How Google protect your data?

Security

Confiability and Reliability

Access Control

Privacy

Security

Confiability and Reliability

Access Control

Privacy

Contains trade secrets and other confidential/proprietary information - Do not copy, share or distribute

Transparency is a priority

we put you in controland we keep you compliant

Malicious people have become

increasingly sophisticated and

effective.

Users are not make it easy...+ Large expectations

+ Relative easy to be deceived

+ Can cause damage from the inside

Article Link

For the past 15 years, Google has been buildingout the fastest, most powerful, highest quality cloud infrastructure onthe planet.

➔ Chipset➔ OS ➔ Applications

Proprietary Network Layer

Jupiter Superblocks & Pluto Switches

40 Terabits per second

Google backboneWe lay our own cables across the ocean

Confidential & Proprietary

Edge points of presence (>100)

Google global cache edge nodes (>800)

Better global infrastructure More edge & peering points than any public cloud

Confidential & Proprietary

Frankfurt

BelgiumLondon

São Paulo

FinlandNetherlands

Hong Kong

3

Sydney3

Singapore

Sydney

Mumbai

Tokyo

TaiwanS CarolinaN Virginia

Oregon Iowa

Montreal

California

3

34

33

3

3

Better global infrastructure Select from 20 Regions, 61 Zones

3

2

3 33

3

3

2

3

Edge points of presence (>100)

New regions and number of zones

Current region and number of zones

Google global cache edge nodes (>800)

Confidential & Proprietary

3

Tannat (BR, UY, AR) in construction

FASTER (US, JP, TW) 2016

Monet (US, BR) in construction for 2017

Junior (Rio, Santos) in construction

PLCN Unity (HK, LA) in construction for 2018

Frankfurt

BelgiumLondon

São Paulo

FinlandNetherlands

Hong Kong

3

Sydney3

Singapore

Sydney

Mumbai

Tokyo

TaiwanS CarolinaN Virginia

Oregon Iowa

Montreal

California

3

34

33

3

3

3

2

3 33

3

3

2

3

Edge points of presence (>100)

Future region and number of zones

Current region and number of zones

Google global cache edge nodes (>800)

Google leased/owned fiber

Better global infrastructure More than 100,000s miles of fiber optic cable

Demo

Security

Confiability and Reliability

Access Control

Privacy

Data Encrypted at Rest & Transit

Data Center

Data Center

Data Replication for High Availability

Data Center

Data Center

Data obfuscation for Security

Data Encryption for High Security

Encryption by default

Connections to Google Cloud

require TLS

Data is chunked and each

chunk is encrypted with its

own data encryption key

Data encryption keys

(DEKs) are wrapped using

a key encryption key (KEK)

Encrypted chunks and wrapped

encryption keys are distributed across

Google’s storage infrastructure.

PLACE IMAGE HERE

High availability comes from software

Data chunks encrypted with

unique keys

Encrypted chunks distributed across Google’s storage

infrastructure

Data is ‘chunked’ for encryption and storage

KMS is a central point of control for all data access

Google’s root KMS

New encryption WhitepaperEncryption Whitepaper: Must read

Protecting beyond just GoogleProject zero

Faster development, deployment, response

Agility

Adapting fast gives more

security

● we prevent more incidents

● we can respond faster

● we test our own systems

● we learn and iterate

Security

Confiability and Reliability

Access Control

Privacy

Are you secure ? Are you sure ?

Reduced “vendor in the middle” risk

Purpose-built

chips

Purpose-built

servers

Purpose-built

storage

Purpose-built

network

Purpose-built

data centers

Safee ArchitectureNo more Updates

Yesterday: Walls, walls and walls

On prem

Identity

ERP

SERVER

CRM

SERVER

EmployeeVPN

And... not just employees

On prem

Unintended access for contractor

Identity

ERP

SERVER

CRM

SERVER

Employee

Contractor

VPN

Change: Infra leaves the

building

On prem

IdentityEmployee

Contractor

VPN

ERP

VM

CRM

VM

Change: Identity leaves the

building

Employee

Contractor

ERP

VM

CRM

VM Identity

What are the risks?

Employee

Contractor

ERP

VM

CRM

VM IdentityIs this device

safe?Is it the

real person?

Is the network path secure?

Is this person allowed to see

this application?

Is my application safe?

Solutions

Employee

Contractor

ERP

VM

CRM

VM IdentityDevice

managementPhishing

resistant authN

Well configured TLS

Proxy for access control, TLS termination

App Security Scans

What we do

Employee

Contractor

Google Cloud Load Balancer

Google MDM

Pro

xy

ERP

VM

CRM

VM Identity

Cloud Security Scanner

Security Key Enforcement

Identity-Aware Proxyor

BeyondCorp

IAM Service

Who can do what on which resource

Identity-Aware Proxy

● Control access by user identity

● Simpler and safer than VPN

● Building block for “BeyondCorp”

Security Key Enforcement

● Enforce security keys as 2nd factor

● Protect from #1 threat, phishing

● Building block for “BeyondCorp”

Mobile Application

Network

Servers

Chips

Recap: Secure ArchitectureNo more patching anywhere in the stack

Security

Confiability and Reliability

Access Control

Privacy

Security PrivacyData

Protection

Photo credit: @ogwrnsk

Businesses have different needs than consumers

PortabilityScope IP

Contracts

Photo credit: Alan Davey

You are the data controller

We are a data processor

Third-party audits and certification

ISO 27001 ISO 27017 ISO 27018 HIPAA 21 CFR Part 11

ISAE 3402 Type II AICPA SOC 3AICPA SOC 1 SSAE 16 Type IIAICPA SOC 2

FedRAMP ATOFor G Suite and App Engine

MTCS Level 3STAR CertificationPCI DSS v3.2

Confidential & Proprietary

Thank you