Infosecurity Europe 2014 > Cloud Needs to be Trusted and Secure, says Google

Cloud services hold data "in trust", argues senior Google engineer, Peter Dickman.
Cloud service providers hold data in trust for hundreds of millions of users, and must act accordingly, a senior Google engineer told Infosecurity Europe.
"We have hundreds of millions of users and run hundreds of billions of searches," said Peter Dickman, engineering manager at Google Zurich. "There is a lot of data associated with users, and it is held in trust. It is not our data or information, but users' data and information. We hold it on their behalf, and allow them to extract value from it."
This, he argued, puts a real responsibility on cloud companies to protect data, and to ensure both the security and availability of their systems. "We have stewardship responsibilities," Dickman explained.
This, he pointed out, applies not just to Google but also to other global public service providers. But it is by no means the case that the cloud is less secure than locally-run IT services or outsourced datacentres.
Instead, the move to the cloud has shed more light on security shortcomings that already existed in IT, Dickman said. "There are no new security problems created by the cloud. What we think of as new problems are problems we've always had, but we'd not paid enough attention to."
The solution is for cloud service companies to be rigorous in applying information security best practice, including in areas such as authentication, encryption, and running hardened operating systems.
Google is deploying a number of specific measures to improve security, Dickman said, including certificate pinning to avoid man-in-the-middle attacks, pre-loading certificates, and running its own hardened DNS. Providers should "use SSL when they can", and the industry as a whole is moving towards certificate transparency.
Other measures, though, should be ones that all operators of large IT systems deploy. Google's Dickman pointed out that cloud sceptics make much of the need to ensure separation of clients' workloads in multi-tenanted systems. But IT departments should be ensuring such separation anyway, he advised.
"People often say 'but my competitor might be in there'. That is the point of these systems," he noted. "You should be isolating [workloads] whether there is multi-tenancy or not. If you have multiple applications, you don’t want a breach in one to compromise the others." Isolation and sandboxing are techniques IT should be deploying anyway.
Other measures, though, are unique to Google. Physical security and staff security are essential, Dickman said; Google engineers even lay security traps for each other, in case an insider represents a threat. But not all CISOs will want to follow all of Google's examples. One of its data centres now has a resident alligator, attracted by abundant local fish and now adding teeth to the security perimeter.
