Taken over by aliens? Don't worry; Google has it covered
- 22 August, 2011 16:41
Google Enterprise director of security, Eran Feigenbaum
Imagine what would happen if all the Google engineers turned rogue and held the world’s Gmail accounts to ransom. Or if aliens attacked earth and wiped California off the map.
It sounds more like something from a Hollywood movie script than real life, but that’s the nature of disaster recovery — you rarely see it coming.
It may come as a surprise, however, to learn that the folks at Google Enterprise have considered just these scenarios.
“We play a lot of games here,” admits Google Enterprise director of security, Eran Feigenbaum. “Part of our disaster recovery plan is to assume the worst has happened. In last year’s scenario, Google was attacked by aliens and California was off the map. We asked: What do we do? How do we run our infrastructure?”
Read the full interview
Feigenbaum holds some serious security credentials; before joining Google in 2007, he held the post of US chief information security officer (CISO) for PricewaterhouseCoopers. He also spent several years designing and implementing cryptosystems for electronic commerce solutions for Fortune 1000 clients and government agencies.
But the links to Hollywood run deeper than war gaming and role play. When he is not defining and implementing the security strategy for Google's enterprise product suite, you are likely to find him practising the more arcane pursuits of magic and mentalism.
Indeed, you may know him better as Eran Raven, the contestant from NBC television show, Phenomenon.
“On a personal basis, I think the mentalism and profiling makes you curious,” he says. “It makes you want to attack problems, break them down and not accept the status quo. As a good security professional, I take those same types of skills. That’s really the way we do things a Google; let’s not accept things just because that’s the way it has been done in past. Let’s really attack it, break it down and ask: How can we do this better and change the way computing is done.”
It’s one of the reasons Google operates its own infrastructure, and custom-builds firewalls at the front end. But Feigenbaum maintains the real measure of a good security organisation is not just about security itself, but about how it reacts to an incident. For its part, Google employs more than 250 dedicated security professionals, as well as internal audit and compliance teams, physical security teams and those within the product teams.
“People don’t like to talk about it — we never want to think about getting into a car accident,” he says. “But the reality is security incidents happen for various reasons. It’s about how you react to that. Having a 24/7 security team is part of that and having our major security operations in California and Zurich so we can work through time zones.
"When there is a security incident, we assign an incident coordinator whose job is to triage that incident. And I think a big misnomer about this is if there is a security incident that affects customer data, we believe and contractually commit that it is our responsibility to notify those customers. There’s an idea that if something happens to your data, you won’t know. For sure – we will tell you.”
He says for all the hand wringing about Cloud security, it’s important to maintain perspective, even though he admits it is no panacea.
“We make headlines because we are Google,” he says. “But the reality is worse stuff is happening in the traditional environment every day.
“Is Cloud computing perfect security? No. It’s not. I’ll be the first one to say that. I was in an intelligence community where we proved we could find out information about a computer that was not connected to a network and was in a secure room, using various technologies. But I think Cloud computing is as secure, if not more secure, than what most organisations are doing today.”
Follow CIO Australia on Twitter: @CIO_Australia
Follow Georgina Swan on Twitter: @swandives
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.
How to Switch From iPhone 5S to BlackBerry Z30 (and Why)
CIOs to Become In-House Brokers -- and That's a Good Thing
The future of computing
10 Hot Hadoop Startups to Watch
The future of computing
Journey to the Future-State framework
Defining the future role and cataloguing the competencies that would take CIOs there was only the first step. In 2009 Council members pushed for more – they wanted to help the IT profession make the journey from Functional Head (where IT is inevitably viewed as a cost centre) to a Business Strategist (where IT is externally focused and viewed as an organisational ‘game changer’). Although a single prescription for advancing the role is impossible because CIOs circumstances are all different, members wanted a general roadmap and guidelines.
Secure by design - How to dramatically simplify data protection, access control and other critical security tasks
This white paper examines how you can dramatically reduce the effort required to protect mission-critical information, while giving users fast, simple, flexible remote access that enhances business productivity.
Top 20 Critical Security Controls - Compliance Guide
Simply being compliant is not enough to mitigate attacks and protect critical information. Organizations can reduce chances of compromise by shifting away from a compliance-driven approach. This guide provides the Top 20 Critical Security Controls (CSCs) developed by the SANS Institute to address the need for a risk-based approach to security.