In our new series about Google Workspace security, we will discuss Google’s approach to security and compliance. As cloud computing pioneers, Google takes their security very seriously and understands the concerns over enterprise cloud computing. Their approach comes in many parts. The first part starts internally and is our topic today: Google’s Security and Privacy Focused Culture.
Any organization that claims to have strong security and privacy structures in their products must practice what they preach in their offices and with their employees. Google boasts one of the most secure and private cloud workspaces in the industry. Therefore, they must have an even stronger security and privacy culture for their employees. Let’s take a look at the various parts of Google’s hiring process, onboarding, company events, and training. These exemplify this strong security and privacy culture.
Employee Background Checks and Security Training
As any company working with sensitive information does, Google conducts background checks on all new employees before hiring them. They check the newcomer's education and employment history as well as internal and external references. This is not a "normal" practice in all countries or localities, but Google goes the extra mile in order to ensure their products have the best people working on them. In certain locations, Google may also conduct background checks concerning criminal record and identity, perform credit checks, and confirm the employee's immigration status.
Once an employee joins Google, they go through fairly extensive security training. During orientation, new Google employees agree to the code of conduct, which is publicly available. The main commitment in the code of conduct is keeping the information provided by customers safe and secure. In addition to the code of conduct, depending on which role the new employee has within Google, they will have to take part in additional security training. The IT team at Google trains all new developers on secure coding practices, secure design, and automated vulnerability testing tools.
Google has a zero-trust policy when it comes to access. This means that when a device tries to access a system, Google takes into account the device itself, its state, its associated user, and their context. Unsurprisingly, this zero-trust policy applies to both internal and external networks. The zero-trust policy allows Google's security and compliance teams to be as effective during normal times as they would be during emergencies. If Google takes its internal security seriously, you can bet that they will also take their customers' security very seriously.
During the last few years, the worldwide pandemic drastically changed the way we work. If you and your organization now find yourselves in a situation where remote work for your employees is the new norm, it’s worthwhile taking a look at zero-trust policies so you can offer your workforce a secure and scalable way to work together without a VPN or location requirements.
Internal Security and Privacy Events
Hackers and other people trying to enter secure networks are constantly innovating. This means that security and compliance teams need to constantly be on their toes looking for new attacks. By hosting security and privacy events, meetings, showcases, demos, and seminars, Google raises awareness of the ever-evolving security conditions in their organization and promotes innovation in response to them. A strong example of this is Google's "Privacy Week", where they host events across their global offices to bring awareness to all things related to privacy.
Dedicated Security and Privacy Teams
It might seem obvious at this point, but Google employs entire teams for security and privacy which belong to their engineering and operations division. Each is a team of experts, not just within their respective countries, but worldwide. The teams not only build strong defense systems for Google internally and Google products externally, but they also develop processes and protocols to actively scan for new security threats.
The security team reviews security plans for all networks, systems, and services; provides consulting services around security to various Google project teams; monitors Google's networks for suspicious activities; performs regular security audits; and consults with external experts for regular security audits. In addition to the internal security team, Google has another team called "Project Zero", which looks to prevent external attacks by reporting bugs to software vendors.
The Privacy teams at Google play an integral role in product launches. Whenever a new product comes to market, the teams ensure, with automated tools, that these new systems comply with Google's overarching privacy commitment. On top of this, the privacy teams conduct code audits and review product design documents to make sure the products follow privacy requirements.
Internal Audit and Compliance Specialists
A big part of regulatory compliance is knowing where and how your data is stored, who has access to it, and how the organization will deal with breaches and other security issues. Google has internal engineers and compliance experts who can help guide their customers to the right answers to some of the most important security and compliance questions. Not only do they help guide the customer to the right solutions, they also collaborate with the customer’s team to understand specific industry regulations. These regulations are constantly changing, so the team at Google stays on top of the changes and keeps their customers informed. The most surprising part of all is that on certain occasions, Google even lets customers conduct audits to verify their security and privacy controls.
Collaboration with Security Research Community
As you may know, the best way to learn and develop is from others. Different people from different backgrounds and cultures give us different and sometimes eye-opening perspectives on things. With regard to Google's security and privacy, they work closely with a community of security experts who constantly look to exploit Google Workspace's security and privacy. Google even has a vulnerability reward program which helps incentivize this community of experts, offering rewards of up to tens of thousands of dollars for this hard work.
Overall, it's safe to say that Google's approach to privacy and security builds trust with its customers. Beyond the standard laws and regulations, Google incentivizes the security community experts to find vulnerabilities in their systems. From the day a Google employee first sets foot in the company to when they leave, they are constantly trained and guided on how to detect and predict security problems.
If you decide that Google Workspace is the right tool for your team, please feel free to reach out to us at Seibert Media.