Building core strength: New technical papers on infrastructure security

Google’s infrastructure security teams continue to advance the state of the art in securing distributed systems. As the scale, capabilities, and geographical locations of our data centers and compute platforms grow, we continue to evolve the systems, controls, and technology used to secure them against external threats and insider risk.

Building on the principles laid out in Building Secure and Reliable Systems, we are excited to announce a new series of technical whitepapers on infrastructure security. The series begins with two papers:

• Protecting the physical-to-logical space in a data center
• Enforcing boot integrity on production machines

These papers are technical, but we designed them to be readable and accessible to non-experts. We hope they give you insight into the exciting work our teams are doing to keep our customers safe, and that the papers can be a valuable resource as you work to protect your own infrastructure from attacks.

How Google protects the physical-to-logical space in a data center

Thomas Koh is the author of “Protecting the physical-to-logical space in a data center,” which explores Google’s security controls that help protect the vital physical-to-logical space.

We define the physical-to-logical space in a data center as “arms-length from a machine in a rack to the machine’s runtime environment.” This space sits between physical controls (such as building access controls) and logical controls (such as secure service deployment). Physical-to-logical controls are designed to defend against attackers that have legitimate access to the data center floor.

To protect the physical-to-logical space, Google implements a number of security controls, including:

• Hardware hardening: Reduce each machine’s physical access paths, known as the attack surface.
• Task-based access control: Provide access to secure rack enclosures only to personnel who have a valid, time-bound business justification.
• Anomalous event detection: Generate alerts when physical-to-logical controls detect anomalous events.
• System self-defense: Recognize an unexpected change in the physical environment and respond to threats with defensive actions.

You can read the full paper now: How Google protects the physical-to-logical space in a data center.

How Google enforces boot integrity on production machines

Jeff Andersen goes deep into boot integrity security on production machines in the “Enforcing boot integrity on production machines” whitepaper. The security posture of a data center machine is established at boot time, which means that the machine’s hardware must be configured, and the operating system initialized, all while keeping the machine safe to run in Google’s production environment.

In this paper, we step through our boot process and demonstrate how our controls ensure attested machine boot integrity at each step in the boot flow.

The paper dives into the following:

• Hardware roots of trust and cryptographic sealing using Google’s custom Titan chip
• Credential sealing in the boot process
• Maintaining the integrity of the kernel, boot firmware, and root of trust firmware
• Ensuring root of trust authenticity

You can read the full paper now: How Google enforces boot integrity on production machines.

We plan to publish more papers like these. As more become available, we’ll publish them on our infrastructure security whitepapers page. We hope they’re exciting, illuminating, and most of all, useful.