How Google Secures Its Data Centers
In a cybersecurity landscape that experts say is changing at a dizzying pace, Google has developed security as a culture to protect its sensitive data.
“Bank robberies, military compounds and spies – that’s what you might think of when it comes to data center security. And to be honest you are not too far off,” says Google’s Stephanie Wong, Head of Developer Engagement at Google Cloud.
Wong walks viewers through the six layers of security – everything from fencing to thermal cameras to biometric scanners -- that protects Google’s data centers from threats in the Discovering Data Center series on YouTube.
Data Centers Adapting to ‘New Normal’ Cybersecurity
Maria Korolov, writing in Data Center Knowledge, says data centers are adapting to a ‘new normal’ that includes an alarming rise in ransomware attacks.
“Cybersecurity has also entered a stage of new normal where ransomware attacks are a constant threat, supply chain attacks are ubiquitous and new vulnerabilities are discovered daily,” writes Korolov. “Meanwhile, with systems and processes moving to the cloud and employees working remotely, the attack surface has expanded dramatically.
Timothy Liu, Forbes Technology Council, says that CISOs and other security professionals are being challenged like no time before.
“[Ransomware] attacks have become more prominent, more aggressive, more blatant and more costly, with the estimated average ransomware cost doubling in 2021 alone,” writes Liu. “Even smaller organizations are not immune; they may even be considered a more attractive target since their cybersecurity defenses may be lower and their willingness to pay a ransom higher.”
Sophos, a cybersecurity firm, reported in “The State of Ransomware 2021” that the average cost to recover from a ransomware attack has doubled from $761,106 in 2020 to $1.85 million in 2021.
Google’s Defense in Depth Starts at Layers 1 and 2
Given this cybersecurity environment, how exactly does Google reliably secure its data centers?
It all starts with six layers, also known as Defense in Depth. These layers become progressively more protected with access checks as you move to the core of the data center.
Layers 1 and 2 involve:
- Property boundaries
- Vehicle crash barriers
- Fences with motion detection
- Guard kiosks
- Thermal cameras
Layer 3 and 4: Iris Scans to Badge Checks
Layer 3 gives you access to the secure lobby where you get your irises scanned, and will find the general office area where hardware and data center operations teams work.
“You are now in the data center building. Badge checks exist at every entry point, and only one person can go through a door at a time,” says Wong.
As you move to Layer 4 you will find operational rooms, like the core network room and security operations center, which contains a highly trained staff that monitors all aspects of security and “can keep a level head at all times.”
Layers 5 and 6: Rarefied Space Where Data Lives
Next is layer 5, the data center floor. This is a rarefied space.
“Less than 1 percent of Googlers ever get to set foot here,” said Wong. “This is where data lives.”
To advance, you must walk through a circle lock, a big glass tube that lets only one person enter at a time.
Here you once again get your credentials checked and irises scanned.
“This is a form of dual-factor authentication. You must present two forms of identification – in this case, a badge and biometric data – to validate an individual’s identity,” said Wong.
Layer 6 is disk erase, where retiring hard drives get their data wiped and reused or shredded and recycled.
“Only those with special access can enter the disk erase room and retrieve drives through a secure two-way locker system,” said Wong.
To exit layers 5 and 6, employees are required to go through full metal detection under the supervision of a staff member.
Google Data Centers: Outside Protection
What about protecting Google data centers from the outside world?
External dangers to the Google data center include:
- Electromagnetic pulses
Yes! Zombies! In computing, according to anti cybercrime technology company Panda Security, Zombie is a computer connected to a network that has been compromised by a hacker, a virus, or a Trojan. It can be used remotely for malicious attacks and tasks.
“Most owners of Zombie computers do not realize that their system is being used in this way, hence the comparison with the living dead,” says Panda Security. “They are also used in DDoS Attacks in coordination with botnets in a way that resembles the typical Zombie attacks of horror films.”
Google, not resting on the six layers of its Defense in Depth, is on the watch for these outside attacks and proactive, even trying to penetrate its own defenses.
“We run dozens of drills a year, engaging unannounced skilled adversaries to try to get past controls,” said Wong. “After every testing attempt, we always evaluate our performance to ensure the strength of our security controls and iterate controls, as needed.”
Google’s Culture of Security
To truly appreciate what Google calls a “culture of security”, you must realize that data centers are only one piece of the Google security puzzle.
Google applies the layer approach to its entire cloud infrastructure, not relying on a single technology to make its data secure. Measures include:
- Operational and Device Security: Infrastructure software is developed and deployed with operations teams detecting and responding to inside and external infrastructure threats 24/7/365.
- Internet Communication: Communications over the internet to public cloud services are encrypted in transit. Multiple layers of protection are in place to defend against denial-of-service attacks.
- Identity: Access to sensitive data is protected by advanced tools like phishing-resistant security keys. Identities, users, and services are strongly authenticated.
- Storage Devices: Data stored in Google infrastructure is automatically encrypted at rest and distributed for availability and reliability. This protects the data from unauthorized access and service interruptions.
- Service Deployment: Any application that runs through Google infrastructure is deployed with security in mind. Trust is not assumed between services and multiple mechanisms to establish and maintain trust are used.
- Hardware Infrastructure: All hardware infrastructure is Google-controlled and Google-secured from purpose-built servers to networking equipment to custom security chips to low-level software stack running on every machine.
At DCS we can provide one-on-one consultation and training to help your data center technicians understand not only current link-loss budgets and limitations of fiber cabling but also how to install and configure their next-generation products to perform in a secure environment and at their highest capacity.
Contact DCS today to find out how we can help your data center decision makers use fiber connectivity solutions to their greatest advantage.