Building core strength: New technical papers on infrastructure security

Google’s infrastructure security teams continue to advance the state of the art in securing distributed systems. As the scale, capabilities, and geographical locations of our data centers and compute platforms grow, Google continue to evolve the systems, controls, and technology used to secure them against external threats and insider risk.

Building on the principles laid out in Building Secure and Reliable Systems, Google are excited to announce a new series of technical whitepapers on infrastructure security. The series begins with two papers:

These papers are technical, but we designed them to be readable and accessible to non-experts. Google hope they give you insight into the exciting work our teams are doing to keep our customers safe, and that the papers can be a valuable resource as you work to protect your own infrastructure from attacks.

How Google protects the physical-to-logical space in a data center

Thomas Koh is the author of “Protecting the physical-to-logical space in a data center,” which explores Google’s security controls that help protect the vital physical-to-logical space.

Google define the physical-to-logical space in a data center as “arms-length from a machine in a rack to the machine’s runtime environment.” This space sits between physical controls (such as building access controls) and logical controls (such as secure service deployment). Physical-to-logical controls are designed to defend against attackers that have legitimate access to the data center floor.

To protect the physical-to-logical space, Google implements a number of security controls, including:

How Google enforces boot integrity on production machines

Jeff Andersen goes deep into boot integrity security on production machines in the “Enforcing boot integrity on production machines” whitepaper. The security posture of a data center machine is established at boot time, which means that the machine’s hardware must be configured, and the operating system initialized, all while keeping the machine safe to run in Google’s production environment.

In this paper, Google step through our boot process and demonstrate how our controls ensure attested machine boot integrity at each step in the boot flow.

The paper dives into the following:

Related posts

Helping small businesses manage their time and connect with their customers

by Cloud Ace Indonesia
5 months ago

Low-latency fraud detection with Cloud Bigtable

by Cloud Ace Indonesia
2 years ago

How to deploy Tink for BigQuery encryption on-prem and in the cloud

by Cloud Ace Indonesia
2 years ago