Google infrastructure is designed to ensure that information is secure throughout its entire lifecycle. Security within Google's infrastructure spans several layers, from the deployment of services, the storage of data, and inter-process and external communications, up to operational concerns.
Physical layer
At the physical layer, security is ensured by:
- Limiting and strictly controlling access to the data centers.
- Carefully vetting component providers and auditing their components’ security properties.
- Using custom chips on both servers and peripherals to identify Google devices.
- Validating cryptographic signatures on the BIOS, boot loader, kernel, and base OS image at each boot or update.
Service deployment
At the service level, Google does not assume any trust between services running on the same infrastructure. This has a number of important consequences for service identification, authorization, and data privacy and integrity, including the following:
- Each service has a cryptographic identity that is used when doing remote procedure calls (RPC).
- A service can be configured to be built from specific reviewed, checked in, tested, and approved source code, thus limiting the ability of an intruder to make modifications to source code.
- Several isolation techniques such as sandboxes and hardware virtualization are used to protect a service from other services running on the same machine. For very sensitive services, multiple isolation techniques may be used at the same time, including requiring that a service run exclusively on dedicated machines.
- API access is restricted at both the service and the engineer level using whitelists and a central ACL and group database.
- Encryption is used for all RPC communication.
- Each user-level request from one service to another, e.g. from Gmail to the Contacts service, must go through an identity verification process in which the user's session token is used to obtain a short-lived token that is then used at the RPC level.
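The session-token-to-RPC-token exchange described in the last point, as an added illustration that is not Google's code: a hypothetical identity service mints a short-lived token bound to one callee from a user's session token, and the callee verifies signature, audience and expiry before serving the request. The session store, key and service names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed illustration, not Google's implementation. The identity service
# holds the signing key; callee services only need to verify tokens minted with it.
IDENTITY_KEY = secrets.token_bytes(32)

# Hypothetical session store: long-lived session token -> authenticated user.
SESSIONS = {"sess-abc": "user@example.com"}


def _sign(payload: bytes) -> str:
    mac = hmac.new(IDENTITY_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def mint_rpc_token(session_token: str, audience: str, now: float, ttl: int = 300) -> str:
    """Identity service: exchange a session token for a short-lived token bound to one callee."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise PermissionError("unknown session token")
    claims = {"sub": user, "aud": audience, "exp": now + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def verify_rpc_token(token: str, expected_audience: str, now: float) -> Optional[str]:
    """Callee service: return the user id if the token is valid for this service, else None."""
    try:
        body_b64, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body_b64)
    except ValueError:          # malformed token (binascii.Error is a ValueError)
        return None
    if not hmac.compare_digest(_sign(payload), sig):
        return None             # forged or tampered
    claims = json.loads(payload)
    if claims["aud"] != expected_audience:
        return None             # minted for a different service: cannot be replayed here
    if now >= claims["exp"]:
        return None             # expired: a leaked token has a short useful life
    return claims["sub"]
```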
Data storage
Google uses encryption both at the application and at the drive level. Before being stored to disk, data is encrypted using keys from a central key management service that provides audit logs, automatic key rotation, etc. Additionally, hard drives and SSDs use hardware encryption and are only reused after a thorough multi-step erase process.
Internet communication
Google infrastructure is isolated from the internet, and only a subset of machines are exposed to external traffic. The cornerstone of Google's approach is the Google Front End (GFE), which provides registration and publication services for all internal services that are reachable from the internet. GFE ensures that TLS termination is handled correctly, enforces best practices, and provides Denial of Service (DoS) protection by acting as a reverse proxy. DoS protection is enforced through a dedicated, central service that oversees all incoming requests at the load balancer and can instruct it to drop or throttle attack traffic.
A key step in securing internet communication is user authentication, which is presented through the Google login page and backed by a central identity service. As is widely known, Google authentication does not rely only on a username and password, but challenges login attempts based on additional information such as the device that is used, its location, etc. For increased security, Google authentication also offers support for two-factor authentication.
Additional aspects of securing Google infrastructure concern operational security, which deals with how software is created, with protecting employees' machines and credentials, and with protecting against possible threats from insiders and external actors.
Many more details are available on Google's website, including a list of pointers to documents covering specific areas in greater detail.