Google Cloud Platform Securities

Network Firewall Rule Maintenance

Without explicit firewall rules, all incoming traffic from outside a network is blocked and no packet is allowed into a VM instance. To allow incoming network traffic, you need to set up firewalls to permit the connections. Such an approach to network permissions allows you to specify the origin and type of traffic permitted to reach your compute instances.

Sensitive Data Management(DM)

Data has sensitivity of different degrees. Google Cloud Platform provides the fundamental capabilities which are needed to build secure applications. Although it is your responsibility to enforce the appropriate movement and access your data at the level of your application. This includes preventing your end users from sharing critical information outside your corporate network / public cloud infrastructure and ensuring you keep data that could identify a specific individual safe.

Data Encryption(DE)

Encryption is automatic and no customer action is required. Google Cloud Platform services encrypt customer content that is stored at rest. For example, any new data which is stored in persistent disks is encrypted under the 256-bit Advanced Encryption Standard (AES-256), and each of the encryption key is itself encrypted with a regularly rotated set of master keys.

Data Center Physical Security

A layered security model is presented by the Google Data Center which encompass features like vehicular access barriers, perimeter fencing, custom designed electronic access cards, alarms, metal detectors and biometrics. The data center floor also features laser beam intrusion detection.

High-resolution interior and exterior cameras which observed Google’s Data Centers 24/7 can detect and track intruders. If an incident occurs in case camera footage, activity records, and access logs are reviewed.Experienced security guards routinely patrol the Data Centers. Less than 1% of the Googlers would ever be seen in anyone of the Data Centers.

Server and Software Stack Security

Google runs thousands of identical, custom-built servers. Google have built everything from hardware and networking to the custom Linux software stack along with security . Homogeneity, combined with ownership of the entire stack, greatly reduces our security footprint and allows us to react to the threats faster.

Trusted Server Boot

The only way to protect the boot process of a server is to secure it with a trusted entity which behaves in an expected manner. Google purposely built a security chip called Titan which enables the verification of the system firmware and software components and establishes a strong, hardware-rooted system identity.

Data Access

Google has practices and controls which protect the security of customer information. The layers of the Google application and storage stack require that requests coming from other components are authenticated and authorized. Access by production application administrative engineers to production environments is also controlled. A centralized group and role management system is used to define and control engineers’ access to production services, using a security protocol that authenticates engineers through the use of short-lived personal public key certificates; issuance of personal certificates is in turn guarded by two-factor authentication.

Data Disposal

Retired from Google’s systems, hard disks which contains information are subjected to a data destruction process.  At first, disks are logically wiped by authorized individuals , then another authorized individual performs a second inspection to confirm that the disk has been successfully wiped. The erase results are logged by the drive’s serial number for tracking the result. Finally, the erased drive is released for reuse and redeployment. If the drive cannot be erased due to some hardware failure, it is securely stored until physically destroyed. Every facility is audited on a weekly basis to monitor compliance with the disk erase policy.