## Google Cloud Security

9 Google services have over 1 billion users.

Physical security, hardware and software security:

- Hardware infrastructure layer
	- Hardware design and provenance
		- Google data centers use custom hardware
	- Secure boot stack, with cryptographic signatures over:
		- BIOS
		- Bootloader
		- Kernel
		- Base operating system image
	- Premises security
		- Access limited to a small number of employees
		- Third-party servers include additional Google monitoring on top of the security offered by the third-party data center
- Service deployment layer
	- Encryption of inter-service communication
		- [[Remote Procedure Call|Remote Procedure Calls]]
		- All RPC traffic between Google data centers is encrypted
		- Deployment of hardware crypto accelerators to extend encryption to all RPC traffic inside Google data centers
- User identity layer
	- Central identity service
		- Credential authentication
		- Intelligent challenges based on risk factors
			- Sign-in location
			- New device
- Storage services layer
	- Encryption at rest
		- Encrypted HDDs, SSDs
- Internet communication layer
	- Google Front End (GFE)
		- TLS connections terminated using a public-private key pair and an X.509 certificate from a Certificate Authority (CA)
	- Protection against Denial of Service (DoS) attacks
		- Scale of infrastructure allows absorption of DoS attacks
		- Additional multi-tier, multi-layer DoS protections
- Operational security layer
	- Intrusion detection
		- Automated warnings to security teams about possible intrusions
	- Reducing insider risk
		- Limits and monitors the activities of employees given admin access to infrastructure
	- Employee U2F use
		- Guards against phishing attacks
	- Software development practices
		- Central source control
		- Two-party review of new code
		- Development and use of common libraries to prevent new security bugs
	- Vulnerability Rewards Program
		- Report bugs for rewards
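The secure boot stack listed above is a chain of trust: a key held by the hardware verifies the signature over the BIOS, the verified BIOS carries the key for the bootloader, and so on through the kernel and base OS image, so no stage runs until an already-trusted stage has checked it. The Go program below is an added example, not Google's code or boot-image format; the `Stage` layout, `BuildChain`, `VerifyChain`, the stage names and the image bytes are all constructed for illustration, and Ed25519 stands in for whatever signature scheme real firmware uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Stage is one link in a modelled boot chain: the image, a signature over it,
// and the public key that the *next* stage must verify against. The layout is
// constructed for this example; it is not Google's actual secure-boot format.
type Stage struct {
	Name    string
	Image   []byte
	Sig     []byte
	NextKey ed25519.PublicKey // nil for the final stage
}

// signedPayload is the message each stage's signature covers. Including the
// embedded next-stage key means a genuine image cannot be kept while the key
// for the following stage is swapped for one the attacker controls.
func signedPayload(s Stage) []byte {
	h := sha256.New()
	h.Write([]byte(s.Name))
	h.Write(s.Image)
	h.Write(s.NextKey)
	return h.Sum(nil)
}

// BuildChain signs each stage with the key the previous stage carries, starting
// from a root key pair. The root public key is what a hardware root of trust
// would hold; the returned chain is what ships on the machine.
func BuildChain(names []string, images [][]byte) (ed25519.PublicKey, []Stage, error) {
	rootPub, signer, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	chain := make([]Stage, len(names))
	for i := range names {
		var nextPub ed25519.PublicKey
		var nextPriv ed25519.PrivateKey
		if i+1 < len(names) { // the last stage carries no further key
			if nextPub, nextPriv, err = ed25519.GenerateKey(rand.Reader); err != nil {
				return nil, nil, err
			}
		}
		s := Stage{Name: names[i], Image: images[i], NextKey: nextPub}
		s.Sig = ed25519.Sign(signer, signedPayload(s))
		chain[i] = s
		signer = nextPriv
	}
	return rootPub, chain, nil
}

// VerifyChain is the boot-time check: starting from the root key, every stage
// must verify before control passes to it, and the key used for the next check
// is taken only from a stage that has already been verified.
func VerifyChain(rootKey ed25519.PublicKey, chain []Stage) error {
	key := rootKey
	for i, s := range chain {
		if len(key) != ed25519.PublicKeySize {
			return fmt.Errorf("stage %d (%s): no verification key, halting boot", i, s.Name)
		}
		if !ed25519.Verify(key, signedPayload(s), s.Sig) {
			return fmt.Errorf("stage %d (%s): signature invalid, halting boot", i, s.Name)
		}
		key = s.NextKey
	}
	return nil
}

func main() {
	// Constructed stage names and image contents for the demonstration.
	names := []string{"BIOS", "bootloader", "kernel", "base OS image"}
	images := [][]byte{[]byte("bios-v1"), []byte("bootloader-v2"), []byte("kernel-v6"), []byte("rootfs")}
	root, chain, err := BuildChain(names, images)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine chain:", VerifyChain(root, chain))
	// A tampered kernel image no longer matches the bootloader-held signature.
	chain[2].Image[0] ^= 0xff
	fmt.Println("tampered kernel:", VerifyChain(root, chain))
}
```

The design point worth noticing is that the key for the next stage is inside the signed payload. If it were stored alongside the image unsigned, an attacker could ship a genuine bootloader with a replaced key and then sign their own kernel; with the key covered by the signature, that substitution is caught at the bootloader stage, before the kernel is ever examined.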