Evaluating quality control measures
In this tutorial we will learn about evaluating quality control measures.
As a cloud pioneer, Google fully understands the security implications of the cloud model. Our cloud services are designed to deliver better security than many traditional on-premises solutions. We make security a priority to protect our own operations, but because Google runs on the same infrastructure that we make available to our customers, your organization can directly benefit from these protections. That’s why we focus on security, and the protection of data is among our primary design criteria.
Security drives our organizational structure, training priorities and hiring processes. It shapes our data centers and the technology they house. It’s central to our everyday operations and disaster planning, including how we address threats. Further, it’s prioritized in the way we handle customer data.
Google’s security culture
Google has created a vibrant and inclusive security culture for all employees. The influence of this culture is apparent during the hiring process, employee onboarding, as part of ongoing training and in company-wide events to raise awareness.
Employee background checks
Before they join our staff, Google will verify an individual’s education and previous employment, and perform internal and external reference checks. Further, Google may also conduct criminal, credit, immigration, and security checks. The extent of these background checks is dependent on the desired position.
Security training for all employees
All Google employees undergo security training as part of the orientation process and receive ongoing security training throughout their Google careers. During orientation, new employees agree to our Code of Conduct, which highlights our commitment to keeping customer information safe and secure. Depending on their job role, additional training on specific aspects of security may be required.
Internal security and privacy events
Google hosts regular internal conferences, open to all employees, to raise awareness and drive innovation in security and data privacy. Security and privacy is an ever-evolving area, and Google recognizes that dedicated employee engagement is a key means of raising awareness.
Our dedicated security team
Google employs security and privacy professionals, who are part of our software engineering and operations division. Our team includes some of the world’s foremost experts in information, application, and network security. This team is tasked with maintaining the company’s defense systems, developing security review processes, building a security infrastructure, and implementing Google’s security policies.
Operational security
Far from being an afterthought or the focus of occasional initiatives, security is an integral part of our operations.
Vulnerability management
Google administers a vulnerability management process that actively scans for security threats using a combination of commercially available and purpose-built in-house tools, intensive automated and manual penetration efforts, quality assurance processes, software security reviews, and external audits. The vulnerability management team is responsible for tracking and following up on vulnerabilities. Once a vulnerability requiring remediation has been identified, it is logged, prioritized according to severity, and assigned an owner.
Malware prevention
An effective malware attack can lead to account compromise, data theft, and possibly additional access to a network. Google takes these threats to its networks and its customers very seriously and uses a variety of methods to prevent, detect, and eradicate malware. Google helps tens of millions of people every day to protect themselves from harm by showing warnings to users of Google Chrome, Mozilla Firefox, and Apple Safari when they attempt to navigate to websites that would steal their personal information or install software designed to take over their computers.
Monitoring
Google’s security monitoring program is focused on information gathered from internal network traffic, employee actions on systems, and outside knowledge of vulnerabilities. At many points across our global network, internal traffic is inspected for suspicious behavior, such as the presence of traffic that might indicate botnet connections. This analysis is performed using a combination of open-source and commercial tools for traffic capture and parsing. A proprietary correlation system built on top of Google technology also supports this analysis.
Incident management
We have a rigorous incident management process for security events that may affect the confidentiality, integrity, or availability of systems or data. If an incident occurs, the security team logs and prioritizes it according to its severity. Events that directly impact customers are assigned the highest priority. This process specifies courses of action, procedures for notification, escalation, mitigation, and documentation. Google’s security incident management program is structured around the NIST guidance on handling incidents (NIST SP 800-61).
Data access and restrictions
Administrative access
To keep data private and secure, Google logically isolates each customer’s data from that of other customers and users, even when it’s stored on the same physical server. Only a small group of Google employees have access to customer data. For Google employees, access rights and levels are based on their job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities.
For customer administrators
Within customer organizations, administrative roles and privileges for Google Cloud are configured and controlled by the project owner. This means that individual team members can manage certain services or perform specific administrative functions without gaining access to all settings and data.
Third-party suppliers
Google directly conducts virtually all data processing activities to provide our services. However, Google may engage some third-party suppliers to provide services related to Google Cloud, including customer and technical support. Prior to onboarding third-party suppliers, Google conducts an assessment of their security and privacy practices to ensure they provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide.
Reference: Google Documentation