Hot Takes: Google's Approach to Security
Google recently published its Infrastructure Security Design Overview. You can find it here. It’s a short synopsis of how Google builds security into its infrastructure. You should read it if you haven’t already. There are two things in particular that jumped out at me.
A Modern Approach to Firewalls
Google is focusing less on firewalls as a primary control. This is explicitly mentioned in the document - twice - but the reader immediately gets the sense that traditional Layer 3 and Layer 4 segmentation is considerably less relevant to the Google team. Instead, they’re focused on segmenting zones for the purposes of availability and integrating the firewall into the host fabric.
Gone is the idea, from the days of yore, of Application, Presentation, and Infrastructure layers. The Google team is and has been on the right track in the infrastructure space for a long time now. I’m confident their approach is the right approach and the data are in their favor. But let’s be honest with ourselves: most operations still implement the old model, and the budgets that I see indicate they will for another 8 to 10 years. This is awkward at best and troubling at worst. It sets those traditional SecOps shops up for serious disruption.
The Google (and others) model of flatter, application-centric infrastructure is going to be hugely disruptive for our industry. Many organizational budgets include tens of millions of dollars for network controls. Teams of 10 to 50 engineers and supporting staff manage these controls. Vendors, partners, resellers, training shops, services shops: all will be impacted, and if they aren’t careful, the impacts will be grave.
I’m optimistic. I’m hopeful. I believe the model outlined in this paper is the future and it’s a future I want to live in. Like any other technology transition, it will have winners and losers. The key is to see the future here and be on the right side of it.
Red Teaming
From the paper, “We conduct Red Team exercises to measure and improve the effectiveness of our detection and response mechanisms.” This is a somewhat obvious statement for me, and, if you’re reading this (all 5 of you; thanks for reading this, guys!), you’ve got a background in this sort of thing and it’s obvious for you too. The key phrases here are “to measure and improve” and “detection and response.”
What’s funny about me is that as a pentester I was just shit. Awful. Worst ever. Zero talent. But I see the utility and purpose of pentesting, Red Teaming, and Purple Teaming, and I feel that I’m competent in telling their story and purpose in an organization large or small. Over the last few years, I’ve been doing that with some success.
I believe Google’s view of the Red Team is the right approach and should provide guidance to other organizations. For Google, the Red Team is there to measure and improve detection and response. Test this physical site. Launch a six-month campaign using client-side exploits to test our users and the ability to pivot. Use our .com environment to exfiltrate data. Now, how did you do? Did you get in the East gate past the sleeping guard? Is our user community well trained and is our Windows Gold build adequately secured? How is our Application Security? Did we see any of this happening? Why not? What was our response? What should and could we do next time? What else could we be missing?
I personally don’t think Red Teaming is for most organizations. I also think the Red Team itself and Red Teaming as a concept are misappropriated in many organizations that I come across. That’s another post for another time. But for those where it applies, Red Teams can be an incredibly powerful way to test the effectiveness of your controls - specifically your monitoring and response - and to be in a state of constant improvement.
I acknowledge firewalls do more than Layer 3 and Layer 4 controls. Today’s firewalls have a rich and robust set of controls built into them, and everyone should be using them. Many are not. My point is directed less at what features on firewalls you’re using and more at what I see as a failure of our architecture in and of itself. Does our current architecture thinking scale into an application-centric environment? No. Does it work when the workload is pushed into AWS? Nope.
I know I didn’t mention the Red Team and vulnerabilities. Neither does Google. I think it’s implied that yes, the Red Team will find vulnerabilities in your infrastructure. My opinion is that the Red Team isn’t for vulnerability hunting, scanning, notification, tracking, and management. So if they find a vulnerability, great. Fix it. They may find several. Fix those too. Just don’t lean on them for the identification of vulnerabilities across your enterprise.