back to article Google reveals its servers all contain custom security silicon

Google has published a Infrastructure Security Design Overview that explains how it secures the cloud it uses for its own operations and for public cloud services. Revealed last Friday, the document outlines six layers of security and reveals some interesting factoids about the Alphabet subsidiary's operations, none more so …

  1. bazza Silver badge

    Rule of Thumb

    The more data an online service provider manages to snaffle from its freetard / paying users, the more it likes to boast abouts its security measures.

    So, what do Google know about us all?!

    Of course, these days Google, Facebook, etc. are snaffling data about people who are not their users (Android's use of caller ID, Facebook's face recognition and tracking, etc).

    1. Anonymous Coward
      Anonymous Coward

      Q

      Google?

      They know everything.

      They know more about you than the CIA, NSA, CGHQ, and all of the other spy agencies around the world combined

      You think you can just turn off google analytics and limit the javascript that runs on your PC? Guess again. There are ways around that. And note: Almost every website you visit runs Google Analytics.

      Google's security is at a minimum what the US Government should be using. Had they done this... it would have been much harder for the Chinese to hack their servers (OPM) and had the DNC used it... they too would haven't been hacked from the outside.

      Now you know what they (Google) do with all of that money they collect from ad revenue.

      1. Pascal Monett Silver badge

        Re: "You think you can [..] limit the javascript that runs on your PC?"

        Um, in a word : yes. NoScript does just that.

        Of course, that means using a different browser than any made in Redmond.

        You should try that one day.

        1. Anonymous Coward
          Anonymous Coward

          Re: "You think you can [..] limit the javascript that runs on your PC?"

          I suggest you take a deeper look at what can and can't be done using NoScript. (Which I use BTW)

          But what's embedded in the javascript that runs the site?

          There are other ways Google can track you. If you don't realize this then you haven't spent enough time thinking about it.

      2. tr1ck5t3r
        Trollface

        Re: Q

        Theres a database which the FBI have which is the largest in the world. You can trace family trees back several generations, lookup sneaker patterns and practically anything else you could possibly want to know about an individual, right down to the time they were predicted to have a toilet break when at home, I shit you not.

        Anyway, even if the chip does security and even if its custom built, if its got firmware which is NOT burnt into the chip for life, or needs someone to short some jumpers or pins on the chip, then it can be hacked.

        The fact they use encryption when shifting data around between machines just makes it easier to hide the hacks.

        So is that encrypted data passing down the wire, yours or mine?

        1. Ian Michael Gumby Silver badge

          @Tricker ... Re: Q

          Yes, anything can be hacked. However, its possible to increase the barriers to a point where hacking becomes futile and obtaining the information thru other means is easier.

          And there are other things that Google could do, but doesn't yet do...

      3. DougS Silver badge

        Google's security would not have prevented OPM hack

        Despite what an AC thinks. Having a security chip (which I'll bet is just a TPM chip that has only Google's certificate installed, because what they claim for it is exactly what TPM does) and encrypting devices doesn't prevent software security issues. And based on all the holes they find and fix in every release of Android, it is pretty evident that Google is no better than anyone else in terms of software quality.

        While I'd guess the OPM servers were way behind in patching, and that probably aided the attack, bog standard TPM chips and encrypted drives wouldn't help there. Regular patching may have, but that would be pretty silly for Google to brag about, especially when 'custom security silicon' sounds so much better.

        1. Anonymous Coward
          Anonymous Coward

          Re: Google's security would not have prevented OPM hack

          I'm sorry, but the use of hardware in security is only one layer of the security.

          Again if the government had implemented security efforts found in Google and those found in global banks, the hacking of the OPM could have been prevented.

          Granted, banks and others do get hacked. But the level of effort required grows.

          1. DougS Silver badge

            Re: Google's security would not have prevented OPM hack

            Sorry AC, repeating a claim over and over again with zero evidence doesn't make it true, despite what Donald Trump seems to think.

      4. TReko

        Re: Q

        >had the DNC used it... they too would haven't been hacked from the outside.

        No. The DNC (Podesta) was using Google. His Gmail account was hacked. He clicked on a fake password reset link. The problem is human ignorance and that one Google password gives you full access.

        If you use Google Drive, adding an extra layer of security through something like SyncDocs is a wise measure. That way, you have defence in depth.

      5. Anonymous Coward
        Anonymous Coward

        Re: Q

        >Now you know what they (Google) do with all of that money they collect from ad revenue.

        Words best reserved for when Google Skynet goes live, methinks.

    2. Mark 85 Silver badge

      Re: Rule of Thumb

      I do find it interesting that the company that hates our privacy is so paranoid about theirs. Same with MS and FB. I do grasp it that they know "everything" and it's worth a fortune to them and if it were ever accessed by "unauthorized actors" a real shit-storm would happen. But still, a bit of respect for those who give Google everything.. like make "incognito mode" really incognito and not tell me what usernames, passwords, etc. I'm using for banks, etc.

  2. A Non e-mouse Silver badge

    Firewalls

    "We do not rely on internal network segmentation or firewalling as our primary security mechanisms"

    I thought that not relying on just a firewall to protect your infrastructure was old hat. What's the phrase? Defense in depth?

    1. Trevor_Pott Gold badge

      Re: Firewalls

      "We do not rely on internal network segmentation or firewalling as our primary security mechanisms"

      Doesn't say they don't use firewalls. Just says they're not 1990s about it like the arrogant believers in eggshell security. Willing to bet Google are at the forefront of automated incident response. None of this "nothing can get through MY defenses" machismo. Instead: "things WILL get through, but we have crazy quarantine and RCA responses automated into every layer".

      You know, like actual security experts would approach things. Anyone who uses firewalls as the primary security mechanism either doesn't have an adequate budget, or doesn't care enough about the data...

      (Hell, even salting and hashing your passwords in a database is accepting that firewalls can and do fail to keep the bad guys out. C'mon!...)

      1. Lee D Silver badge

        Re: Firewalls

        From the guys that never encrypted their leased line connections between datacentres until various three-letter-agencies said they were able to sniff them?

        Though I don't doubt they try, it doesn't sound like they built things with the right kind of assumptions, which is probably worse than just about any other security problem you can imagine.

        1. Trevor_Pott Gold badge

          Re: Firewalls

          I trust companies that have had a good security/privacy scare more than those that haven't. Nothing causes a rethink on the howto than getting caught with your pants down. I'm willing to bet Google have refined their approaches aggressively. Remember: they're academics. Give a nerd a puzzle...

  3. malle-herbert Silver badge
    Big Brother

    Fine...

    But I still won't trust them with MY data...

    1. Anonymous Coward
      Anonymous Coward

      Re: Fine...

      It's ok, it's boring anyway.

  4. Stuart 22

    Cheating VW

    "These requirements limit the ability of an insider or adversary to make malicious modifications to source code and also provide a forensic trail from a service back to its source."

    Methinks the Wolfsburg answer would be more than 2.

    Which is why I would trust Google code more than the average car maker's code under my bonnet.

    But then my motor is comes from the pre-code era.

  5. WibbleMe

    So is this why we can't send emails from Google Cloud Public Apps?

    https://cloud.google.com/compute/docs/tutorials/sending-mail/

    1. Anonymous Coward
      Anonymous Coward

      No, that's just because of spam.

  6. Anonymous Coward
    Anonymous Coward

    A chain is only as strong

    As its weakest link.

    Which part of this diagram highlights the process of handing data over to the NSA? I can't see it.

    Or does this document imply that the NSA simply has the requisite embedded hardware to make their tasks easier?

    1. Tom Paine Silver badge

      Re: A chain is only as strong

      Handing over design to LEA (not the NSA - the Feds and the cops) is a by-design business process. By law, actually.

      The NSA smiley face "magic happens here"* type of illegal / pseudo-legal access will be what they're trying to prevent with the bootkit / microcode signing, encryption everywhere, PFS, etc.

      * (it's one of the Snowden leaked presentations)

      1. Anonymous Coward
        Anonymous Coward

        Re: A chain is only as strong

        @Tom Paine - perhaps you should reread your namesake's "Rights of Man" to realise how far you deviate from your presumptive political hero.

        The problem with CALEA in the US is how it happens and the lack of obvious oversight.

    2. Anonymous Coward
      Anonymous Coward

      Re: A chain is only as strong

      @AC

      No need to send the data to the NSA - they ARE the NSA. Why else would they spend all that money on security? Nobody else does!

  7. Anonymous Coward
    Anonymous Coward

    OK, so that leaves three questions..

    1 - we KNOW they read user data as they admit as much in their own Terms & Conditions - where is that happening, who controls that and where does it go? No data on that.

    2 - it's a nice document, but until it has been vetted by an independent 3rd party that you could actually trust it is just that - a lot of theory.

    3 - even if the DOCUMENT makes sense, where is the independent validation that it has actually been implemented and is maintained?

    Not that I have a deep interest in the answers: I don't use them nor do I contemplate changing that at any point in the future.

  8. Walter Bishop Silver badge
    Linux

    Security on a lockable chip

    "we root the trust of the boot chain in either a lockable firmware chip"

    Something similar to what I've been saying for years, now when is Google going to pay me for copying my innovation?

    1. ratfox Silver badge
      Devil

      Re: Security on a lockable chip

      If you patented your idea, maybe...

      Otherwise, no.

    2. tr1ck5t3r
      Trollface

      Re: Security on a lockable chip

      Using the lock switch on a SD card doesn't count.

  9. Anonymous Coward
    Anonymous Coward

    No doubting their capability and ability to execute. As per others my concern isn't what external actors might steal from them, but what they may now and in the future do with the data.

  10. Anonymous Coward
    Anonymous Coward

    This won't make me trust Google, but it's generally a good thing. We all need this.

    1. Pascal Monett Silver badge

      What I find interesting is that this opens the possibility that, in future, in-house chips to validate hardware could well become readily available to every company. I don't think end users will get any because that's not the market, but Fortune 1000 companies could well invest in that kind of scheme, as well as important web site companies that are not (yet) in the Fortune 1000 list.

      That's potentially a lot of money available to push this kind of tech forward. I wonder what the ripple effect would be.

  11. skswave

    Tpm tee sed turn it on

    A little trusted computing goes a long way

    Tpm for bios integrity

    Virtual smart card for no logon

    Firewalls are not for access control

    Tee for android hardware auth

    SED is duhhh even on laptops

    Rivetz building some of the mobile parts

    1. rsrsps

      Re: Tpm tee sed turn it on

      just turning on the TPM isn't useful. you need to present the measurements to someone so that they can provide you with the means to unlock some resource that is needed (network access, a keychain, a specific secret, etc.).

      the only use case for TPM in, say, a laptop is to enable TPM-bound SED. And that has its own problems - SW installs must be carefully managed to ensure that at a version boundary the SED can still be unlocked even though the TPM has changed - you can do this if you are a vendor [this is how we do it at skyportsys] but good luck if your workload is 2008-or-before-windows or linux and you aren't running on a platform like ours.

  12. Anonymous Coward
    Anonymous Coward

    I can personally verify most of this stuff. Of course the system is not perfect. The custom chips business is a thing that I have been predicting for a number of years. The reason to publish is mostly to brag, but also because good security is in everyone's benefit. Laying out a roadmap for people who having gotten this far encourages others to implement these steps while they research better ones.

  13. rsrsps

    amusing

    Interesting. We do basically all of this as a service for normal mortal enterprises at Skyport Systems (all of the attestation, etc.).

    It's not easy to do especially because measurement is consistently not the most wonderful thing in the world to make robust given that the measurement/robustness of most BIOSes is pretty poor since no one is using it so the vendors mostly don't fix it. PCIe option roms, etc. need to be covered. A lot of vendors got caught with their pants down a few years back not even making the flash read-only after booting (and almost everyone screwed up update capsule validation!).

    I am really curious if Google actually fails closed or open or some hybrid (fail to honeypot) when they see a failure.

  14. EveryTime Silver badge

    I read that as a statement that they used to keep their keys in a commercial ARM-based micro controller, or perhaps a FPGA, on SMBus. They have recently switched to an embedded ARM core on their own semi-custom spin so that they are a little more resistant to physical attacks.

  15. inmypjs Silver badge

    Whoopy fucking Do

    You would think the assholes might be able offer an encryption option in the built in android backup to their cloud.

    How wonderful Google trust no one while expecting everyone to trust them - frankly just fuck Google.

  16. Paul Smith

    Apart from the custom security chips and fitting them to all(?) their servers, (more details would be welcome here!) they seem to be doing exactly the same as any other reasonably large enterprise. I would be interested in knowing the quality and thoroughness of the implementation, which tends to vary in organizations I have been involved with.

  17. Adam 1 Silver badge

    > These requirements limit the ability of an insider or adversary to make malicious modifications to source code and also provide a forensic trail from a service back to its source.

    So they trust the compiler then?

  18. dbtx Bronze badge

    the piss, anybody? Nobody?

    Well then I'll take it:

    Hope Yahoo! is also reading. Not that it will really help.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019