Google's Security Information
Name
Course
Professor
Institution’s Name
Date
Google’s Strategic Information Security 2
Abstract
information systems. In this paper, the issues that Google has defined and addressed in order to
establish an effective information security strategy are critically evaluated. These are risk
control, protection mechanisms, personnel and security, law and ethics, and PRTG Network
Monitor. The analysis of these issues reveals how Google has achieved a successful
mindset that is propelled by the desire for service availability.
Google employs five risk control strategies. They are defense, transferal, mitigation, acceptance,
and termination. Additionally, a number of protection mechanisms are used to support a platform
used by millions of people and organizations including Google itself to operate their businesses
on products and technologies offered by the organization. From this analysis, it is seen that
Google has put in place enough practices and controls to ensure that customer information is
secure. On the other hand, Google, in its attempt to ensure customer satisfaction, has put in place
effective privacy and security plans, which include ensuring personnel security through
background checks, and putting in place regulations, laws, and ethics that its employees have to
follow. From this study, insights into ensuring confidentiality, availability, and integration of
Introduction
The new emphasis on physical security due to terrorist threat has led to increased
professionals should emphasize the wider role of information security in their organizations’
strategy (Chow et al. 2009). Strategic information security integrates the significance of viable
security policy with the company’s strategic objectives (Bulgurcu, Cavusoglu, and Benbasat
2010; CART n.d.). It offers management and IT professionals insights into matters
surrounding the goals of safeguarding critical information assets. Its plan positions a business
to accept, transfer, mitigate, or avoid information risk related to technologies, processes, and
people. Moreover, an established strategy assists the firm to effectively protect information’s
availability, integrity, and confidentiality. An effective plan has many benefits and can provide a
and shareholders, sustaining the reputation of the business, avoiding a damaging security
incident, and complying with industry standards (CART n.d.). This report focuses on Google’s
strategic information security. The company uses cloud computing to provide efficient and
familiar services and products for personal and business settings. These services allow
storage resources, memory, and CPU to be shared and used by several users while providing
security benefits. While focusing on Google, the paper will first describe the strategy options,
which are employed to control risk. Second, Google’s protection mechanisms, such as
authorization, authentication, and biometric access control, will be examined. Other security
issues that the report will focus on are personnel and security, as well as the law and
ethics, including the current laws and regulations in Google. Finally, the paper will review the
Controlling Risk
There are a number of strategy options which are used to control risks by Google. They
are defense, transferral, mitigation, acceptance, and termination. The term defence refers to a
scenario in which safeguards are applied in order to eliminate or reduce the magnitude of any
present uncontrolled risk. In case a risk is shifted to other areas or outside entities, this is referred
to as transferral (Navarro 2001). Mitigation is when measures are taken to reduce the impact on
information assets in the event that a vulnerability in Google’s systems is successfully exploited by an
attacker. At times, there are risks that are left uncontrolled. However, the corporation
understands and acknowledges the risk that results from this inaction. This is referred to as
acceptance. Finally, termination is a risk control strategy whereby a certain information asset may
be removed from the operating environment of the organization. These strategies are
explained in more detail below.
The defense strategy aims at preventing an attacker from exploiting the vulnerability for
which protection is required. Google applies a combination of physical and logical methods to
provide protection as a strategy of defense. Defence in depth, which refers to the application of several
layers of defensive precautions, has been put in place by Google’s network security. These layers are
meant to defend the network perimeter from any possible external attack (Whitman and Mattord
2011). As a result, only those services and protocols that satisfy Google’s security requirements
can traverse its network. All unauthorised packets are thus dropped. Moreover, network
segregation is enforced using ACL technology and standard firewalls. To add to this, software
engineers on the Google Security Team work together with other engineers to develop and vet
reusable components that are meant to help software projects avoid certain vulnerabilities. A
good example is database access layers that are designed to be robust against query-language
injection vulnerabilities, and HTML templating frameworks that bear built-in defenses to protect from
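The following is an added example, not Google's own code, of what such a reusable component looks like: a small database access layer in which callers never assemble SQL text, shown next to the unsafe string-splicing pattern it replaces, plus a rendering helper that escapes HTML by default in the way the templating frameworks mentioned above do. The table, rows and the hostile input are constructed for the demonstration; `UserRepository`, `find_user_unsafe` and `render_greeting` are names chosen here.

```python
"""Added example (not Google's code): an injection-resistant database access
layer beside the unsafe pattern it replaces, and an HTML helper that escapes
output by default. All data is constructed for the demonstration."""
import html
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    # Constructed in-memory table standing in for an internal user directory.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, username: str):
    # Anti-pattern: the caller's string is spliced into the query text, so the
    # input can change the structure of the query rather than only its data.
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


class UserRepository:
    """Access layer: every caller-supplied value is a bound parameter."""

    def __init__(self, conn):
        self._conn = conn

    def find_by_username(self, username: str):
        # The placeholder fixes the query structure; the driver passes the
        # value separately, so quote characters in `username` stay data.
        return self._conn.execute(
            "SELECT username, email FROM users WHERE username = ?", (username,)
        ).fetchall()

    def find_by_prefix(self, prefix: str):
        # LIKE patterns are bound too, with wildcard characters escaped so the
        # caller cannot widen the match beyond a literal prefix.
        escaped = prefix.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
        return self._conn.execute(
            "SELECT username, email FROM users WHERE username LIKE ? ESCAPE '\\'",
            (escaped + "%",),
        ).fetchall()


def render_greeting(username: str) -> str:
    # Escaping on by default: markup inside user data is rendered as text,
    # which is the "built-in defense" a templating framework provides.
    return f"<p>Hello, {html.escape(username, quote=True)}</p>"


def demo():
    conn = make_demo_db()
    repo = UserRepository(conn)
    hostile = "' OR '1'='1"  # constructed input that closes the quoted literal
    return {
        "unsafe_rows": len(find_user_unsafe(conn, hostile)),  # 2: whole table returned
        "safe_rows": len(repo.find_by_username(hostile)),     # 0: treated as a name
        "normal": repo.find_by_username("alice"),
        "prefix": repo.find_by_prefix("%"),                   # wildcard escaped: []
        "html": render_greeting("<b>bob</b>"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the access layer is that the only way for application code to query the table is through methods whose SQL is fixed at design time, so the review effort concentrates on one component instead of every call site.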
With respect to transferral, or sharing of responsibility for a given risk with a third party,
Google has entered into contracts with other organizations in addition to joint venture structures
or partnerships. The Information Security Team at Google works publicly with security
communities outside of the organization. Maintainers and software vendors also work closely
with this team, making it possible to identify any vulnerability. The staff at the organization are
trained to handle evidence and forensics in preparation for an event. Proprietary tools and third
parties such as insurers are also involved. Where necessary, Google contracts third-party security
firms for consultation to complement and validate its in-house security review (Hughes 2010).
Mitigation strategies have been put in place by Google to reduce the damage that can be
caused by a vulnerability. Evaluation of incident response plans is carried out for certain areas, for
example, those in which sensitive customer information is stored. The organization’s security
team is available 24 hours a day. When any information security incident is reported, the staff
prioritize it according to its severity. Post-mortem investigations are conducted to determine the
cause of events, identify trends across multiple events, and come up with better strategies to prevent
recurrence of the incidents. Most importantly, a set of geographically distributed data centers
is operated by Google. They are meant to ensure continued provision of services in
case of any incident within a given region. Swift failovers are supported by high-speed connections
between these centers. The centers’ management is also distributed so as to ensure system
administration coverage around the clock. Additionally, Google runs a business
continuity plan in Mountain View, California that accounts for all major disasters, with the
assumption that services and people could be unavailable for as many as 30 days (Anuar,
Papadaki, Furnell and Clarke 2014). Thus, there are continued operations of the organization’s
Google recognizes the importance of being abreast of new attack patterns, threats,
infrastructure, mitigation practices, guidelines, and best practices among others. However, the
organization may choose not to control a given risk especially when the cost involved to protect
an asset far exceeds that of replacing it (Anderson and Moore 2006). At other times, the
probability of risk occurrence is very low for an asset whose priority is low. In such case,
acceptance equals negligence. Finally, the organization may employ termination to control a
given risk. It involves removing an information asset from serving in the organization and varies
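As an added example, not Google's own process, the following risk-register helper applies the five treatment options described in this section (defense, transferral, mitigation, acceptance, termination) to constructed assets. The two acceptance conditions come from the text; the order of the checks, the factor of 2 in the cost comparison, the probability and priority cut-offs, and the defense-versus-mitigation rule based on expected loss are assumptions made for the demonstration.

```python
"""Added example, not Google's own process: selecting a risk treatment for
each asset in a register. Thresholds and check order are assumptions."""
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    replacement_cost: float     # cost to replace the asset if it is lost
    control_cost: float         # cost of a safeguard that would remove the risk
    probability: float          # assumed annual likelihood, 0.0 to 1.0
    priority: int               # 1 = low importance, 5 = critical
    still_needed: bool = True   # False: the asset can be retired from service
    transferable: bool = False  # True: an insurer or partner can carry the loss


def select_strategy(r: Risk) -> str:
    """Return one of: defense, transferral, mitigation, acceptance, termination."""
    if not r.still_needed:
        # Termination: remove the asset from the operating environment.
        return "termination"
    if r.control_cost > 2 * r.replacement_cost:
        # Acceptance, first case in the text: protecting the asset costs far
        # more than replacing it (the factor of 2 is an assumed threshold).
        return "acceptance"
    if r.probability < 0.01 and r.priority <= 2:
        # Acceptance, second case: very low likelihood on a low-priority asset.
        return "acceptance"
    if r.transferable:
        # Transferral: share the residual loss with a third party.
        return "transferral"
    expected_loss = r.probability * r.replacement_cost
    if r.control_cost <= expected_loss:
        # Defense (assumed rule): the safeguard costs less than the expected
        # annual loss, so eliminate the risk outright.
        return "defense"
    # Mitigation: the safeguard is not cost-justified, so reduce the impact
    # instead (response plans, failover, backups).
    return "mitigation"


def treat_register(risks):
    """Map each asset in a register to its selected treatment."""
    return {r.asset: select_strategy(r) for r in risks}


# Constructed register used as sample input.
SAMPLE_REGISTER = [
    Risk("public web frontend", 500_000, 40_000, 0.30, 5),
    Risk("legacy FTP server", 5_000, 1_000, 0.20, 2, still_needed=False),
    Risk("lobby kiosk", 1_000, 5_000, 0.05, 1),
    Risk("office printer", 800, 500, 0.005, 1),
    Risk("customer data store", 2_000_000, 900_000, 0.05, 5, transferable=True),
    Risk("internal wiki", 50_000, 20_000, 0.10, 3),
]

if __name__ == "__main__":
    for asset, strategy in treat_register(SAMPLE_REGISTER).items():
        print(f"{asset:22} -> {strategy}")
```

Running the register shows one asset landing in each treatment and the "lobby kiosk" and "office printer" accepted for the two different reasons the text gives, which makes the distinction between cost-driven and likelihood-driven acceptance visible in the output.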
Protection Mechanisms
control approaches. They include authentication, authorization, accounting, and the use of
biometric access controls. Google makes it a must for every employee to use a unique User ID.
This is termed an authentication control. The account used identifies the activity of each
individual on the organization’s network, such as access to customer or employee data. In case
passphrases or passwords are used for authentication, Google’s password policies are enforced.
Two-factor authentication mechanisms are widely used by Google and include one-time
On the other hand, authorization controls work such that access levels and rights are
granted based on the role and function of an employee. In this scenario, the concepts of need-to-
know and least-privilege are used to match defined responsibilities and access privileges. As a
matter of fact, only a limited number of default permissions to company resources are granted to
Google employees. Access to some more resources is granted based on specific job function.
Any request for accessing additional resources must follow a formal process that involves
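The following added example, not Google's own system, models the properties described in the two paragraphs above: one unique user ID per employee, a password policy enforced at account creation, a small set of default permissions per job function, default deny for anything else, a formal request-and-approval step for additional access that cannot be self-approved, and an activity log in which every event is attributed to one account. The roles, permission names and the 12-character password rule are constructed; `AccessControl` and its methods are names chosen here.

```python
"""Added example, not Google's system: authentication and least-privilege
authorization with a formal approval step. Roles and rules are constructed."""
from dataclasses import dataclass, field

# Constructed default permissions per job function: the need-to-know baseline.
ROLE_DEFAULTS = {
    "engineer": {"read:source", "build:ci"},
    "support": {"read:ticket", "write:ticket"},
    "manager": {"read:ticket", "approve:access"},
}
MIN_PASSWORD_LEN = 12  # assumed password-policy value


@dataclass
class Account:
    user_id: str
    role: str
    extra: set = field(default_factory=set)  # approved grants beyond the role


class AccessControl:
    def __init__(self):
        self.accounts = {}
        self.pending = {}   # request id -> (user_id, permission)
        self.audit = []     # (user_id, action, detail): every event names a person
        self._next_req = 1

    def create_account(self, user_id, role, password):
        if user_id in self.accounts:
            raise ValueError("user IDs must be unique")
        if role not in ROLE_DEFAULTS:
            raise ValueError(f"unknown role {role}")
        if len(password) < MIN_PASSWORD_LEN or password == password.lower():
            raise ValueError("password policy: at least 12 characters, mixed case")
        self.accounts[user_id] = Account(user_id, role)

    def permissions(self, user_id):
        acct = self.accounts[user_id]
        return ROLE_DEFAULTS[acct.role] | acct.extra

    def check(self, user_id, permission):
        # Default deny: only role defaults plus approved grants pass.
        allowed = permission in self.permissions(user_id)
        self.audit.append((user_id, "allow" if allowed else "deny", permission))
        return allowed

    def request_access(self, user_id, permission):
        # The formal process starts here; nothing changes until approval.
        req_id = f"req-{self._next_req}"
        self._next_req += 1
        self.pending[req_id] = (user_id, permission)
        self.audit.append((user_id, "request", permission))
        return req_id

    def approve(self, approver_id, req_id):
        user_id, permission = self.pending[req_id]
        if approver_id == user_id:
            raise PermissionError("requests cannot be self-approved")
        if not self.check(approver_id, "approve:access"):
            raise PermissionError("approver lacks approve:access")
        del self.pending[req_id]
        self.accounts[user_id].extra.add(permission)
        self.audit.append((approver_id, "approve", f"{user_id}:{permission}"))

    def activity_of(self, user_id):
        # One account per person, so the log attributes each action to an individual.
        return [(action, detail) for (uid, action, detail) in self.audit if uid == user_id]


def demo():
    ac = AccessControl()
    ac.create_account("u1001", "engineer", "Correct-Horse-Battery")
    ac.create_account("u2002", "manager", "Staple-Orange-Kite")
    before = ac.check("u1001", "read:customer_data")   # False: not a default
    req = ac.request_access("u1001", "read:customer_data")
    ac.approve("u2002", req)
    after = ac.check("u1001", "read:customer_data")    # True: approved grant
    return before, after, ac.activity_of("u1001")


if __name__ == "__main__":
    print(demo())
```

The audit list is what makes the "account identifies the activity of each individual" property real: because IDs are unique and approvals are recorded under the approver's ID, a later review can reconstruct who asked for, who granted, and who used a given permission.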
Google’s data centers employ differing physical security measures given that they
are geographically distributed (Whitman 2004). Thus, the protection mechanism in these
facilities depends on local conditions such as regional risks and building locations. They include
exterior and interior cameras, alarm systems, and electronic card-access control systems. Perimeter
fences, biometrics, and thermal imaging cameras are additional security controls that could be
On the other hand, the use of firewalls is one of the mechanisms that provides a layered
approach within the security environment, so that an attacker who bypasses the first layer is
blocked by another (Hughes 2010). Given that the level of security provided
by a given firewall is dependent on the policies configured on it, Google employs a number of
firewall technologies. They include application-level firewalls, packet-filtering firewalls, stateful
A hardware firewall makes it possible to use a single firewall for all machines in an
organization’s physical network. Unfortunately, all these machines on the network become
vulnerable after that one firewall has been compromised. A software firewall, which provides the
second security layer, protects a network from worms, malware, email attachments, and viruses.
Additionally, it can easily be customized based on specific network requirements and thus is
widely used by Google. On the other hand, a packet-filtering firewall carries out filtering at the
transport or network layer based on details contained in every packet’s TCP/IP header. Based on
this information, packets are either accepted and routed along until they get to their destination or
dropped. On the other hand, a proxy firewall filters a message on the basis of the information it
contains.
whether a packet is to be transmitted or not. They serve as intermediaries for email, HTTP, and
FTP among others (Hughes 2010). They serve to verify a given communication by
requesting authentication before packets may pass. They are important when protecting
vulnerable services on secured systems. Unfortunately, they are rarely used by Google since they
exhibit slower performance, limited application awareness, and require proxies for every
application. While circuit-level gateways operate at the session layer of the OSI model (or the
corresponding layer of the TCP/IP model), stateful inspection firewalls permit or deny packets on the basis of given rules. Since
this firewall tracks each session’s state to dynamically close ports as a given session may require,
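The difference between packet filtering on header fields alone and stateful inspection is easiest to see in a simulation. The following is an added example, not Google's configuration: a stateless decision function that can only inspect the current packet's header sits beside a stateful filter that remembers sessions, admits only packets belonging to one, and forgets the session when it is torn down, so the port is closed again dynamically. The internal prefix, the single allowed inbound service, addresses and ports are constructed; `Packet`, `stateless_decide` and `StatefulFilter` are names chosen here.

```python
"""Added example, not Google's configuration: stateless header matching
versus stateful inspection on constructed traffic."""
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."   # assumed internal network
ALLOWED_INBOUND = {443}       # assumed: only HTTPS may be reached from outside


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    flags: frozenset = frozenset()   # TCP flags present, e.g. {"SYN"}


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def stateless_decide(pkt: Packet) -> bool:
    """Packet filtering: look only at this packet's header fields."""
    if pkt.proto != "tcp":
        return False
    if is_internal(pkt.src):
        return True   # outbound traffic is allowed
    # Inbound: a new connection to an allowed service, or something that
    # looks like a reply to one. Without memory, "looks like" is the limit.
    return pkt.dport in ALLOWED_INBOUND or pkt.sport in ALLOWED_INBOUND


class StatefulFilter:
    """Stateful inspection: admit packets that belong to a known session and
    drop the session entry when the session closes."""

    def __init__(self):
        self.sessions = set()   # (initiator, iport, responder, rport)
        self.log = []

    def _log(self, pkt, verdict, reason):
        self.log.append((pkt.src, pkt.sport, pkt.dst, pkt.dport, verdict, reason))
        return verdict

    def handle(self, pkt: Packet) -> bool:
        if pkt.proto != "tcp":
            return self._log(pkt, False, "protocol not permitted")
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.sessions or rev in self.sessions:
            if pkt.flags & {"FIN", "RST"}:
                # Session teardown: the port is closed again dynamically.
                self.sessions.discard(fwd)
                self.sessions.discard(rev)
                return self._log(pkt, True, "session closed")
            return self._log(pkt, True, "established session")
        if pkt.flags == {"SYN"}:
            if is_internal(pkt.src) and not is_internal(pkt.dst):
                self.sessions.add(fwd)
                return self._log(pkt, True, "new outbound session")
            if (not is_internal(pkt.src) and is_internal(pkt.dst)
                    and pkt.dport in ALLOWED_INBOUND):
                self.sessions.add(fwd)
                return self._log(pkt, True, "new inbound session to allowed service")
        # Default deny: unauthorized packets are dropped.
        return self._log(pkt, False, "no matching rule or session")


def demo():
    fw = StatefulFilter()
    client, server, outsider = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    syn = Packet(client, server, "tcp", 51000, 443, frozenset({"SYN"}))
    synack = Packet(server, client, "tcp", 443, 51000, frozenset({"SYN", "ACK"}))
    data = Packet(server, client, "tcp", 443, 51000, frozenset({"ACK"}))
    fin = Packet(client, server, "tcp", 51000, 443, frozenset({"FIN", "ACK"}))
    late = Packet(server, client, "tcp", 443, 51000, frozenset({"ACK"}))
    # No session exists for these two; the first merely resembles a reply.
    lookalike = Packet(outsider, client, "tcp", 443, 51001, frozenset({"ACK"}))
    unsolicited = Packet(outsider, client, "tcp", 40000, 22, frozenset({"SYN"}))
    return {
        "handshake": [fw.handle(syn), fw.handle(synack), fw.handle(data)],
        "after_fin": [fw.handle(fin), fw.handle(late)],
        "lookalike": (stateless_decide(lookalike), fw.handle(lookalike)),
        "unsolicited": (stateless_decide(unsolicited), fw.handle(unsolicited)),
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

The "lookalike" case is the one that separates the two designs: the stateless rule has to admit anything with a source port of 443 so that genuine replies reach internal clients, whereas the stateful filter admits only replies to a session it saw being opened, and after the FIN even the real server's late packet is dropped.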
Personnel security can be defined as a system of procedures and policies that seek to
manage the risk of staff, whether employed on contract, temporarily, or permanently, exploiting,
or intending to exploit, their legitimate access to business premises or assets for purposes
which are not authorized (Martin 2010). Despite the fact that many organizations consider
personnel security as something that is dealt with during the recruitment process, it is an area that
should be continually maintained throughout the time a member of staff is employed (Chow et
al.). This includes a number of activities, such as robust pre-employment screening, a strong
security culture, clear lines of communication, employee welfare, and effective line management
(CART n.d.). In addition, it needs to incorporate a formal process for managing staff who leave
the company. When consistently applied, personnel security measures assist in building a hugely
beneficial culture at all levels of the organization and reduce operational vulnerabilities. Effective
personnel security aids firms to detect suspicious behavior and resolve security issues upon
emergence, and minimizes the chances of staff becoming unreliable after their employment. It also
At Google Technologies, employees are expected to conduct themselves in a way that is
in line with the organization’s guidelines regarding professional standards, appropriate usage,
business ethics, and confidentiality (Martin 2010). After the employees have been hired, it will
be very important for the company to verify every person’s education as well as previous
employment, and conduct both external and internal reference checks. In cases where statutory
regulations or labor laws permit, Google may also carry out security, immigration, credit, and
criminal checks in order to further ascertain the employee’s background. However, it will be
important to note that the degree of background checks should be dependent on the position at
hand.
as well as compliance with policies at the Employee Handbook of Google. The privacy and
confidentiality of customer data and information should be emphasized in the handbook. The
same should be done during new staff orientation. As part of new hire orientation, employees
should be provided with security training. Moreover, Google needs to ensure that every
employee reads, understands, and takes a training course regarding its Code of Conduct, which
details the company’s expectation that all employees will conduct business in a manner that is
lawful, ethical, and with respect, as well as with integrity for one another and the company’s
Based on an employee’s job role, further security policies and training could be applied
(Hoover 2013). Google employees that handle customer information, for example, are required
consumer data outlines the appropriate use of data alongside business processes, and the
the company should offer confidential reporting techniques in order to make sure that employees
are able to anonymously report any ethics violation that they might come across.
There is a fine line of difference between law and ethics (Kumar n.d.). Law
is defined as the systematic set of universally accepted regulations and rules created by an
appropriate authority, such as a government, which may be international, national, or regional.
On the other hand, ethics refers to the principles that guide a society or an individual, created
with the objective of deciding what is either good or bad. More importantly, the definition of law
incorporates terms such as consistent, universal, published, accepted, and enforced.
However, ethics cannot be compelled and therefore is never enforced as law. Contrary to
the law, ethics need not be universal or published. In fact, it relies entirely on the individual
and the choice of the person in relation to their interaction with other members of society.
Google’s determination and commitment to security should be clearly outlined in both its
Security Philosophy and its Code of Conduct (Kumar n.d.). These policies cover a broad array of
security problems and topics that range from general policies, which all employees have to
comply with, such as physical, data, and account security, to more specialized policies,
which cover internal systems and applications that Google’s employees are required to abide by.
Besides, the security policies are reviewed and updated regularly. In addition, staff are required
to receive regular security training on security topics, namely how to label and handle sensitive
data, working from remote locations safely, and the safe use of the Internet. Further training is
periodically offered regarding policy topics of interest, such as in areas of emerging technology,
It is primarily the responsibility of the customer to respond to law enforcement data
requests. Nevertheless, Google can receive requests directly from courts and governments all over
the world regarding how an individual has utilized the organization’s services (Bulgurcu et al.).
Google takes measures to protect consumers’ privacy and restrict excessive requests while
ensuring its legal obligations are met. Respect for the security and privacy of data stored with the
company remains its priority as it complies with legal requests. Upon receipt of such
requests, the company reviews the request to ensure it satisfies Google’s policies and legal
requesting firm, and given under appropriate law. It is the company’s policy to inform customers
regarding the requests for their data unless prevented by a court order or law.
It is the company’s policy to take into account the security implications and properties of the
services and systems provided or used by Google throughout the whole project lifecycle.
Google’s “Services, Systems, and Applications Security Policy” calls for individuals and teams to
implement appropriate security measures in services, systems, and applications being developed,
commensurate with identified security concerns and risks (Kumar n.d.). The policy outlines that
the company maintains a security team chartered with offering security related risk-assessment
and guidance.
Network monitoring is a very critical instrument that is used to assure the availability and
n.d.). In addition, an efficient network monitoring tool greatly assists in optimizing both
bandwidth and hardware based on one’s needs through providing an analysis of long-term
monitoring data. On the other hand, PRTG Network Monitor provides an extensive monitoring
solution that analyses various aspects, such as monitoring network usage, checking
monitor the home network using a number of probes. It automatically creates the “Local Probe.”
It is also possible to add more probes in order to monitor VPNs and remote sites or to distribute
monitoring load.
Having installed and used the software so as to monitor the home network, the report
revealed a number of issues or limitations in my system, which this paper has reviewed. While
the network indicated some strength, it had a number of issues associated with it. Regarding the
system’s ‘Local Probe,’ System Health, Core Health, Probe Health of the network were all in
good condition. However, the network’s Disk Free had some issues since 6% (Free Space D) is
below the 10% error limit in Free Space D. Moreover, Common SaaS Check was down as 0%
The Network Infrastructure, on the other hand, despite showing some good security
features, also indicated some limitations. To begin with, HTTP had some limitation since the host
was never found, something that indicates that the key name, such as address and name, was not
found. In addition, the SSL Certificate Center failed to establish a secure connection, as there was
‘No Secure Protocol Available’ in Security Rating. Similarly, the SSL Security Check and SSL
Security Sensor were all down as there was No Secure Protocol Available and failure to establish
secure connection respectively. Furthermore, IMAP was also down since Connection Closed
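To show how a probe turns raw readings into the Up/Down states reported above, here is an added example that is not PRTG's code and not the author's report: a small sensor evaluator covering the probe-health, disk-free, SaaS-availability, HTTP, SSL and IMAP sensor types from the Local Probe and Network Infrastructure groups. The sensor names and the 10% disk error limit follow the report; the readings, the 20% warning limit and the rule that only TLS 1.2 and 1.3 count as secure protocols are constructed assumptions, and `Sensor`, `run_probe` and the evaluator functions are names chosen here.

```python
"""Added example, not PRTG's code: evaluating constructed sensor readings
into Up/Warning/Down states as a monitoring probe would."""
from dataclasses import dataclass
from typing import Callable, Optional

SECURE_TLS = {"TLSv1.2", "TLSv1.3"}   # protocols counted as secure (assumed policy)


@dataclass
class Sensor:
    name: str
    group: str
    evaluate: Callable[[], tuple]   # returns (state, message)


def percent_free(free_pct: float, error_limit: float = 10.0, warning_limit: float = 20.0):
    """Disk Free sensor: below the error limit is Down, below the warning
    limit is Warning. 10% comes from the report; 20% is assumed."""
    if free_pct < error_limit:
        return ("Down", f"{free_pct:.0f}% is below the {error_limit:.0f}% error limit")
    if free_pct < warning_limit:
        return ("Warning", f"{free_pct:.0f}% is below the {warning_limit:.0f}% warning limit")
    return ("Up", f"{free_pct:.0f}% free")


def availability(up_pct: float):
    """SaaS check: a service at 0% availability is Down."""
    return ("Down", "0% available") if up_pct == 0 else ("Up", f"{up_pct:.0f}% available")


def tls_rating(offered_protocols):
    """SSL check: with no secure protocol offered, no secure connection is possible."""
    secure = SECURE_TLS & set(offered_protocols)
    if not secure:
        return ("Down", "No Secure Protocol Available")
    return ("Up", "secure protocols: " + ", ".join(sorted(secure)))


def connection(result: Optional[str]):
    """HTTP/IMAP style sensor: any error string means the service is Down."""
    return ("Down", result) if result else ("Up", "connection OK")


def run_probe(sensors):
    """Evaluate every sensor; return all states plus the sorted list of Down sensors."""
    results = {s.name: s.evaluate() for s in sensors}
    down = sorted(name for name, (state, _) in results.items() if state == "Down")
    return results, down


# Constructed readings that reproduce the findings reported above.
LOCAL_PROBE = [
    Sensor("Probe Health", "Local Probe", lambda: ("Up", "OK")),
    Sensor("Disk Free (D:)", "Local Probe", lambda: percent_free(6.0)),
    Sensor("Common SaaS Check", "Local Probe", lambda: availability(0.0)),
    Sensor("HTTP", "Network Infrastructure", lambda: connection("host not found")),
    Sensor("SSL Security Check", "Network Infrastructure", lambda: tls_rating(["SSLv3"])),
    Sensor("IMAP", "Network Infrastructure", lambda: connection("Connection Closed")),
]

if __name__ == "__main__":
    results, down = run_probe(LOCAL_PROBE)
    for name, (state, msg) in results.items():
        print(f"{state:8} {name}: {msg}")
    print("Down sensors:", down)
```

Separating each sensor's evaluation rule from the probe loop is what lets a warning level sit between Up and Down: the disk sensor at 6% is Down, but the same function reports Warning at 15%, which is the signal an operator would want before the error limit is reached.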
Conclusion
Google employs five risk control strategies, namely defense, transferal, mitigation,
support a platform used by millions of people and organizations including Google itself to
operate their businesses on products and technologies offered by the organization. From this
analysis, it is seen that Google has put in place enough practices and controls to ensure that
viable security policy with the company’s strategic objectives. Google, in its attempt to ensure
customer satisfaction, has put in place effective privacy and security plans, such as controlling
risk, using protection mechanisms, ensuring personnel security through background checks, and
putting in place regulations, laws, and ethics that its employees have to follow. As much as
well. Using PRTG Network Monitor, the system’s efficiency and performance can be greatly
enhanced.
References
Anderson, R. and Moore, T., 2006. The economics of information security. Science, 314(5799),
pp.610-613.
Anuar, N.B., Papadaki, M., Furnell, S. and Clarke, N., 2014. A response selection model for
Bulgurcu, B., Cavusoglu, H. and Benbasat, I., 2010. Information security policy compliance: an
Chow, R., Golle, P., Jakobsson, M., Shi, E., Staddon, J., Masuoka, R. and Molina, J., 2009,
control. In Proceedings of the 2009 ACM workshop on Cloud computing security (pp. 85-
90). ACM.
Conti, G., 2008. Googling security: how much does Google know about you?. Pearson
Education.
Hoover, J.N., 2013. Compliance in the ether: cloud computing, data security and business
Hughes, C.R., 2010. Google and the great firewall. Survival, 52(2), pp.19-26.
Kumar, P.V., n.d. An Analysis on Law vs. Ethics and Morals in a Changing Society.
Martin, T.D., 2010. Hey-You-Get off of My Cloud: Defining and Protecting the Metes and
Bounds of Privacy, Security, and Property in Cloud Computing. J. Pat. & Trademark Off.
Navarro, L., 2001. Information security risks and managed security service. Information security
Paessler.com., n.d. PRTG Network Monitor - Powerful Network Monitoring Software. [online]
Whitman, M.E., 2004. In defense of the realm: understanding the threats to information security.
Whitman, M.E. and Mattord, H.J., 2011. Principles of information security. Cengage Learning.