Google Infrastructure Security Design Overview
Google InfrastructureSecurity Design OverviewGoogle Cloud Whitepaper
Table of ContentsIntroduction2Secure Low Level Infrastructure3Secure Service Deployment4Secure Data Storage7Secure Internet Communication8Operational Security9Security of Physical PremisesHardware Design and ProvenanceSecure Boot Stack and Machine IdentityService Identity, Integrity, and IsolationInter-Service Access ManagementEncryption of Inter-Service CommunicationAccess Management of End User DataEncryption at RestDeletion of DataGoogle Front End ServiceDenial of Service (DoS) ProtectionUser AuthenticationSafe Software DevelopmentKeeping Employee Devices and Credentials SafeReducing Insider RiskIntrusion DetectionSecuring the Google Cloud Platform (GCP)11Conclusion13Additional Reading13The content contained herein is correct as of January 2017, and represents the status quo as of the time it was written.Google’s security policies and systems may change going forward, as we continually improve protection for our customers.
CIO-level summary Google has a global scale technical infrastructure designed to provide securitythrough the entire information processing lifecycle at Google. This infrastructureprovides secure deployment of services, secure storage of data with end userprivacy safeguards, secure communications between services, secure andprivate communication with customers over the internet, and safe operationby administrators. Google uses this infrastructure to build its internet services, including bothconsumer services such as Search, Gmail, and Photos, and enterprise servicessuch as G Suite and Google Cloud Platform. The security of the infrastructure is designed in progressive layers starting fromthe physical security of data centers, continuing on to the security of thehardware and software that underlie the infrastructure, and finally, the technicalconstraints and processes in place to support operational security. Google invests heavily in securing its infrastructure with many hundreds ofengineers dedicated to security and privacy distributed across all of Google,including many who are recognized industry authorities.1
IntroductionThis document gives an overview of how security is designed into Google’stechnical infrastructure. This global scale infrastructure is designed to providesecurity through the entire information processing lifecycle at Google. Thisinfrastructure provides secure deployment of services, secure storage of datawith end user privacy safeguards, secure communications between services,secure and private communication with customers over the internet, and safeoperation by administrators.Google uses this infrastructure to build its internet services, including bothconsumer services such as Search, Gmail, and Photos, and enterprise servicessuch as G Suite and Google Cloud Platform.We will describe the security of this infrastructure in progressive layers startingfrom the physical security of our data centers, continuing on to how the hardwareand software that underlie the infrastructure are secured, and finally, describingthe technical constraints and processes in place to support operational security.Google Infrastructure Security LayersOperational SecurityIntrusion DetectionReducing Insider RiskInternet CommunicationGoogle Front EndSafe EmployeeDevices & CredentialsSafe SoftwareDevelopmentDoS ProtectionStorage ServicesEncryption at restDeletion of DataUser IdentityAuthenticationLogin Abuse ProtectionService DeploymentAccess Managementof End User DataEncryption of InterService CommunicationInter-Service AccessManagementHardware InfrastructureSecure Boot Stack andMachine IdentityHardware Design andProvenanceSecurity of PhysicalPremisesService Identity,Integrity, IsolationFigure 1.Google InfrastructureSecurity Layers:The various layers of securitystarting from hardwareinfrastructure at the bottomlayer up to operational securityat the top layer. The contentsof each layer are described indetail in the paper.2
Secure Low Level InfrastructureIn this section we describe how we secure the lowest layers of ourinfrastructure, ranging from the physical premises to the purpose-built hardwarein our data centers to the low-level software stack running on every machine.Security of Physical PremisesGoogle designs and builds its own data centers, which incorporate multiplelayers of physical security protections. Access to these data centers is limited toonly a very small fraction of Google employees. We use multiple physicalsecurity layers to protect our data center floors and use technologies likebiometric identification, metal detection, cameras, vehicle barriers, andlaser-based intrusion detection systems. Google additionally hosts some serversin third-party data centers, where we ensure that there are Google-controlledphysical security measures on top of the security layers provided by the datacenter operator. For example, in such sites we may operate independentbiometric identification systems, cameras, and metal detectors.A Google data centerconsists of thousandsof server machinesconnected to a localnetwork. Both theserver boards and thenetworking equipmentare custom designedby Google.Hardware Design and ProvenanceA Google data center consists of thousands of server machines connected to alocal network. Both the server boards and the networking equipment arecustom-designed by Google. We vet component vendors we work with andchoose components with care, while working with vendors to audit and validatethe security properties provided by the components. We also design customchips, including a hardware security chip that is currently being deployed on bothservers and peripherals. These chips allow us to securely identify andauthenticate legitimate Google devices at the hardware level.Secure Boot Stack and Machine IdentityGoogle server machines use a variety of technologies to ensure that they arebooting the correct software stack. We use cryptographic signatures overlow-level components like the BIOS, bootloader, kernel, and base operatingsystem image. These signatures can be validated during each boot or update.The components are all Google-controlled, built, and hardened. With each newgeneration of hardware we strive to continually improve security: for example,depending on the generation of server design, we root the trust of the boot chainin either a lockable firmware chip, a microcontroller running Google-writtensecurity code, or the above mentioned Google-designed security chip.Each server machine in the data center has its own specific identity that can betied to the hardware root of trust and the software with which the machinebooted. This identity is used to authenticate API calls to and from low-levelmanagement services on the machine.Google has authored automated systems to ensure servers run up-to-dateversions of their software stacks (including security patches), to detect and3
We use cryptographicauthentication andauthorization at theapplication layer forinter-servicecommunication.This provides strongaccess control at anabstraction level andgranularity thatadministrators andservices can naturallyunderstand.diagnose hardware and software problems, and to remove machines fromservice if necessary.Secure Service DeploymentWe will now go on to describe how we go from the base hardware and softwareto ensuring that a service is deployed securely on our infrastructure. By ‘service’we mean an application binary that a developer wrote and wants to run on ourinfrastructure, for example, a Gmail SMTP server, a BigTable storage server, aYouTube video transcoder, or an App Engine sandbox running a customerapplication. There may be thousands of machines running copies of the sameservice to handle the required scale of the workload. Services running on theinfrastructure are controlled by a cluster orchestration service called Borg.As we will see in this section, the infrastructure does not assume any trustbetween services running on the infrastructure. In other words, the infrastructureis fundamentally designed to be multi-tenant.Service Identity, Integrity, and IsolationWe use cryptographic authentication and authorization at the application layerfor inter-service communication. This provides strong access control at anabstraction level and granularity that administrators and services cannaturally understand.We do not rely on internal network segmentation or firewalling as our primarysecurity mechanisms, though we do use ingress and egress filtering at variouspoints in our network to prevent IP spoofing as a further security layer. Thisapproach also helps us to maximize our network’s performance and availability.Each service that runs on the infrastructure has an associated service accountidentity. A service is provided cryptographic credentials that it can use to proveits identity when making or receiving remote procedure calls (RPCs) to otherservices. These identities are used by clients to ensure that they are talking tothe correct intended server, and by servers to limit access to methods and datato particular clients.Google’s source code is stored in a central repository where both current andpast versions of the service are auditable. The infrastructure can additionally beconfigured to require that a service’s binaries be built from specific reviewed,checked in, and tested source code. Such code reviews require inspection andapproval from at least one engineer other than the author, and the systemenforces that code modifications to any system must be approved by theowners of that system. These requirements limit the ability of an insider oradversary to make malicious modifications to source code and also provide aforensic trail from a service back to its source.4
We have a variety of isolation and sandboxing techniques for protecting aservice from other services running on the same machine. These techniquesinclude normal Linux user separation, language and kernel-based sandboxes,and hardware virtualization. In general, we use more layers of isolation for riskierworkloads; for example, when running complex file format converters onuser-supplied data or when running user supplied code for products like GoogleApp Engine or Google Compute Engine. As an extra security boundary, we enablevery sensitive services, such as the cluster orchestration service and some keymanagement services, to run exclusively on dedicated machines.Inter-Service Access ManagementThe owner of a service can use access management features provided by theinfrastructure to specify exactly which other services can communicate with it.For example, a service may want to offer some APIs solely to a specific whitelistof other services. That service can be configured with the whitelist of theallowed service account identities and this access restriction is thenautomatically enforced by the infrastructure.The owner of aservice can useaccess managementfeatures provided bythe infrastructure tospecify exactly whichother services cancommunicate with it.Google engineers accessing services are also issued individual identities, soservices can be similarly configured to allow or deny their accesses. All of thesetypes of identities (machine, service, and employee) are in a global name spacethat the infrastructure maintains. As will be explained later in this document, enduser identities are handled separately.The infrastructure provides a rich identity management workflow system forthese internal identities including approval chains, logging, and notification. Forexample, these identities can be assigned to access control groups via a systemthat allows two party-control where one engineer can propose a change to agroup that another engineer (who is also an administrator of the group) mustapprove. This system allows secure access management processes to scale tothe thousands of services running on the infrastructure.In addition to the automatic API-level access control mechanism, theinfrastructure also provides services the ability to read from central ACL andgroup databases so that they can implement their own custom, fine-grainedaccess control where necessary.Encryption of Inter-Service CommunicationBeyond the RPC authentication and authorization capabilities discussed in theprevious sections, the infrastructure also provides cryptographic privacy andintegrity for RPC data on the network. To provide these security benefits to otherapplication layer protocols such as HTTP, we encapsulate them inside ourinfrastructure RPC mechanisms. In essence, this gives application layer isolationand removes any dependency on the security of the network path. Encryptedinter-service communication can remain secure even if the network is tapped ora network device is compromised.5
Services can configure the level of cryptographic protection they want for eachinfrastructure RPC (e.g. only configure integrity-level protection for low valuedata inside data centers). To protect against sophisticated adversaries who maybe trying to tap our private WAN links, the infrastructure automatically encryptsall infrastructure RPC traffic which goes over the WAN between data centers,without requiring any explicit configuration from the service. We have started todeploy hardware cryptographic accelerators that will allow us to extend thisdefault encryption to all infrastructure RPC traffic inside our data centers.Access Management of End User DataA typical Google service is written to do something for an end user. For example,an end user may store their email on Gmail. The end user’s interaction with anapplication like Gmail spans other services within the infrastructure. So forexample, the Gmail service may call an API provided by the Contacts service toaccess the end user’s address book.We have seen in the preceding section that the Contacts service can beconfigured such that the only RPC requests that are allowed are from the Gmailservice (or from any other particular services that the Contacts service wantsto allow).This, however, is still a very broad set of permissions. Within the scope of thispermission the Gmail service would be able to request the contacts of any userat any time.Since the Gmail service makes an RPC request to the Contacts service on behalfof a particular end user, the infrastructure provides a capability for the Gmailservice to present an “end user permission ticket” as part of the RPC. This ticketproves that the Gmail service is currently servicing a request on behalf of thatparticular end user. This enables the Contacts service to implement a safeguardwhere it only returns data for the end user named in the ticket.To protect againstsophisticatedadversaries who maybe trying to tap ourprivate WAN links, theinfrastructureautomatically encryptsall infrastructure RPCtraffic which goes overthe WAN betweendata centers.The infrastructure provides a central user identity service which issues these“end user permission tickets”. An end user login is verified by the central identityservice which then issues a user credential, such as a cookie or OAuth token, tothe user’s client device. Every subsequent request from the client device intoGoogle needs to present that user credential.When a service receives an end user credential, it passes the credential to thecentral identity service for verification. If the end user credential verifies correctly,the central identity service returns a short-lived “end user permission ticket” thatcan be used for RPCs related to the request. In our example, that service whichgets the “end user permission ticket” would be the Gmail service, which wouldpass it to the Contacts service. From that point on, for any cascading calls, the“end user permission ticket” can be handed down by the calling service to thecallee as a part of the RPC call.6
Service AService BCall B.get info()Service Config:Name AAccount a serviceEncryption ofinter-servicecommunicationB.get info()Caller ID a serviceCallee ID b serviceINFRASTRUCTUREIdentityProvisioning byService ownerAutomaticmutualauthenticationAccess Rule Config:Only account ‘a service’can access B.get info()Service Config:Name BAccount b serviceFigure 2.Service Identity andAccess Management:The infrastructure providesservice identity, automaticmutual authentication,encrypted inter-servicecommunication andenforcement of accesspolicies defined by theservice owner.Enforcementof Serviceowner’saccess policySecure Data StorageUp to this point in the discussion, we have described how we deploy servicessecurely. We now turn to discussing how we implement secure data storage onthe infrastructure.Encryption at RestGoogle’s infrastructure provides a variety of storage services, such as BigTableand Spanner, and a central key management service. Most applications atGoogle access physical storage indirectly via these storage services. The storageservices can be configured to use keys from the central key management serviceto encrypt data before it is written to physical storage. This key managementservice supports automatic key rotation, provides extensive audit logs, andintegrates with the previously mentioned end user permission tickets to link keysto particular end users.Performing encryption at the application layer allows the infrastructure to isolateitself from potential threats at the lower levels of storage such as malicious diskfirmware. That said, the infrastructure also implements additional layers ofprotection. We enable hardware encryption support in our hard drives and SSDsand meticulously track each drive through its lifecycle. Before a decommissionedencrypted storage device can physically leave our custody, it is cleaned using amulti-step process that includes two independent verifications. Devices that donot pass this wiping procedure are physically destroyed (e.g. shredded)on-premise.7
Deletion of DataDeletion of data at Google most often starts with marking specific data as“scheduled for deletion” rather than actually removing the data entirely. Thisallows us to recover from unintentional deletions, whether customer-initiated ordue to a bug or process error internally. After having been marked as “scheduledfor deletion,” the data is deleted in accordance with service-specific policies.When an end user deletes their entire account, the infrastructure notifiesservices handling end user data that the account has been deleted. Theservices can then schedule data associated with the deleted end user accountfor deletion.The Google Front Endensures that all TLSconnections areterminated usingcorrect certificates andfollowing best practicessuch as supportingperfect forward secrecy.Secure Internet CommunicationUntil this point in this document, we have described how we secure services onour infrastructure. In this section we turn to describing how we securecommunication between the internet and these services.As discussed earlier, the infrastructure consists of a large set of physicalmachines which are interconnected over the LAN and WAN and the security ofinter-service communication is not dependent on the security of the network.However, we do isolate our infrastructure from the internet into a private IPspace so that we can more easily implement additional protections such asdefenses against denial of service (DoS) attacks by only exposing a subset ofthe machines directly to external internet traffic.Google Front End ServiceWhen a service wants to make itself available on the Internet, it can register itselfwith an infrastructure service called the Google Front End (GFE). The GFEensures that all TLS connections are terminated using correct certificates andfollowing best practices such as supporting perfect forward secrecy. The GFEadditionally applies protections against Denial of Service attacks (which we willdiscuss in more detail later). The GFE then forwards requests for the serviceusing the RPC security protocol discussed previously.In effect, any internal service
technical infrastructure. This global scale infrastructure is designed to provide security through the entire information processing lifecycle at Google. This infrastructure provides secure deployment of services, secure storage of data with end user privacy safeguards, secure communications between services,
Grammar as a Foreign Language Oriol Vinyals Google vinyals@google.com Lukasz Kaiser Google lukaszkaiser@google.com Terry Koo Google terrykoo@google.com Slav Petrov Google slav@google.com Ilya Sutskever Google ilyasu@google.com Geoffrey Hinton Google geoffhinton@google.com Abstract Synta
Google Brain avaswani@google.com Noam Shazeer Google Brain noam@google.com Niki Parmar Google Research nikip@google.com Jakob Uszkoreit Google Research usz@google.com Llion Jones Google Research llion@google.com Aidan N. Gomezy University of Toronto aidan@cs.toronto.edu Łukasz Kaiser Google Brain lukaszkaiser@google.com Illia Polosukhinz illia .
Google Meet Classic Hangouts Google Chat Google Calendar Google Drive and Shared Drive Google Docs Google Sheets Google Slides Google Forms Google Sites Google Keep Apps Script D
Google Drive (Google Docs, Google Sheets, Google Slides) Employees are automatically issued a Kyrene Google account. Navigate to drive.google.com. Use Kyrene email address and network password to login. Launch in Chrome browser for best experience. Google Drive is a cloud storage sys
Configuration needs Google Home app. Search "Google Home" in App Store or Google Play to install the app. 3.1 Set up Google Home with Google Home app You can skip this part if your Google Home is already set up. 1. Make sure your Google Home is energized. 2. Open the Google Home app by tapping the app icon on your mobile device. 3.
2 Após o login acesse o Google Drive ou o Google Docs e selecione a ferramenta Google Forms (Formulários). Clique na caixa de Ferramentas do Google, localizada no canto direito superior da tela e selecione o Google Drive. Na tela do Google Drive clique em New , opção More e selecione Google Forms. OBS: É possível acessar o google
File upload, Folder upload, Google Docs, Google Sheets, or Google Slides. You can also create Google Forms, Google Drawings, Google My Maps, etc. Share with exactly who you want — without email attachments. Search or sort your list of files, folders, and Google Docs. Preview files and Google Docs.
Google Apps All of the Google applications that are available upon logging into Google.com (G , Gmail, Gphotos, Gdrive, etc.). Google Suite Google’s online cloud based office companion applications (Docs, Sheets, Slides). Google Drive Google’s online cloud storage and file sharing/collaboration application.
