Google : Designing Its Information Technology Infrastructure Security as

Competitive Advantage

Introduction

Earths information security lies in googles hand. Google is managing more Information than
any entity in the world, even though Google is not in the position to demand information from
people. People willingly to submit their information under googles services without much
concern about their information being. What google intend to do with our data ?, How google
managing our data ?, Is our data is secure under googles protection ?. We can conclude that is
the sign how googles infrastructure security is trustworthy and creates no worries to its
customers, and that factor can become a competitive advantage.

Michael Porter argued that Competitive advantage is a function of either providing

comparable buyer value more efficiently than competitors (low cost), or performing activities
at comparable cost but in unique ways that create more buyer value than competitors and, hence,
command a premium price (differentiation). While Laudons defining IT infrastructure a set
of physical devices and software applications that are required to operate the entire enterprise.
This paper gives a view how googles design its IT infrastructure security and conclude if
googles IT infrastructure security become its competitive advantage or mere part of
sustainably development effort.

Attack on the cyber security now arising, back on mid-year of 2017 the attack of WannaCry (a
particular kind of ransomware) gave a snap on people head for not aware of the threat of
compromised security. Roughly fifty percent of worlds population are using the IT and implies
on how many people are vulnerable to cybersecurity attack, and yet the awareness of cyber
security is low especially among the personal IT users. IT users should concern more about
cyber security and make consideration regarding security in choosing IT based services. In the
last few years , companies which provide IT based services now in race to provide enhancement
in their security departement (e.g. iPhone face-id , fingerprint lock on smartphones , multi-
layer authorization to log in gojek , etc.) . Since the company is profit-generating entity, the
reason to rise a trend in security is not only based on awareness on cyber security but also profit
oriented cause. This trend also become the background of this paper to relate IT infrastucture
security with competitive advantage.

1
Motivation

As stated in introduction, currently google is managing most information in the world. Their
services attract other entity to submit or store their information within google. Google services
dominated the market share in its own category, android is now most used operating system on
smartphones outnumbered apples ios, Gmail is the most popular mail services outmatched
yahoos mail or microsofts outlook, and google is still number one search engine in the world.
From the classic search engine to sensational operating system android implicitly require us to
expose our data to google.Like parents which registered their children to a educational
institution, the urge to know how the institution will managing their children is inevitable.
Parents would like to know how the learning process is conducted , in what kind of enviroment
their children will be, and what cost they will charged to obtain such privileges. We as the data
owner should concern on how our possesion (data) will be treated, the security of our data from
the unauthorized parties, and what cost google charged to us for using their services which
most of them are relatively free.

In this paper we specified the googles data management to the extent of securing its data. The
most convenience way to benchmark google security is by its IT infrastucture, IT infrastructure
is tangible and can be valued objectively. When people decided to use googles services, the
data security is not a concern even most people is not aware of what specification that google
use to managing their data. Is people trust on googles security only a matter of perception
since google is large corporation with known reputation or google deserved the trust of its
customers by providing a proper and sophisticated IT infrasructure security. After answering
this issue with decription of googles infrastucture security , we can conclude that googles
infrastructure security can bring competitive advantage to the company.

This topic also can be intriguing to google services user, the contents will give insight on what
infrastructure google use to secure their customers data. After reading this paper as IT user is
expected to increase awareness to IT infrastuctures and its security. Even such extent of
information which provided in the content is unnecessary as the end-user to utilise google
services,is still beneficial to know exactly what kind of services you submitted your data to.

2
Organization Profile

Company : Google LLC

Type : Subsidiary

Industry : Internet, Software, Computer hardware

Founded : September 4, 1998 in Menlo Park, California

Founders : Larry Page & Sergey Brin

Headquarters : Googleplex, Mountain View, California

Area served : Worldwide

Parent : Alphabet Inc.

Products : Google search , Google Adsense , Google+ , Google App Engine , reCAPTCHA ,
Google Maps, Android , Nexus Phones , etc.

Website : google.com

History

Google story begins in 1995 at Stanford University. Larry Page was considering Stanford for
grad school and Sergey Brin, a student there, was assigned to show him around. The following
year they struck a partnership. Working from their dorm rooms, they built a search engine that
used links to determine the importance of individual pages on the World Wide Web. They
called this search engine Backrub.

Soon after, Backrub was renamed Google. The name was a play on the mathematical
expression for the number 1 followed by 100 zeros and aptly reflected Larry and Sergey's
mission to organize the worlds information and make it universally accessible and useful.

Over the next few years, Google caught the attention of not only the academic community, but
Silicon Valley investors as well. In August 1998, Sun co-founder Andy Bechtolsheim wrote
Larry and Sergey a check for $100,000, and Google Inc. was officially born. With this
investment, the newly incorporated team made the upgrade from the dorms to their first office:
a garage in suburban Menlo Park, California, owned by Susan Wojcicki (now CEO of
YouTube).

3
Even in the beginning, things were unconventional: from Googles initial server (made of
Lego) to the first Doodle in 1998: a stick figure in the logo announcing to site visitors that
the entire staff was playing hooky at the Burning Man Festival. Don't be evil and The ten
things we know to be true captured the spirit of Googles intentionally unconventional
methods. In the years that followed, the company expanded rapidly hiring engineers,
building a sales team, and introducing the first company dog, Yoshka. Google outgrew the
garage and eventually moved to its current headquarters (a.k.a.The Googleplex) in Mountain
View, California. The spirit of doing things differently made the move.

The relentless search for better answers continues to be at the core of everything Google do.
Today, with more than 60,000 employees in 50 different countries, Google makes hundreds of
products used by billions of people across the globe, from YouTube and Android to Smartbox
and, of course, Google Search.

Google Implementation of IT Infrastructure Security

A. Secure Low Level Infrastructure

1. Security of Physical Premises

Google built its own data centers , those data centers are using multiple layers of physical
security like biometric identifications, metal detection, cameras, vehicle barriers, and laser-
based intrusion detection systems. The access also limited to small fraction of Googles
employees.

2. Hardware Design and Provenance

The server boards and the networking equipment which used in the data centers are custom-
designed by Google. Google also audit and validate the security properties provided by the
components which are make by the selected vendor. Google also design custom chips,
including a hardware security chip that is currently being deployed on both servers and
peripherals. These chips allow us to securely identify and authenticate legitimate Google
devices at the hardware level.

3. Secure Boot Stack and Machine Identity

Google server machines use a variety of technologies to ensure that they are booting the correct
software stack. Each server machine in the data center has its own specific identity that can be

4
tied to the hardware root of trust and the software with which the machine booted. This identity
is used to authenticate API calls to and from low-level management services on the machine.

B. Secure Service Deployment

1. Service Identity, Integrity, and Isolation

Each service that runs on the infrastructure has an associated service account identity. A service
is provided cryptographic credentials that it can use to prove its identity when making or
receiving remote procedure calls (RPCs) to other services. These identities are used by clients
to ensure that they are talking to the correct intended server, and by servers to limit access to
methods and data to particular clients. Google have a variety of isolation and sandboxing
techniques for protecting a service from other services running on the same machine. These
techniques include normal Linux user separation, language and kernel-based sandboxes, and
hardware virtualization.

2. Inter-Service Access Management

The owner of a service can use access management features provided by the infrastructure to
specify exactly which other services can communicate with it. Google engineers accessing
services are also issued individual identities, so services can be similarly configured to allow
or deny their accesses. The infrastructure provides a rich identity management workflow
system for these internal identities including approval chains, logging, and notification.

3. Encryption of Inter-Service Communication

The infrastructure provides cryptographic privacy and integrity for RPC data on the network.
To provide these security benefits to other application layer protocols such as HTTP, Google
encapsulate them inside its infrastructure RPC mechanisms.

4. Access Management of End User Data

A typical Google service is written to do something for an end user. The end users interaction
with an application like Gmail spans other services within the infrastructure. The infrastructure
provides a central user identity service which issues these end user permission tickets. An
end user login is verified by the central identity service which then issues a user credential,
such as a cookie or OAuth token, to the users client device. Every subsequent request from
the client device into Google needs to present that user credential.

5
 C. Secure Data Storage
1. Encryption at Rest

Performing encryption at the application layer allows the infrastructure to isolate itself from
potential threats at the lower levels of storage such as malicious disk firmware. That said, the
infrastructure also implements additional layers of protection. We enable hardware encryption
support in our hard drives and SSDs and meticulously track each drive through its lifecycle.
Before a decommissioned encrypted storage device can physically leave our custody, it is
cleaned using a multi-step process that includes two independent verifications. Devices that do
not pass this wiping procedure are physically destroyed (e.g. shredded) on-premise.

2. Deletion of Data

Deletion of data at Google most often starts with marking specific data as scheduled for
deletion rather than actually removing the data entirely. This allows us to recover from
unintentional deletions, whether customer-initiated or due to a bug or process error internally.
After having been marked as scheduled for deletion, the data is deleted in accordance with
service-specific policies.

D. Secure Internet Communication

1. Google Front End Service

When a service wants to make itself available on the Internet, it can register itself with an
infrastructure service called the Google Front End (GFE). The GFE ensures that all TLS
connections are terminated using correct certificates and following best practices such as
supporting perfect forward secrecy.

2. Denial of Service (DoS) Protection

The sheer scale of our infrastructure enables Google to simply absorb many DoS attacks. That
said, Google have multi-tier, multi-layer DoS protections that further reduce the risk of any
DoS impact on a service running behind a GFE.

3. User Authentication

After DoS protection, the next layer of defense comes from our central identity service. This
service usually manifests to end users as the Google login page. Beyond asking for a simple
username and password, the service also intelligently challenges users for additional
information based on risk factors such as whether they have logged in from the same device or

6
a similar location in the past. After authenticating the user, the identity service issues
credentials such as cookies and OAuth tokens that can be used for subsequent calls.

E. Operational Security
1. Safe Software Development

Beyond the central source control and two-party review features, Google also provide libraries
that prevent developers from introducing certain classes of security bugs. As a final check,
Google use manual security reviews that range from quick triages for less risky features to in-
depth design and implementation reviews for the most risky features. In addition, Google run
a Vulnerability Rewards Program where Google pay anyone who is able to discover and inform
us of bugs in our infrastructure or applications. We have paid several million dollars in rewards
in this program.

2. Keeping Employee Devices and Credentials Safe

Sophisticated phishing has been a persistent way to target our employees. To guard against this
threat Google have replaced phishable OTP second factors with mandatory use of U2F-
compatible Security Keys for employee accounts. Google make a large investment in
monitoring the client devices that Googles employees use to operate the infrastructure. Being
on the corporate LAN is not the primary mechanism for granting access privileges. Google
instead use application-level access management controls which allow Google to expose
internal applications to only specific users when they are coming from a correctly managed
device and from expected networks and geographic locations.

3. Reducing Insider Risk

Google aggressively limit and actively monitor the activities of employees who have been
granted administrative access to the infrastructure and continually work to eliminate the need
for privileged access for particular tasks by providing automation that can accomplish the same
tasks in a safe and controlled way.

4. Intrusion Detection

Google has sophisticated data processing pipelines which integrate host-based signals on
individual devices, network-based signals from various monitoring points in the infrastructure,
and signals from infrastructure services.

7
Analysis of the implementation

A. Successful Factors
Scalability : Google has the resources to provide its nature to grow without any
concerning obstacles. Its current infrastructure also adaptable to expansion and
upgrades. Along with the infrastructure upgrades that requires more capital, Google
also find new way to monetize its users.
Openess : Google is open for changes that favor its users experiences for using
Googles services.
Network Effects : Google has a good brand reputation that excel the relationship with
other vendor to help them creating or developing their new technologies and
infrastructures.
Cocreation : Google also rely on external feedback, Google run a reward program that
encourages external parties to involved in Googles securities development.
Excellent Human Resources : Google posessed many expertise in the industry who keep
the business sustainably growing and improving.

B. Inhibitive Factors
Big Target : Google is one of the largest technology company and its name attract many
sophisticated hackers to breach its security for the sake of accomplishment. So Google
required more maintenance activities which required lot of funds.
High Expectation : Since Google is pioneer on many technology breakthrough, the high
expectation on development on new technology and infrastructure is unavoidable.
When google cant matched the public expectation it can damaged googles brand
values and its financial condition.
C. Challenges & Opportunities
Challenges : High frequency of cyber security attacks ; Certain technology can be
outdated quickly ; Cost of capital in developing new technology ; Competitors newer
technologies may dissolve Googles competitive advantage.
Opportunities : More secure technology attract more new users ; More advanced
technology might required less cost to operate ; Developing the infrastructure supports
sustainable advantage ; Minimize the compromised security ; Increase the shares price .

8
Conclusions

Google invest heavily in securing its infrastructure. Google have many hundreds of engineers
dedicated to security and privacy distributed across all of Google, including many who are
recognized industry authorities. The security in the infrastructure is designed in layers starting
from the physical components and data center, to hardware provenance, and then on to secure
boot, secure inter-service communication, secured data at rest, protected access to services
from the internet and finally, the technologies and people processes we deploy for operational
security.