-based security and privileged access. We only give access to people on a need to know basis to those systems. And it's our policy to log administrative access and review logs as needed. And this is verified by our SAS 70 audit.

The data on Google apps are stored on Google-owned servers in Google-managed data centers. So, we're taking responsibility and following our guidelines rather than outsourcing that data to somebody else. What about data encryption? Does Google encrypt data at rest? Can a customer request to have data encrypted, or control that from his end?
Google encrypts data in transit and gives admins the option to turn on SSL. Instead of encrypting data at rest, we've taken a different model. That starts with spreading that data, sharding that data, spreading that data across multiple machines, so you don't have a single machine to attack like the typical environment; obfuscating that data so it's no humanly readable, and then giving those shared files random file names. We think this model is more secure than the encrypted server model -- we're you know where to attack.

Most people that do encryption don't do it very well. They do the cryptography well, but the key management is not performed well. In reality, it's [data] is not encrypted well because the key is readily available.

RSA Conference 2009

For all the latest news, podcasts and more direct from the show floor in San Francisco, visit our RSA Conference 2009 special news coverage page.

 Your bio says that in your spare time, you enjoy practicing magic and that you're a mentalist. Do you find either or both of those handy in your work?
I think there's a lot of commonality between magic, mentalism and security. If you think about it, magicians and mentalists are looking for different ways to fool us. When you look at the left hand, they're doing something sneaky with the right hand. The same is true with security and hackers. Hackers are trying to find vulnerabilities in our systems, things we haven't thought about; trying to get us to look at something over here when they're doing something over there and make use of that vulnerability.

Dig deeper on Cloud Data Storage, Encryption and Data Protection Best Practices

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchSecurity

SearchCloudComputing

SearchAWS

SearchCloudApplications

SearchServerVirtualization

SearchVMware

ComputerWeekly

Close