Google’s Strategic Information Security 1

GOOGLE’S STRATEGIC INFORMATION SECURITY

Name

Course

Professor

Institution’s Name

City and State

Date
 Google’s Strategic Information Security 2

Google’s Strategic Information Security

Abstract

Information security strategy is central to both organizational survival as well as protection of

information systems. In this paper, issues that Google has defined and addressed in order to

establish an information security strategy that is effective are critically evaluated. These are risk

control, protection mechanisms, personnel and security, law and ethics, and PRT network

monitor. Through analysis of these issues reveals how Google firm has achieved successful

management of information security on both external and internal environment. A preventive

mindset that is propelled by the desire to services availability is revealed from this analysis.

Google employs five risk control strategies. They are defense, transferal, mitigation, acceptance,

and termination. Additionally, a number of protection mechanisms are used to support a platform

used by millions of people and organizations including Google itself to operate their businesses

on products and technologies offered by the organization. From this analysis, it is seen that

Google has put in place enough practices and controls to ensure that customer information is

secure. On the other hand, Google, in its attempt to ensure customer satisfaction, has put in place

effective privacy and security plans, which include ensuring personnel security through

background checks, and putting in place regulations, laws, and ethics that its employees have to

follow. From this study, insights into ensuring confidentiality, availability, and integration of

information assets at Google is obtained.

Introduction

The new emphasis on physical security due to terrorist threat has led to increased

organizational focus to protect information assets (Conti 2008).To command attention, IT

professionals should emphasize the wider role of information security in their organizations’
 Google’s Strategic Information Security 3

strategy (Chow et al. 2009). Strategic information security integrates the significance of viable

security policy with the company’s strategic objectives (Bulgurcu, Cavusoglu, and Benbasat

2010; CART n.d.). It offers management and IT professionals with insights into matters

surrounding the goals of safeguardingcritical information assets. Its plan positions a business

toaccept, transfer, mitigate, or avoid information risk related to technologies, processes, and

people. Moreover, an established strategy assists the firm to effectively protect information’s

availability, integrity, and confidentiality. An effective plan has many benefits and can provide a

competitive advantage. They include supporting commitment to suppliers, partners, customers,

and shareholders, sustaining the reputation of the business, avoiding a damaging security

incident, and complying with industry standards (CART n.d.). This report focuses onGoogle’s

strategic information security. The company uses cloud computing to provide efficient and

familiar services and products for personal and business settings. These services allow

accessibility of data from Internet-capable devices. Cloud computing environment enables

storage resources, memory, and CPU to shared and used by several users while providing

security benefits. While focusing on Google, the paper will first describe the strategy options,

which are employed to control risk. Second, Google’s protection mechanisms, such as

authorization, authentication, and biometric access control, will be examined. Other security

issues that the report will focus on are personnel and security, as well as the law and

ethicsincluding the current laws and regulations in Google. Finally, the paper will review the

PRT Network Monitor.

Controlling Risk

There are a number of strategy options which are used to control risks by Google. They

are defense, transferral, mitigation, acceptance, and termination. The term defence refers to a
 Google’s Strategic Information Security 4

scenario in which safeguards are applied in order to eliminate or reduce the magnitude of any

present uncontrolled risk. In case a risk is shifted to other areas or outside entities, this is referred

to as transferral (Navarro 20111). Mitigation is when measures are taken to reduce impact on

information assets in the event that the vulnerability of Google is successfully exploited by an

attacker. At times, there are risks that are left uncontrolled. However, the corporation

understands and acknowledges the risk that results from this inaction. This is referred to as

acceptance. Finally, termination is a risk control strategy whereby certain information asset may

be removed from the operating environment of the organization. The above strategies are well

explained below.

The defense strategy aims at preventing an attacker from exploiting the vulnerability for

which protection is required. Google applies a combination of physical and logical methods to

avail protection as a strategy of defense. Defence in depth, which refers to application of several

layers of defensive precautions, have been put in place by Network Security Google. They are

meant to defend the network perimeter from any possible external attack (Whitman and Mattord

2011). As a result, only those services and protocols that satisfy Google’s security requirement

can traverse its network. All unauthorised packets are thus dropped. Moreover, network

segregation is enforced using ACL technology and standard firewall. To add to this, software

engineers at Google Security Team work together with other engineers to develop and vet

reusable components that are meant to assist software projects evade certain vulnerabilities. A

good example is database access layers that are designed to be robust against HTML templating

frameworks or query-language injection vulnerabilities and bear built-in defenses to protect from

cross-site scripting vulnerabilities (Whitmanand Mattord 2011).

 Google’s Strategic Information Security 5

With respect to transferral, or sharing of responsibility for a given risk with a third party,

Google has entered into contracts with other organizations in addition to joint venture structures

or partnerships. The Information Security Team at Google works publicly with security

communities outside of the organization. Maintainers and software vendors also work closely

with this team, making it possible to identify any vulnerability. The staffs at the organization are

trained to handle evidence and forensics in preparation for an event. Proprietary tools and third

parties such as insurers are also involved. Where necessary, Google contracts third party security

firms for consultation to complement and validate its in-house security review (Hughes 2010).

Mitigation strategies have been put in place by Google to reduce the damage that can be

caused by vulnerability. Evaluation of incident response plans is carried out for certain area, for

example, those in which sensitive customer information is stored. The organization’s security

team is available 24 hours in a day. When any information security incident is reported, the staffs

prioritize it according to the severity. Post-mortem investigations are conducted to dentine the

cause of events, trends in multiple events, and to come up with better strategies to prevent

recurrence of the incidents. Most importantly, a set of data centers that are geographically

distributed is operated by Google. They are meant to ensure continued provision of services in

case of any incident with a given region. Swift failovers are supported by high-speed connections

between these centers. The centers’ management is also distributed so as to ensure system

administration and clock coverage that is around the clock. Additionally, Google runs a business

continuity plan in Mountain View, California that accounts for all major disasters, with the

assumption that services and people could be unavailable for as many as 30 days (Anuar,

Papadaki, Furnell and Clarke 2014). Thus, there are continued operations of the organization’s

services to its customers.

 Google’s Strategic Information Security 6

Google recognizes the importance of being abreast of new attack patterns, threats,

infrastructure, mitigation practices, guidelines, and best practices among others. However, the

organization may choose not to control a given risk especially when the cost involved to protect

an asset far exceeds that of replacing it (Anderson and Moore 2006). At other times, the

probability of risk occurrence is very low for an asset whose priority is low. In such case,

acceptance equals negligence. Finally, the organization may employ termination to control a

given risk. It involves removing information asset from serving in the organization and varies

from equipment disposal, firing of employees, to discontinuing certain service previously

provided at the organization.

Protection Mechanisms

The protection mechanisms put in place by Google encompass a number of access

control approaches. They include authentication, authorization, accounting, and the use of

biometrics access controls. Google makes it a must for every employee to use a unique User ID.

This is termed as authentication controls. The account used identifies the activity of each

individual on the organizations network such as access to customer or employee data. Incase

passphrases or passwords are used for authentication, Google’s password policies are enforced.

Two-factor authentication mechanisms are widely used by Google and include one-time

password generators and certificates.

On the other hand, authorization controls work such that access levels and rights are

granted based on the role and function of an employee. In this scenario, the concepts of need-to-

know and least-privilege are used to match defined responsibilities and access privileges. As a

matter of fact, only a limited number of default permissions to company resources are granted to

Google employees. Access to some more resources is granted based on specific job function.
 Google’s Strategic Information Security 7

Any request for accessing additional resources must follow a formal process that involves

approval from a system or data owner, executives, or manager.

The Google’s data centers employ differing physical security measures given that they

are geographically distributed (Whitman 2004). Thus, the protection mechanism in these

facilities depends on local conditions such as regional risks and building locations. They include

exterior and interior cameras, alarm systems, and electron card-access control systems. Perimeter

fences, biometrics, and thermal imaging cameras are additional security controls that could be

employed on the basis of a risk.

On the other hand, the use of firewall is one of the mechanisms that provided a layered

approach within the environment of the security so that an attacker is blocker by another layer in

the event that he bypasses the first one (Hughes 2010). Given that the level of security provided

by a given firewall is dependent on the policies configured on it, Google employs a number of

firewall technologies. They include application level firewalls, packet filtering firewall, stateful

inspection, dynamic filtering, software, hardware, circuit-level, and proxy firewall.

Hardware firewall makes it possible to use a single firewall for all machines in an

organization’s physical network. Unfortunately, all these machines on the network become

vulnerable after one firewall has been compromised. Software firewall, which provides the

second security layer, protects a network from worms, malware, email attachments, and viruses.

Additionally, it can easily be customized based on specific network requirements and thus is

widely used by Google. On the other hand, packet-filtering firewall carries out filtering at

transport or network layer based on details contained in every packet’s TCP/IP header. Based on

this information, packets are either accepted and routed along until they get to their destination or
 Google’s Strategic Information Security 8

dropped. On the other hand, proxy firewall filters a message on the basis of the information it

contains.

Application level firewalls investigate application level information so as to determine

whether a packet it to be transmitted or not. They serve as intermediary for email, HTTP, and

FTP among others (Hughes 2010). They serve to verify a given communication through

requesting for authentication for passage of packets. They are important when protecting

vulnerable services on secured systems. Unfortunately, they are rarely used by Google since they

exhibit slower performance, limit application awareness, and require proxies for every

application. While circuit-level gateways operate at session layer of TCP layers or OSI model of

TCP/IP, stateful inspection firewalls permit or deny packets on the basis of given rules. Since

this firewall tracks each session’ state to dynamically close ports as a given session may require,

it is widely used by Google.

Personnel and Security

Personnel security can be defined as a system of procedures and policies that seek to

manage the staff’s risks, who are employed on contract, temporarily, or permanently, exploiting,

or intending to exploit, their legitimate access to a business premises or assets for purposes,

which are not authorized (Martin 2010). Despite the fact thatmany organizations consider

personnel security, as something that is dealt with at the recruitment process, it is an area that

should be continually maintained throughout the time a member of staff’s is employed (Chow et

al.). This includes a number of activities, such as robust pre-employment screening,a strong

security culture, clear lines of communication, employee welfare, and effective line management

(CART n.d.). In addition, it needs to incorporate a formal process for managing staff that leave

the company. When consistently applied, personnel security measures assist in building a hugely
 Google’s Strategic Information Security 9

beneficial culture at all organization’s levels and reduce operational vulnerabilities. Effective

security personnel aids firms to detect suspicious behavior and resolve security issues upon

emergence, and minimize staff’s chances of becoming unreliable after their employment. It also

helps to employ reliable people.

At Google Technologies, employees are expected to carry out themselves in a way that is

in line with the organization’s guidelines regarding professional standards, appropriate usage,

business ethics, and confidentiality (Martin 2010). After the employees have been hired, it will

be very important for the company to verify every person’s education as well as previous

employment, and conduct both external and internal reference checks. In cases where statutory

regulations or labor laws permit, Google may also carry out security, immigration, credit, and

criminal checks in order to further ascertain the employee’s background. However, it will be

important to note that the degree of background checks should be dependent on the position at

hand.

Upon acceptance of employment at the organization, every staff is needed to perform a

confidentiality agreement (Hoover 2013). In addition, employees have to acknowledge receipt of

as well as compliance with policies at the Employee Handbook of Google. The privacy and

confidentiality of customer data and information should be emphasized in the handbook. The

same should be done during new staff orientation. As part of new hire orientation, employees

should be provided with security training. Moreover, Google needs to ensure that every

employee reads, understands, and take a training course regarding its Code of Conduct, which

details the company’s expectation that all employees will conduct business in a manner that is

lawful, ethical, and with respect, as well as with integrity for one another and the company’s

competitors, partners, and users (Conti 2008).

 Google’s Strategic Information Security 10

Based on an employee’s job role, further security policies and training could be applied

(Hoover 2013). Google employees that handle customer information, for example, are required

to necessarily complete requirements in accordance with these policies.Training regarding

consumer data outlines the appropriately using data alongside business processes, and the

violations’ consequences. All employees at the company should be responsible for

communicating security and privacy matters to the assignedorganization’ssecurity staff. Finally,

the company should offer confidential reporting techniques in order to make sure that employees

are able to anonymously report any ethics violation that they might come across.

Law and Ethics

There is a fine line of difference, which exists between law and ethics (Kumar n.d.). Law

is defined as the systematic set of universally accepted regulations and rules created an

appropriate authority, such as government, which may be international, national, and regional.

On the other hand, ethics refers to the principles, which guides a society or an individual, created

with the objective of decidingwhat is either good or bad. More importantly, the definition of law

incorporates such terms, namely consistent, universal, published, accepted, and enforced.

However, ethics cannot be compelled and therefore they are never enforced as law. Contrary to

the law, ethics need not to be universal and published. In fact, it entirely relies on the individual

and the choice of the person in relation to their interaction to other society members.

Goggle’s determination and commitment to security should be clearly outlined in both its

Security Philosophy and its Code of Conduct (Kumar n.d.). These policies cover a broad array of

security problems and topics that range from general policies, which all employees have to

comply with, such as physical, data, and account security, along with more specialized policies,

which cover internal systems and applications that Google’s employees are needed to abide by.
 Google’s Strategic Information Security 11

Besides, the security policies are reviewed and updated regularly. In addition, staff are required

to receive constant security training on security topics, namelyhow to label and handlesensitive

data, working from remote locations safely, and the safe use of the Internet. Further training is

periodically offered regarding policy topics of interest, such as in areas of emerging technology,

including social technologies and safe use of mobile devices.

It is primarily the responsibility of the customer to respond to the law enforcement data

requests. Nevertheless, Google can obtain requests directly from courts and governments all over

the world regarding how an individual has utilized the organization’s services (Bulgurcu et al.).

Google takes measures to protect consumer’s privacy and restrict excessive requests whereas

ensuring its legal obligations are met. Respect for security and privacy of data stored with the

company remains its priority as it complies with the legal requests. Upon receipt of such

requests, the company reviews the request to ensure it satisfies Google’s policies and legal

requirements. So as to comply, the request has to be written, signed by an authorized person of

requesting firm, and given under appropriate law. It is the company’s policy to inform customers

regarding the requests for their data unless prevented by the court order or law.

It is the company’s policy to take into account the security implications and properties,

services, and systems provided or used by Google throughout the whole project lifecycle.

Google’s “Services, Systems, and ApplicationsSecurity Policy” calls for individuals and teams to

implement appropriate security measures in services, systems, and applications being developed,

commensurate with identified security concerns and risks (Kumar n.d.). The policy outlines that

the company maintains a security team chartered with offering security related risk-assessment

and guidance.

PRT Network Monitor

 Google’s Strategic Information Security 12

Network monitoring is a very critical instrument that is used to assure the availability and

performance of an organization’s or private servers as well as the entire network (Paessler.com

n.d.). In addition, an efficient memory monitor tool greatly assists in optimizing both the

bandwidth and hardware based on one’s needs through providing an analysis of long term

monitoring data. On the other hand, PRTG Network Monitor performs an extensive monitoring

solution, which analyses various aspects, such as monitoring network usage, checking

bandwidth, availability, and performance (Paessler.com n.d.). With PRTG, it is possible to

monitor the home network using a number of probes. It automatically creates the “Local Probe.”

It is also possible to add more probes in order to monitor VPNs and remote sites or to distribute

monitoring load.

Having installed and used the software so as to monitor the home network, the report

revealed a number of issues or limitations in my system, which this paper has reviewed. While

the network indicated some strength, it had a number of issues associated with it. Regarding the

system’s ‘Local Probe,’ System Health, Core Health, Probe Health of the network were all in

good condition. However, the network’s Disk Free had some issues since 6% (Free Space D) is

below the 10% error limit in Free Space D. Moreover, Common SaaS Check was down as 0%

was below the error limit of 50% in Available Services.

The Network Infrastructure on the other hand despite showing some good security

features also indicated some limitations. To begin with, HTTP had some limitation since the host

was never found, something that indicates that the key name, such as address and name, was not

found. In addition, the SSL Certificate Center failed to establish secure connection, as there was

‘No Secure Protocol Available’ in Security Rating.Similarly, the SSL Security Check and SLL

Security Sensor were all down as there was No Secure Protocol Available and failure to establish
 Google’s Strategic Information Security 13

secure connection respectively. Furthermore, IMAP was also down since Connection Closed

Gracefully whereas PNG worked well.

Conclusion

Google employs five risk control strategies, namely defense, transferal, mitigation,

acceptance, and termination. Additionally, a number of protection mechanisms are used to

support a platform used by millions of people and organizations including Google itself to

operate their businesses on products and technologies offered by the organization. From this

analysis, it is seen that Google has put in place enough practices and controls to ensure that

customer information is secure. Strategic information security integrates the significance of

viable security policy with the company’s strategic objectives. Google, in its attempt to ensure

customer satisfaction, has put in place effective privacy and security plans, such as controlling

risk, using protection mechanisms, ensuring personnel security through background checks, and

putting in place regulations, laws, and ethics that its employees have to follow. As much as

attention needs to be given to organizational security, home network security is important as

well. Using PRTG Network Monitor, the system’s efficiency and performance can be greatly

enhanced.
 Google’s Strategic Information Security 14

References

Anderson, R. and Moore, T., 2006. The economics of information security. Science, 314(5799),

pp.610-613.

Anuar, N.B., Papadaki, M., Furnell, S. and Clarke, N., 2014. A response selection model for

intrusion response systems: Response Strategy Model (RSM). Security and

Communication Networks, 7(11), pp.1831-1848.

Bulgurcu, B., Cavusoglu, H. and Benbasat, I., 2010. Information security policy compliance: an

empirical study of rationality-based beliefs andinformation security awareness. MIS

quarterly, 34(3), pp.523-548.

Cart, A.N.F., n.d. Critical Elements of an Information Security Management Strategy.

Chow, R., Golle, P., Jakobsson, M., Shi, E., Staddon, J., Masuoka, R. and Molina, J., 2009,

November. Controlling data in the cloud: outsourcingcomputation without outsourcing

control. In Proceedings of the 2009 ACM workshop on Cloud computing security (pp. 85-

90). ACM.

Conti, G., 2008. Googling security: how much does Google know about you?. Pearson

Education.

Hoover, J.N., 2013. Compliance in the ether: cloud computing, data security and business

regulation. J. Bus. & Tech. L., 8, p.255.

Hughes, C.R., 2010. Google and the great firewall. Survival, 52(2), pp.19-26.

Kumar, P.V., n.d. An Analysis on Law vs. Ethics and Morals in a Changing Society.

Martin, T.D., 2010. Hey-You-Get off of My Cloud: Defining and Protecting the Metes and

Bounds of Privacy, Security, and Property in Cloud Computing. J. Pat. & Trademark Off.

Soc'y, 92, p.283.

 Google’s Strategic Information Security 15

Navarro, L., 2001. Information security risks and managed security service. Information security

technical report, 6(3), pp.28-36.

Paessler.com., n.d. PRTG Network Monitor - Powerful Network Monitoring Software. [online]

Available at: https://www.paessler.com/prtg[Accessed 16 Oct. 2016].

Whitman, M.E., 2004. In defense of the realm: understanding the threats to information security.

International Journal of Information Management, 24(1), pp.43-57.

Whitman, M.E. and Mattord, H.J., 2011. Principles of information security. Cengage Learning.