Infrastructure Security Aspects of Google Cloud Platform

Google’s security infrastructure is designed in progressive layers starting from the physical security of data centers, moving forward to the security of the hardware and software that binds the infrastructure, and similarly, the technical aspects and processes in place to support the operational security of the platform.

This infrastructure facilitates secure deployment of services, secure storage of data with end-user privacy, communications between services, secure and private communication with customers over the internet, and operation by administrators.

Google leverages this infrastructure to build its services for both consumers i.e GMail, Google search, Photos as well as enterprises i.e G Suite and Google Cloud Platform.

Secure Hardware Infrastructure:

• Google builds its own data centers and enforces multiple physical security layers to protect the data center floors and use technologies like biometric identification, metal detection, cameras, vehicle barriers, and laser-based intrusion detection systems.

• Google’s data center consists of server machines connected to a local network. Both the server boards and the networking equipment are custom self-designed by Google.

• Authorised automated systems to ensure servers run up-to-date versions of their software stacks (including security patches), to detect and diagnose hardware and software problems, and to eliminate machines from service if required.

Secure Deployment:

• Google uses cryptographic authentication and authorization at the application layer for inter-service communication.

• Strong Identification and access control to ensure granularity that administrators and services can naturally understand.

• Each infrastructure is entitled with a service account identity consisting of cryptographic credentials for secure identity and access management of resources and users.

• The owner of a service can use access-management features to specify exactly which other services or users can communicate with it.

• Special cryptographic privacy and integrity for RPC data on the network to ensure security benefits to other application layer protocols such as HTTP.

• To protect against sophisticated adversaries the infrastructure automatically encrypts all the infrastructure RPC (Remote Procedure Call) traffic over the WAN between the data centers, without requiring any explicit configuration from the service. Note - In distributed computing, a remote procedure call is when a computer program causes a procedure to execute in a different address space (usually on another computer on a shared network), which is coded as if it were a normal or local procedure call, without the programmer explicitly coding the details for the remote interaction.

Secure Data:

• Storage services are configured to use keys from the central key management service to encrypt data before it is stored to physical storage, i.e, encryption at the application level ensures the infrastructure to isolate itself from potential threats at the lower levels of storage such as malicious disk firmware.

• Facilitates scheduled deletion of specific data.

Secure Internet Communication with Services:

• To make a service live over theInternet, it can register itself with the Google Front End (GFE). GFE ensures that all TLS (Transport layer security is a protocol that provides communication security between client/server applications that communicate with each other over the Internet.) connections are terminated using correct certificates and following best practices such as supporting perfect forward secrecy and also applies protections against Denial of Service attacks. 

• Multi-tier, multi-layer DoS protections that further reduces the risk of DoS impact on a service.

• After DoS protection, the next layer security is central identity service which usually manifests to end-users as the Google login page asking for username, passwords and other account-related additional information.

Secure Operations between Services and Users:

• GCP provides out of the box libraries for developers to prevent against security bugs.

• Protection of employee credentials, monitoring activities, versioning, detection of illicit activities, OTP second factor verification, U2F-compatible (Universal 2nd Factor is an open standard that strengthens and simplifies two-factor authentication) Security Keys for each employee accounts. Note - U2F security keys can be used as an additional method of two-step verification on online services that support the U2F protocol, including Google, Dropbox, GitHub, GitLab, Bitbucket, Nextcloud, Facebook, and others.

• Active monitoring of activities of the employees who have been granted administrative access to the infrastructure with two-party approvals and introducing limited APIs that allow debugging without exposing sensitive data.

• Integrated host-based signals on individual devices, network-based signals from various monitoring points, and signals from infrastructure services for intrusion detection.

Overview in terms of GCE ( Google Compute Engine)

            Let's consider deployment of a GCE instance.

• GCE implementation consists of several logical components i.e Management control plane and also the configuration of the virtual machine itself.

• Management control plane exposes the external API and orchestrates virtual machine creation and migration.

• It runs several services on the infrastructure from the creation of service account identity, granting different permissions etc to make remote procedure calls (RPCs).

• GCE control plane exposes its API via GFE, and takes advantage of infrastructure security features like Denial of Service (DoS) protection and centrally managed SSL/TLS support.

• This can also be done by integrating Load balancer with GCE.

• End-user authentication using Cloud IAM roles.

• Automatic control over network traffic while it travels from one control plane to another or one Datacenter to another.

• Each VM runs with an associated virtual machine manager (VMM) service instance, which uses two identities, one for calling its own services and others for calling external VMMs.

• Persistent disks attached with GCE are encrypted at-rest and also protected by Keys.

• Providing the customers to choose, whether to send traffic from their VMs to other VMs or the internet in the clear, or to implement any encryption.

• Infrastructure Isolation is  provided to the VMs is based on hardware virtualization using the open source KVM stac

• GCE’s use of customer data follows GCP’s customer data policy i.e Google will not access or use customer data, except as necessary to provide services to customers.