Information Security Europe

Infosecurity Europe provides free access to an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. Master complexity and gain the foresight you need to safeguard your business at Infosecurity Europe 2014. Demonstrate clear thought leadership to ensure security is high on the corporate agenda. Achieve visibility of your mobile workers, cloud providers and web of third party suppliers. Clearly navigate and understand increasingly complex legislation. Deliver security to drive and enable clear business growth.

Infosec 2014: Datacentre security key to cloud security, says Google

The security challenges of the cloud are fundamentally the same as those of any in-house datacentre, says Peter Dickman, engineering manager at Google. This means securing data in both can be tackled in the same way, he told attendees of Infosecurity Europe 2014 in London.

“It is a question of adding as many layers of controls as possible without impairing usability,” said Dickman, which is the approach Google uses to continually evolve and improve security. Although cloud computing is at an unprecedented scale, he said there are really no new security challenges in the cloud. “Security is still about balancing controls with usability and, while it is not necessarily easy, it is also not impossible to achieve,” said Dickman.

Security professionals know there is no such thing as perfect security, but he said there are many things that can be done to ensure data in the cloud is as secure as possible. Google, like most other cloud service providers, has had the advantage of building infrastructure with scalability and security in mind from the start. “We recognised that devices could be compromised, some applications could be malicious and that we could not assume that users were security savvy, so we planned accordingly,” said Dickman.

First, this means that the computers in cloud datacentres are largely homogenous, making it quick and easy for service providers to update application software and security controls whenever needed. “This homogeneity enables us to treat each datacentre like a single computer, which makes it easier to do security and get it right,” said Dickman. Google uses a single, custom-built and security-hardened Linux-based software stack for all its servers in a single datacentre. The servers are designed so they do not include unnecessary hardware or software, which reduces the number of potential vulnerabilities.

This is important for cloud service providers, he said, as their business relies on preserving the trust placed in them as stewards of data belonging to hundreds of millions of users. Although cloud computing tends to raise concerns about data security, Dickman said this approach was developed in response to the demand for access to data everywhere. “People attempted to achieve this by making copies of data on portable media and mobile devices, but that was a security risk, and cloud computing essentially meets the need without the risk,” he said.

The next step, said Dickman, is to ensure physical security at the cloud datacentres, using multiple layers of access control technologies and processes. “It is also important to build devices against possible malicious insiders, which is why our security teams build systems to check each other,” he said.

Also within the datacentre, Dickman said it is important to follow the principles of isolation, segregation and sandboxing, and deploy encryption wherever and whenever possible. “Encryption is no panacea, but it is worth the cost and Google is continually working to ensure our encryption algorithms are as fast and as secure as possible,” he said. Unfortunately, many organisations still fail to keep things separate, said Dickman. “This is not rocket science, just tricky engineering,” he said.

Availability is another important component of security, he said, but because cloud service providers take security seriously, they tend to build their datacentres to be fault tolerant. “We test our fault tolerance by turning things off, which should work if systems have been designed and implemented correctly,” said Dickman. Google has robust disaster recovery measures in place due to its ability to shift data access to other datacentres in various parts of the world, selected for their relatively high political stability.

Google does not store each user's data on a single machine or set of machines. Instead, the company distributes all data, including its own, across many computers in different locations. The data is then split into chunks and replicated over multiple systems to avoid a single point of failure, and the data chunks are given random, computer-readable-only names as an extra measure of security. Google also rigorously tracks the location and status of each hard disk in its datacentres, and it destroys hard disks that have reached the end of their lives in a thorough, multi-step process.

“No one knows yet how to build perfect security, but Google is continually working to make it better,” said Dickman. All companies are faced with the security challenge of finding the correct balance between what is needed and what can be afforded, he said. But Google, like most other cloud service providers, argues that because of the economies of scale, it is able to build and maintain security to a higher level than most companies could achieve on-premise.

Day 1 Highlights from Infosecurity Europe 2014

Day 1 from #infosec14 - Security as a Business Enabler

Voltage Security at Infosecurity Europe 2014

Mark Read, Regional Channels Manager EMEA, Voltage Security talks to us about Voltage and its partnership with Thales, as well as changes he's seen...

Infosec 2014 welcomes Moscow

Various companies from Moscow are here again this year. This is one really great aspect of Infosec, in that there are companies from all over...

Live demo of Android Penetration Testing at Infosecurity Europe 2014

Pen Test Partners are performing live penetration testing against Android devices.

Thales at InfoSecurity 2014

A quick look at the Thales stand and the wider exhibition at Earl's Court.

Eleanor Dallaway of Infosecurity Magazine discusses Day 1 of Infosecurity Europe...

Eleanor Dallaway, Editor & Associate Publisher Infosecurity Magazine discusses her highlights & thoughts from Day 1 at Infosecurity Europe

VASCO Data Security at Infosec Europe 2014

Jan Valcke, President & COO, Vasco Data Security tells us why authentication is important in today's marketplace and how Thales benefits his business.

Infosec 2014: Cyber safety will take joint effort, says top EU...

Cyber safety can be achieved only through the joint efforts of all stakeholders, not just law enforcement, says Troels Oerting, head of Europol’s European Cybercrime Centre (EC3). “We will win, a safe and secure internet will prevail, but it will be a tough ride, and can only be done if everyone works together,” he said in the opening keynote at Infosecurity Europe 2014 in London.

Oerting also warned that malware is being developed at such a high rate that technological security controls alone are not enough to keep business and consumer data safe. “About 70% of cyber attacks are carried out using malware that is not detected by 40 of the main anti-malware systems in use by business today,” he said. Further evidence that traditional IT security tools are not working is the fact that cyber criminals were able to persist in company systems for an average of 229 days in 2013 before they were detected.

Because of the high level of social engineering used by cyber criminals, businesses need to pay more attention to securing their supply chains, and society needs to pay more attention to raising security awareness among internet users. “Cybercriminals will use social engineering to go after lawyers, accountants and other business partners to gain access to the companies they are targeting,” said Oerting. Phishing is one of the most popular tools used by attackers, both cyber criminals and hacktivists like the Syrian Electronic Army, he said. “It takes just 28 phishing emails on average before attackers are able to gain access to targeted IT systems and move around at will,” said Oerting.

Many parts of the world, such as Europe, are highly dependent on the internet for innovation, growth and prosperity, so it must be protected, he said. But law enforcement is facing several key challenges. Chief among these is the fact that criminals no longer need to travel to commit crime and cannot be stopped at national borders. “There is no longer any geographical link between the crime and the perpetrators, which means many of the traditional policing techniques do not work in cyberspace,” said Oerting. This means criminals are typically not in the same country as where their crimes are carried out, making it difficult for law enforcement officials to investigate, identify suspects and make arrests. “We have a good level of co-operation between EU member states, but criminals tend to operate in countries that do not have extradition treaties with the countries they are targeting,” said Oerting.

The second big challenge is that the top echelons of cyber criminals are increasingly using the so-called “dark web” where it is difficult to track and trace actors and their activities. The use of electronic currencies is also making it increasingly difficult to “follow the money”, said Oerting.

Another challenge of cyber crime is that there is usually little or no physical evidence to work with. “And in the very near future, cyber criminals will be streaming everything through cloud services,” said Oerting. This development, he said, will make it even more difficult to gather evidence and be able to attribute criminal actions to specific actors without any doubt.

For all these reasons, said Oerting, international co-operation is important around establishing norms of behaviour on the internet to keep it free and prevent it from becoming balkanised. He believes all stakeholders need to work together to raise cyber security awareness and build the digital capacity of their police forces to help prevent and fight cyber crime. In terms of cyber protection, he said products and services need to become more secure by design and end users need to be wary of downloading “free” applications. “If something is free, that means users' information is the product, because in reality, nothing in life is entirely free,” said Oerting.

In the light of the challenges to law enforcement and traditional policing methods, he also believes that disruption is likely to become the most effective way to fight cyber crime. “We need to prioritise criminal activity that is causing the most harm and look for ways of disrupting cyber criminal business models because prosecution is extremely difficult,” he said.

Oerting returned to his theme of collaboration, highlighting the various ways the EC3 is working with industry, government and security companies. “On the 5 May we will see the launch of the EU Cybercrime Coalition, which will bring together more than 20 banks in the region to share information with each other and with us,” he said. Cyber criminals tend to use the same tools and techniques to attack industry sectors, such as financial services, so it is important for these sectors to share information with their peers on attacks they are seeing, said Oerting.

While law enforcement is not seeing complete success, and Oerting admits he is concerned about the developments he is seeing, he remains optimistic that concerted action by all stakeholders will win out in the end.

Infosec 2014: make IT security a personal issue for staff, say...

Security chiefs at Infosecurity Europe 2014 urged companies to raise awareness of cyber security by simply talking to employees about how to protect their own home PCs and laptops. Channel 4 CISO Brian Brackenborough explained that the security team a...

Interview with Peter Gibbons, Head of Information Security, Network Rail

Interview with Peter Gibbons, Head of Information Security, Network Rail, panellist in the Keynote Theatre at Infosecurity Europe 2013. Peter shares some of the...