Google’s infrastructure security teams continue to advance the state of the art in securing distributed systems. As the scale, capabilities, and geographical locations of our data centers and compute platforms grow, Google continues to evolve the systems, controls, and technology used to secure them against external threats and insider risk.
Building on the principles laid out in Building Secure and Reliable Systems, Google is excited to announce a new series of technical whitepapers on infrastructure security. The series begins with two papers:
- Protecting the physical-to-logical space in a data center
- Enforcing boot integrity on production machines
These papers are technical, but we designed them to be readable and accessible to non-experts. Google hopes they give you insight into the exciting work our teams are doing to keep our customers safe, and that the papers can be a valuable resource as you work to protect your own infrastructure from attacks.
How Google protects the physical-to-logical space in a data center
Thomas Koh is the author of “Protecting the physical-to-logical space in a data center,” which explores Google’s security controls that help protect the vital physical-to-logical space.
Google defines the physical-to-logical space in a data center as “arms-length from a machine in a rack to the machine’s runtime environment.” This space sits between physical controls (such as building access controls) and logical controls (such as secure service deployment). Physical-to-logical controls are designed to defend against attackers that have legitimate access to the data center floor.
To protect the physical-to-logical space, Google implements a number of security controls, including:
- Hardware hardening: Reduce each machine’s physical access paths, known as the attack surface.
- Task-based access control: Provide access to secure rack enclosures only to personnel who have a valid, time-bound business justification.
- Anomalous event detection: Generate alerts when physical-to-logical controls detect anomalous events.
- System self-defense: Recognize an unexpected change in the physical environment and respond to threats with defensive actions.
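To make the second and third controls concrete, here is an added example (not Google's code and not taken from the whitepaper) of the kind of check a detection pipeline can run: enclosure-open events from rack sensors are correlated with time-bound access grants, and any open that has no matching, currently valid grant for that badge and rack raises an alert. The grant and event records, their field names, and the sample data are all constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed record types; real systems would carry more fields.
@dataclass(frozen=True)
class AccessGrant:
    badge: str        # person's badge id
    rack: str         # rack enclosure the grant covers
    ticket: str       # business justification (e.g. a repair ticket)
    start: datetime   # grant becomes valid
    end: datetime     # grant expires (time-bound access)

@dataclass(frozen=True)
class EnclosureEvent:
    time: datetime
    rack: str
    badge: Optional[str]  # None when the enclosure opened with no badge presented
    action: str           # "open" or "close"

def find_anomalies(events: List[EnclosureEvent],
                   grants: List[AccessGrant]) -> List[Tuple[EnclosureEvent, str]]:
    """Return (event, reason) pairs for every enclosure open that is not
    covered by a valid grant. Closes are not alerted on by themselves."""
    alerts = []
    for ev in events:
        if ev.action != "open":
            continue
        if ev.badge is None:
            alerts.append((ev, "enclosure opened with no badge presented"))
            continue
        same_rack = [g for g in grants if g.badge == ev.badge and g.rack == ev.rack]
        if any(g.start <= ev.time <= g.end for g in same_rack):
            continue  # covered by a current, rack-specific grant
        if same_rack:
            alerts.append((ev, "grant for this rack exists but is outside its time window"))
        elif any(g.badge == ev.badge for g in grants):
            alerts.append((ev, "badge has a grant, but not for this rack"))
        else:
            alerts.append((ev, "no grant on record for this badge"))
    return alerts

# Constructed sample data: one repair ticket for rack R-07, valid 09:00-11:00.
GRANTS = [
    AccessGrant("B123", "R-07", "TICKET-001",
                datetime(2024, 1, 10, 9, 0), datetime(2024, 1, 10, 11, 0)),
]
EVENTS = [
    EnclosureEvent(datetime(2024, 1, 10, 9, 30), "R-07", "B123", "open"),   # in window
    EnclosureEvent(datetime(2024, 1, 10, 9, 45), "R-07", "B123", "close"),
    EnclosureEvent(datetime(2024, 1, 10, 13, 0), "R-07", "B123", "open"),   # expired
    EnclosureEvent(datetime(2024, 1, 10, 9, 40), "R-08", "B123", "open"),   # wrong rack
    EnclosureEvent(datetime(2024, 1, 10, 9, 50), "R-07", "B999", "open"),   # no grant
    EnclosureEvent(datetime(2024, 1, 10, 10, 5), "R-09", None,   "open"),   # no badge
]

def run_sample() -> List[str]:
    """Convenience wrapper returning the alert reasons for the sample data."""
    return [reason for _, reason in find_anomalies(EVENTS, GRANTS)]

if __name__ == "__main__":
    for ev, reason in find_anomalies(EVENTS, GRANTS):
        print(f"{ev.time.isoformat()} rack={ev.rack} badge={ev.badge}: {reason}")
```

The three distinct failure reasons matter operationally: an expired grant usually means a ticket overran and should be re-approved, a wrong-rack open suggests someone is outside the scope of their task, and a no-badge open is the case that should trigger the paper's "system self-defense" response rather than just a ticket.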
How Google enforces boot integrity on production machines
Jeff Andersen goes deep into boot integrity security on production machines in the “Enforcing boot integrity on production machines” whitepaper. The security posture of a data center machine is established at boot time, which means that the machine’s hardware must be configured, and the operating system initialized, all while keeping the machine safe to run in Google’s production environment.
In this paper, Google steps through the boot process and demonstrates how its controls ensure attested machine boot integrity at each step in the boot flow.
The paper dives into the following:
- Hardware roots of trust and cryptographic sealing using Google’s custom Titan chip
- Credential sealing in the boot process
- Maintaining the integrity of the kernel, boot firmware, and root of trust firmware
- Ensuring root of trust authenticity
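The following is an added illustration of the measured-boot and sealing ideas the paper covers; it is not Google's code and does not model how the Titan chip actually works. It builds a hash chain over constructed "firmware" and "kernel" images the way a measurement register is extended stage by stage, seals a credential to the expected final measurement, and shows that changing any stage (here the kernel) yields a different measurement and makes the credential unrecoverable. The device key, the HMAC-based wrapping scheme, and all images are stand-ins chosen so the example runs with only the Python standard library.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed stand-ins for the boot stages named in the whitepaper.
BOOT_STAGES: Dict[str, bytes] = {
    "rot_firmware":  b"constructed root-of-trust firmware image v1",
    "boot_firmware": b"constructed boot firmware image v1",
    "kernel":        b"constructed kernel image v1",
}
STAGE_ORDER = ("rot_firmware", "boot_firmware", "kernel")

def measure(image: bytes) -> bytes:
    """Measurement of one stage: a hash of the image about to be run."""
    return hashlib.sha256(image).digest()

def extend(register: bytes, measurement: bytes) -> bytes:
    """PCR-style extend: new = H(old || measurement). Order-sensitive, so the
    final value commits to every stage and the sequence they ran in."""
    return hashlib.sha256(register + measurement).digest()

def boot_chain(stages: Dict[str, bytes]) -> bytes:
    """Simulate a boot: each stage is measured into the register before it runs."""
    register = b"\x00" * 32
    for name in STAGE_ORDER:
        register = extend(register, measure(stages[name]))
    return register

def _seal_key(device_key: bytes, register: bytes) -> bytes:
    # Wrapping key depends on both the device-bound key and the measurement,
    # so a different boot state derives a different key.
    return hmac.new(device_key, b"seal|" + register, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: bytes) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(secret: bytes, expected_register: bytes, device_key: bytes) -> bytes:
    """Seal `secret` to `expected_register` (demo scheme: HMAC keystream + HMAC tag)."""
    key = _seal_key(device_key, expected_register)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(key, nonce, len(secret))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(blob: bytes, actual_register: bytes, device_key: bytes) -> Optional[bytes]:
    """Unseal with the measurement of the boot that actually happened.
    Returns None if the measurement differs from the one sealed against."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    key = _seal_key(device_key, actual_register)
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def tampered_stages(stage: str, image: bytes) -> Dict[str, bytes]:
    """Helper for experiments: copy of BOOT_STAGES with one stage replaced."""
    stages = dict(BOOT_STAGES)
    stages[stage] = image
    return stages

if __name__ == "__main__":
    device_key = b"constructed device-bound key"
    good = boot_chain(BOOT_STAGES)
    blob = seal(b"node credential", good, device_key)
    print("expected boot:", unseal(blob, good, device_key))
    bad = boot_chain(tampered_stages("kernel", b"constructed kernel image v2"))
    print("modified kernel:", unseal(blob, bad, device_key))
```

The point the example makes is that the credential is never released by a policy check on the machine; it is simply not derivable unless every measured stage, in order, matches what the credential was sealed against. A production root of trust additionally signs the measurement for a remote verifier and protects the device key in hardware, neither of which this stand-in attempts.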