White Paper: Google’s Approach to IT Security
IT security is vital to any organisation because customers constantly react to security incidents. This is why many companies are spending more on IT security: many organisations have lost business due to security breaches, and that lost business is estimated to account for 62% of the US$7.2 million average cost of an IT security breach (Ponemon and Symantec, 2011, cited in Kolfal, Patterson and Yeo, 2013).
Google, which is highly aware of what IT security breaches can do to its cloud-based technologies (such as Gmail, Google Calendar, Google Docs, Google App Engine, Google Cloud Storage and others), has written this white paper to highlight the security strategy it has in place to overcome any security breach that may arise on the platform that offers its cloud products.
This security strategy provides high-level controls at multiple levels of data storage, access, and transfer. According to Google (2012), this strategy includes the following components:
- Google corporate security policies: These cover a wide range of security-related topics, from general policies that all employees must satisfy, such as account, data, and physical security, to more focused policies covering the internal applications and systems, which employees are required to follow.
- Organizational security: Google’s security organization is divided into various teams whose responsibilities are information security, global security auditing, and compliance, as well as physical security for the protection of Google’s hardware infrastructure. These teams work together to address Google’s overall global computing environment.
- Data asset management: This includes their customer and end-user assets as well as corporate data assets which are managed under security policies and procedures.
- Access control: In order for their enormous data assets to be secured, Google employs a number of authentication and authorization controls that are designed to protect against unauthorized access.
- Personnel security: Google employees are expected to conduct themselves in line with the company's guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards.
- Physical and environmental security: Google has policies, procedures, and infrastructure to handle both the physical security of its data centers and the environment from which the data centers operate.
- Infrastructure security: Google security policies provide a series of threat prevention and infrastructure management procedures.
- Systems and software development and maintenance: Google’s “Applications, Systems, and Services Security Policy” requires highly technical teams and individuals to implement suitable security measures in the applications, systems, and services being developed, commensurate with identified security risks and concerns.
- Disaster recovery and business continuity: To drastically reduce service interruption due to hardware failure, natural disaster, or other catastrophe, Google implements a disaster recovery program at all of its data centers. This program includes various components to reduce the risk of any single point of failure.
Google employs this multi-layered security strategy, consisting of the core components highlighted above, which enables it to avoid security breaches and has proved to be successful. Other companies can take lessons from it and try putting this IT security strategy in place in order to avoid any security breach. They can also place emphasis on IT security by regarding it as a high priority that needs attention in their business.
Google (2012). Google’s Approach to IT Security. Retrieved from https://cloud.google.com/files/Google-CommonSecurity-WhitePaper-v1.4.pdf
Kolfal, B., Patterson, R. and Yeo, M. (2013). Market Impact on IT Security Spending. Decision Sciences, 44(3), pp.517-556.