Google wants you to know your data is safe in its cloud. It published a white paper on how Google uses encryption to protect data in transit traveling over the Internet from the user to Google Cloud as well as internally while it’s moving between the company’s data centers.
Google also encrypts data at rest. And all of this encryption — for data at rest and in transit — happens by default.
The white paper comes as reports have surfaced that data on 123 million U.S. households was left unsecured in an Amazon Web Services (AWS) S3 cloud storage bucket. Analytics firm Alteryx stored data in a bucket that essentially allowed any user with an AWS account to access it, according to a blog post by UpGuard security researcher Chris Vickery.
In a Google blog post, Maya Kaczorowski, security and privacy product manager at Google Cloud, explains the measures Google takes to authenticate the data source, ensure the data arrives at its destination unaltered, and keep the data in transit confidential with encryption.
“When you connect to Google Cloud, the data you send is encrypted using HTTPS so that an adversary cannot snoop on your traffic,” she wrote. Google uses BoringSSL, an open source cryptographic library derived from OpenSSL, to implement TLS and other encryption in transit protocols. These are the encryption technologies HTTPS relies on to secure the connections.
Additionally, Google Cloud encrypts and authenticates data in transit when it moves outside of Google-controlled boundaries. “To ensure we are protecting data against any potential threats, our inherent assumption is that the wide area network is only semi-trusted — that is, that network links between physical boundaries can be compromised by an active adversary who can snoop, inject or alter traffic on the wire,” Kaczorowski wrote.
This happens at the network layer, where Google encrypts virtual machine (VM) to VM traffic as it crosses a Google boundary. There’s a second level of security at the application layer, where Application Layer Transport Security provides data authentication, integrity, and encryption when remote procedure calls from service to service leave a Google-controlled physical boundary.
In addition to securing Google Cloud, the company also supports open source projects and other encryption efforts to make the Internet as a whole more secure. This includes Certificate Transparency (CT), which is designed to audit and monitor certificates issued by certificate authorities (CAs). These are publicly trusted entities that issue electronic documents that verify a digital entity’s identity on the Internet.
CT is an open source project that “helps detect certificates that may not have been issued according to industry standards, or may not have been requested by the domain owner.”