How Google keeps your information secure
Posted by Douglas Merrill, VP of Engineering
As many of you know, we spend a lot of time around here thinking
about new products to help you run your life more efficiently,
whether that’s organizing email in a better way, sharing pictures
with friends, or collaborating in real time on documents. What you
may not know is that we also spend a lot of time thinking about the
security that goes into those products, and more specifically the
ways we can protect you and your private information.
While the chances are that you'll never have a security
problem, we take security very seriously, and that's why we
have some of the best engineers in the world working here to secure
information. Much of their work is confidential, but we do want to
share some of the ways we're protecting your data. There are a
few things you should know about how we handle confidential
information:
Philosophy: First is our philosophy
(http://www.google.com/corporate/security.html). At Google, security is a
continuous process. We don't just "check" a product
for security before we launch it — we are thinking about security
before the product is even created, and we are building it in
throughout the product's development. Also critical is our
belief in layered protection. It's much like securing your
house. You put your most private information in a safe. You secure
the safe in your house, which is protected with locks and possibly
an alarm system. And then you have the neighborhood watch program
or the local police monitoring your neighborhood. It's very
similar at Google. Our most sensitive information is difficult to
find or access (the safe). Our network and facilities (the house)
are protected in both high- and low-tech ways: encryption, alarms,
and other technology for our systems, and strong physical security
at our facilities. And finally, we've learned that when
security is done right, it's done best as a community (the
neighborhood); we encourage everyone to help us identify potential
problems and solutions. Researchers who work at security and
technology companies all over the world are constantly looking for
security problems on the Internet, and we work closely with that
community to find and fix potential problems.
Technology: These layers of protection are built on the
best security technology in the world. While we employ products
developed by others in the security community, we build a lot of
our security technology ourselves. Some of the most innovative
components of our security architecture focus on automation and
scale. These are important to us because we're handling
searches, emails, and other activities for millions of users every
day. To keep our security processes a step ahead, we automate the
way we test our software for possible security vulnerabilities and
the way we monitor for possible security attacks. We're also
constantly seeking more ways to use
encryption (http://en.wikipedia.org/wiki/Encryption) and other
technical measures to
protect your data, while still maintaining a great user
experience.
Process: In addition to technology, we have a set of
processes that dictate how we secure confidential information at
Google and who can access it. We carefully manage access to
confidential information of any sort, and very few Googlers have
access to what we consider very sensitive data. This is in no small
part because there's very little reason for us to provide that
access — most of our processes are automated, and don't
require much human intervention. Of course, the limited number of
people who are granted access to sensitive data must have special
approval. And while we hold ourselves to a very high standard, we
also work to ensure that our processes meet (and in many cases
exceed) industry standards. These include audits for
Sarbanes-Oxley
(http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ204.107),
SAS 70 (http://en.wikipedia.org/wiki/SAS_70), PCI (payment card
industry; https://www.pcisecuritystandards.org/) compliance, and
more. By working with independent
auditors, who evaluate compliance with standards that hold hundreds
of different companies to very rigorous requirements, we add
another layer of checks and balances to our security
processes.
People: The most important part of our approach to
security is our people. Google employs some of the best and
brightest security engineers in the world
(http://www.eweek.com/c/a/Security/The-15-Most-Influential-People-in-Security-Today/1/).
Many of our
engineers came from very high-profile security environments, such
as banks, credit card companies, and high-volume retail
organizations, and a large number of them hold PhDs and patents in
security and software engineering. As you can imagine, our
engineers are smart and curious and are on the lookout for security
anomalies and best practices in the industry. Our engineers have
published hundreds of academic papers on technically detailed
topics such as
drive-by downloads that install malware (PDF file:
http://research.google.com/archive/provos-2008a.pdf) or hostile
virtualized environments (http://taviso.decsystem.org/virtsec.pdf).
(You can find some of these papers here:
http://research.google.com/pubs/papers.html#category14
approach to security among all of our engineers, requiring everyone
to pass a coding style review (which enables us to control the type
of code used here and how it's used in order to prevent
software problems) and ensuring that all code at Google is reviewed
by multiple engineers so that it meets our software and security
standards.
And throughout the company, we use our own products. That means we
protect your information with the same security that we use to
protect our own company emails and documents. And while we continue
to innovate with our products, we'll also continue to innovate
in the world of security. For more on our approach to security,
visit our Security and Product Safety page
(http://www.google.com/corporate/security.html).