How does Google protect your data?
Security
Confidentiality and Reliability
Access Control
Privacy
Contains trade secrets and other confidential/proprietary information - Do not copy, share or distribute
Transparency is a priority
We put you in control and we keep you compliant
Malicious people have become increasingly sophisticated and effective.
Users do not make it easy...
+ Large expectations
+ Relatively easy to deceive
+ Can cause damage from the inside
For the past 15 years, Google has been building out the fastest, most powerful, highest quality cloud infrastructure on the planet.
➔ Chipset ➔ OS ➔ Applications
Proprietary Network Layer
Jupiter Superblocks & Pluto Switches
40 Terabits per second
Google backbone
We lay our own cables across the ocean
Confidential & Proprietary
Better global infrastructure: More edge & peering points than any public cloud
Edge points of presence (>100)
Google global cache edge nodes (>800)
Better global infrastructure: Select from 20 Regions, 61 Zones
[Map: current and new regions with number of zones per region. Regions shown: Frankfurt, Belgium, London, São Paulo, Finland, Netherlands, Hong Kong, Sydney, Singapore, Mumbai, Tokyo, Taiwan, S Carolina, N Virginia, Oregon, Iowa, Montreal, California. Also marked: edge points of presence (>100) and Google global cache edge nodes (>800).]
Tannat (BR, UY, AR) in construction
FASTER (US, JP, TW) 2016
Monet (US, BR) in construction for 2017
Junior (Rio, Santos) in construction
PLCN Unity (HK, LA) in construction for 2018
Better global infrastructure: More than 100,000s of miles of fiber optic cable
[Map: current and future regions with number of zones, edge points of presence (>100), Google global cache edge nodes (>800), and Google leased/owned fiber.]
Demo
Data Encrypted at Rest & Transit
● Data Replication for High Availability
● Data obfuscation for Security
● Data Encryption for High Security
[Diagram labels: Data Center (x4)]
Encryption by default
● Connections to Google Cloud require TLS
● Data is chunked and each chunk is encrypted with its own data encryption key
● Data encryption keys (DEKs) are wrapped using a key encryption key (KEK)
● Encrypted chunks and wrapped encryption keys are distributed across Google’s storage infrastructure.
High availability comes from software
Data chunks encrypted with unique keys
Encrypted chunks distributed across Google’s storage infrastructure
Data is ‘chunked’ for encryption and storage
KMS is a central point of control for all data access
Google’s root KMS
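Added example (not from the original slides or from Google): a Ruby sketch of the chunk / DEK / KEK scheme described above. It assumes AES-256-GCM for both chunk encryption and DEK wrapping and an in-memory KEK standing in for a KMS-held key; all function names are hypothetical.

```ruby
require "openssl"

NONCE_LEN = 12 # AES-GCM nonce size in bytes
TAG_LEN = 16   # AES-GCM authentication tag size in bytes

# Encrypt msg under a 32-byte key; returns nonce || tag || ciphertext.
def seal(key, msg)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  nonce = cipher.random_iv # fresh random nonce for every call
  cipher.auth_data = ""
  ciphertext = cipher.update(msg) + cipher.final
  nonce + cipher.auth_tag + ciphertext
end

# Reverse seal; raises OpenSSL::Cipher::CipherError on a wrong key or tampering.
def unseal(key, blob)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = blob.byteslice(0, NONCE_LEN)
  cipher.auth_tag = blob.byteslice(NONCE_LEN, TAG_LEN)
  cipher.auth_data = ""
  cipher.update(blob.byteslice(NONCE_LEN + TAG_LEN, blob.bytesize)) + cipher.final
end

# Split data into chunks; each chunk gets its own DEK, stored only in wrapped form.
def encrypt_chunks(kek, data, chunk_size)
  data.b.bytes.each_slice(chunk_size).map do |bytes|
    dek = OpenSSL::Random.random_bytes(32) # unique data encryption key per chunk
    { ciphertext: seal(dek, bytes.pack("C*")), wrapped_dek: seal(kek, dek) }
  end
end

# Unwrap each DEK with the KEK, decrypt its chunk, and reassemble the data.
def decrypt_chunks(kek, chunks)
  chunks.map { |c| unseal(unseal(kek, c[:wrapped_dek]), c[:ciphertext]) }.join
end

if __FILE__ == $PROGRAM_NAME
  # Assumption: a random in-memory KEK; the slides place the KEK behind a KMS.
  kek = OpenSSL::Random.random_bytes(32)
  chunks = encrypt_chunks(kek, "constructed sample record " * 4, 32)
  ok = decrypt_chunks(kek, chunks).start_with?("constructed")
  puts "#{chunks.length} chunks stored, round trip ok: #{ok}"
end
```

Without the KEK none of the stored chunks can be decrypted, which is why access to it is the single point of control for the data.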
New encryption Whitepaper
Encryption Whitepaper: Must read
Protecting beyond just Google
Project Zero
Faster development, deployment, response
Agility
Adapting fast gives more security
● we prevent more incidents
● we can respond faster
● we test our own systems
● we learn and iterate
Are you secure? Are you sure?
Reduced “vendor in the middle” risk
● Purpose-built chips
● Purpose-built servers
● Purpose-built storage
● Purpose-built network
● Purpose-built data centers
Safe Architecture
No more Updates
Yesterday: Walls, walls and walls
[Diagram labels: On prem, Identity, ERP server, CRM server, Employee, VPN]
And... not just employees
[Diagram labels: On prem, Identity, ERP server, CRM server, Employee, Contractor, VPN, Unintended access for contractor]
Change: Infra leaves the building
[Diagram labels: On prem, Identity, Employee, Contractor, VPN, ERP VM, CRM VM]
Change: Identity leaves the building
[Diagram labels: Employee, Contractor, ERP VM, CRM VM, Identity]
What are the risks?
[Diagram labels: Employee, Contractor, ERP VM, CRM VM, Identity]
● Is this device safe?
● Is it the real person?
● Is the network path secure?
● Is this person allowed to see this application?
● Is my application safe?
Solutions
[Diagram labels: Employee, Contractor, ERP VM, CRM VM, Identity]
● Device management
● Phishing resistant authN
● Well configured TLS
● Proxy for access control, TLS termination
● App Security Scans
What we do
[Diagram labels: Employee, Contractor, Proxy, ERP VM, CRM VM, Identity]
● Google Cloud Load Balancer
● Google MDM
● Cloud Security Scanner
● Security Key Enforcement
● Identity-Aware Proxy or BeyondCorp
IAM Service
Who can do what on which resource
Identity-Aware Proxy
● Control access by user identity
● Simpler and safer than VPN
● Building block for “BeyondCorp”
Security Key Enforcement
● Enforce security keys as 2nd factor
● Protect from #1 threat, phishing
● Building block for “BeyondCorp”
Mobile Application
Network
Servers
Chips
Recap: Secure Architecture
No more patching anywhere in the stack
Security
Privacy
Data Protection
Photo credit: @ogwrnsk
Businesses have different needs than consumers
Portability
Scope
IP
Contracts
Photo credit: Alan Davey
You are the data controller
We are a data processor
Third-party audits and certification
● ISO 27001
● ISO 27017
● ISO 27018
● HIPAA
● 21 CFR Part 11
● ISAE 3402 Type II
● AICPA SOC 3
● AICPA SOC 1
● SSAE 16 Type II
● AICPA SOC 2
● FedRAMP ATO (for G Suite and App Engine)
● MTCS Level 3
● STAR Certification
● PCI DSS v3.2
Thank you