
How Google Tackles IT Security And What You Can Learn from It

Speakers: Eran Feigenbaum, Director, Google Apps Security; John “Four” Flynn, Lead, Google Security Monitoring; Eric Sachs, Product Manager; Brad Taylor, Gmail Spam Czar; Serena Satyasai, Product Marketing Manager



Today’s Speakers

Eran Feigenbaum: As the Director of Security for Google Apps, Eran defines and implements security strategy for Google's suite of Enterprise products. Prior to joining Google in 2007, Eran was the US Chief Information Security Officer for PricewaterhouseCoopers (PwC). Eran holds a bachelor's degree in electrical and computer engineering from the University of California at Irvine, and an MBA from Pepperdine University.

Eric Sachs: Eric has over 15 years of experience with user identity & security for hosted web applications. During his 5+ years at Google he has worked as a Product Manager for many services including Google Accounts, Google Apps, orkut.com, Google Health, Google Security, and Internal Systems. Eric holds a B.A. in Computer Science & Managerial Studies from Rice University.

John "Four" Flynn: John has an extensive background in network monitoring, intrusion detection, and incident response. He currently leads Google's Security Monitoring program and is a founder of Google's Security Metrics group. John holds an MS in Computer Science/Information Assurance from George Washington University.

Brad Taylor: Known as Gmail's 'Spam Czar', Brad leads Gmail's technical anti-spam, anti-abuse and email delivery engineering efforts. Brad has played a key role in the development of Gmail's spam filter since Gmail launched in April 2004. Brad holds a Master of Science degree in Electrical Engineering from Stanford University.


Agenda

• The Security of Google Apps
• SAML, OpenID and OAuth
• Modern security monitoring techniques
• DKIM/SPF – The Power Behind Gmail’s spam filtering
• Q&A


Google Solutions for IT

• Develop innovative user-centric technology for businesses
• Backed by Google’s core research and development
• 1000+ people focused on Enterprise
• 20,000+ active search customers
• 3,000+ businesses sign up for Google Apps daily


Google Apps Premier Edition – for your domain

Messaging: Gmail, Calendar, Talk (IM)
Collaboration: Docs, Sites, Video

Product features listed on the slide:
• Built-in spam protection
• Easy web publishing
• 25GB storage
• Wikis, team space, blog
• Fast search
• Permission-based sharing
• Personal, shared, public
• Real-time collaboration
• Resource scheduling
• Word processing
• RSVPs and updates
• Spreadsheets, presentations
• Video, voice, IM
• Web-hosted video
• Presence
• YouTube for your domain
• Browser-based access
• Secure, internal sharing

Web-based Admin controls for moves, adds, changes, usage reporting. AV/AS, content monitoring and filtering, policy-enforced TLS by Postini. 365/24/7 support — 99.9% Uptime — Mobile options — Integration APIs — Partner program — Ad-Free

$50


Google Apps Customers

• Enterprises — Fortune 500 and Public Sector
• Small and Mid-Size Businesses
• Academic and Non-Profit Organizations

More than 1.75 million businesses; thousands of new businesses every day


Where’s the Best Place For My Data? Company Servers vs. In the Cloud


A better way of doing business: Then vs. Now


Why is Security So Tough? Data Problem: Users want to access their data anytime, from anywhere

• 60% of corporate data resides unprotected on PC desktops and laptops
• 1-out-of-10 laptop computers will be stolen within 12 months of purchase
• 66% of USB thumb drive owners report losing them, over 60% with private corporate data on them


Why is Security So Tough? Patching Problem

1. Companies have multiple operating systems, each with different versions
2. Different applications and different security patches for different applications
3. Most companies take 25 to 56 days on average to deploy an OS patch
4. $$$: Companies spend more than $2 billion annually on patches
5. While you’re working on deploying your patch, other people are working on reverse engineering and gaining access to your environment


Google’s approach to security

People
• Hire some of the world's foremost experts in security
• Google Code of Conduct
• Security Training

Process
• Security baked into our products from the initial design, not an afterthought
• Secure Code development process
• External Security Audits
• Reduce end point vulnerability and manual patching

Technology
• Custom built hardware
• Data replicated in multiple datacenters
• Data sharding across servers
• Data obfuscation on disk
• Rigorous media disposal process
• Tight control of the network perimeter

Security is part of Google DNA. Leverage Google’s expertise in security.


Why Should I Trust Google?

• User trust is key to our business
• Strong privacy policy for customer data
• We store our own data in the same environment




Welcome to ShoesAreUs

• Adam is the Enterprise admin at this 500 person company
• They use multiple SaaS vendors such as Google Apps, Salesforce, WebEx, etc.
• Sara and Tom are the new employees of the week
• Adam goes to the admin panel of each vendor to add an account for them, though he reuses a single password on each SaaS vendor that is specific to the employee
• Uh oh...
  o Mike was fired yesterday, and Adam forgot to go to each vendor and remove Mike's account, so he is still able to get in
  o They think Frank's password might have been stolen too, but it's too much work to change it in all these places


Federated Login


But what if you are not a large enterprise?

• Try to do it yourself
  o Usually Active Directory or nothing
  o Problem: a single point of failure
• Federated Login as a service
  o Growing set of vendors: Ping, Tricipher, Symplified, etc.
  o SAML as "standard" but still requires a lot of configuration
  o Adoption by more businesses leads to support by more SaaS vendors


Four options

1. Don't use a central login system
2. Deploy it yourself using enterprise software (Ping, Microsoft, IBM, CA, etc.)
3. Outsource to an identity vendor (Ping, Symplified, Tricipher, etc.) who provides configuration for lots of SaaS vendors
4. Use Google Apps, but only with a subset of SaaS vendors


Moving beyond passwords

• Try adding stronger forms of authentication than passwords
• SaaS vendors have some very advanced methods to protect against password hacking
  o ...but passwords can still be stolen or phished
• OTP = one time password generator


But I don't want to carry another device!

Usability is getting a lot better


Warning: Installed software

• Software on PCs and mobile devices
  o Example: POP, IMAP, Outlook
• Options
  o Machine generated passwords: AIdk3audD8
  o Blackberry Enterprise Server
    - Also supported by Google App Connector
  o Software that launches a web browser
    - Google Apps Sync for Outlook
• Learn more by searching for "oauth goog"




Security Monitoring

How does Security Monitoring fit into the Security Function?
• Augments Prevention, doesn't replace it
• Humans have to be involved in analysis, but you can greatly optimize use of their time
• Monitoring <=> Incident Response cycle is very important
  o Feedback from forensics into monitoring
• Monitoring tools should keep at least three months of history online for forensics


Security Monitoring: A Recipe

• Determine what data to collect
• Create a collection and aggregation system for the raw data
• Create a set of analyzers on top of that dataset to look for known indications of misuse or compromise
• Provide a way to browse your dataset to allow for discovery of new indicators
  o Provide a low friction way of adding new analyzers
• Deploy an aggregation system to rank and filter the indicators
  o Provide context on indicators for human analysts
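The recipe above as a small pipeline, added here as an illustration and not Google's tooling: raw log lines are collected into one dataset, analyzers registered with a decorator emit indicators (the low-friction way of adding new ones), and an aggregation step ranks hosts and attaches context for the analyst. The log lines, hostnames, the watchlist domain and the weights are all constructed.

```python
from collections import Counter, defaultdict

# Constructed sample log: "<time> <host> <user> <event> <detail>"
RAW_LOG = """\
08:00:01 ws-12 alice login ok
08:01:00 ws-33 bob login fail
08:01:02 ws-33 bob login fail
08:01:04 ws-33 bob login fail
08:02:00 ws-33 bob dns_query evil-c2.example
08:03:00 ws-12 alice dns_query mail.example.com
"""
BAD_DOMAINS = {"evil-c2.example"}  # constructed watchlist

def collect(raw):
    """Steps 1-2: parse raw lines into one structured, queryable dataset."""
    events = []
    for line in raw.splitlines():
        ts, host, user, event, detail = line.split(" ", 4)
        events.append({"ts": ts, "host": host, "user": user,
                       "event": event, "detail": detail})
    return events

# Steps 3-4: analyzers for known misuse. Registering with a decorator keeps
# adding a new analyzer low-friction: one function, no pipeline changes.
ANALYZERS = []
def analyzer(weight):
    def register(fn):
        ANALYZERS.append((weight, fn))
        return fn
    return register

@analyzer(weight=3)
def brute_force(events):
    fails = Counter(e["host"] for e in events
                    if e["event"] == "login" and e["detail"] == "fail")
    return [(h, f"{n} failed logins") for h, n in fails.items() if n >= 3]

@analyzer(weight=5)
def known_bad_dns(events):
    return [(e["host"], f"DNS lookup of {e['detail']}") for e in events
            if e["event"] == "dns_query" and e["detail"] in BAD_DOMAINS]

def rank_indicators(events):
    """Step 5: aggregate per host, rank by weight, attach context for a human."""
    score, why = defaultdict(int), defaultdict(list)
    for weight, fn in ANALYZERS:
        for host, reason in fn(events):
            score[host] += weight
            why[host].append(reason)
    users = {e["host"]: e["user"] for e in events}
    return sorted(({"host": h, "score": s, "user": users[h], "why": why[h]}
                   for h, s in score.items()), key=lambda r: -r["score"])
```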


Security Monitoring Challenges

Challenge: Identity
• Ensure your organization has a business need other than security to maintain inventory services

Challenge: Scaling
• We benefit from Google Infrastructure. Consider ways to use cloud computing to help scale analysis

Challenge: Environmental Noise
• Gaining control over your environment makes detection easier


Security Monitoring: Trends

• Network analysis: becoming less useful against malware over time but very useful for forensics
• Antivirus: No longer enough on endpoints
• Automatically qualify alerts
  o Virtual Machines




Gmail and Spam Fighting

• Gmail's spam fighting technology helps keep unwanted messages out of the inboxes of our tens of millions of Gmail users
• We process over 1 billion SMTP requests every day, which gives us visibility into many kinds of web-based threats and helps us detect and block new varieties of spam
• Gmail is available in 53 languages worldwide


DomainKeys/DKIM & SPF

• Gmail was an early adopter of email authentication
• DomainKeys & DKIM
  o Sending domain cryptographically signs the email
  o Recipient domain uses public key cryptography to verify the signature, and thus the sending domain
• SPF
  o Lets a domain publish in DNS which IPs are valid email sending IPs
  o Recipient domain can verify the IP is valid for that domain
• Reputations can be tracked, and forgeries rejected


DKIM vs. SPF

• SPF is easier to implement, but doesn't handle forwarded mail
• DKIM handles forwarded mail, but is harder to implement
• Both are good
• Gmail has a lot of forwarded mail
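A minimal SPF evaluator, added here as an example rather than anything from the talk, showing the forwarding failure mode the slide mentions: the same legitimate message passes when the sending domain's own server connects but fails once a forwarder re-sends it from its own IP. The domains, records and IP addresses are constructed, and only the ip4 mechanism and the all qualifier are implemented.

```python
import ipaddress

# Constructed records, as a sending domain would publish them in DNS (TXT).
SPF_RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "shop.example": "v=spf1 ip4:203.0.113.5 ~all",
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, client_ip):
    """Evaluate the connecting IP against the domain's record. Supports only
    ip4 mechanisms and 'all' (a small subset of RFC 4408)."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier, mech = "+", term
        if term[0] in "+-~?":
            qualifier, mech = term[0], term[1:]
        if mech.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        elif mech == "all":
            matched = True
        else:
            continue  # include:, a, mx, ... are not implemented here
        if matched:
            return RESULT[qualifier]
    return "neutral"  # no mechanism matched

def direct_delivery():
    """bank.example's own server (inside 192.0.2.0/24) connects to Gmail."""
    return spf_check("bank.example", "192.0.2.10")

def forwarded_delivery():
    """A forwarder re-sends the same message from its own IP (constructed),
    so the IP no longer matches the original sender's record: SPF fails even
    though the mail is legitimate. DKIM's signature travels inside the
    message, which is why it survives the same hop."""
    return spf_check("bank.example", "198.51.100.7")
```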


Using Authentication for anti-phishing

• Gmail rejects any unsigned or unauthenticated eBay or PayPal email, as a matter of policy.
• It's a small step towards restoring trust in email.
• Other financial institutions are working towards this.
• When a phishing target signs all of their email, Gmail can display a special authentication key.


Spam is what our users say it is

• Gmail's definition of spam is what our users say it is.
• We expect sending domains to send only wanted email.
• We track how users respond to authenticated domains and compute reputations
  o In Inbox, if user doesn't hit "Report Spam" then: +1
  o In Inbox, if user hits "Report Spam" then: -1
  o In Spam, if user hits "Not Spam" then: +1
  o In Spam, if user doesn't hit "Not Spam" then: -1
• A reputation score is computed from this per domain and used for spam classification.


Using reputation for spam filtering

• Domains above a threshold are automatically whitelisted
• Domains below a threshold are automatically blocked
• Those in between use other factors: the reputation score is used as one of many factors
• Those without authentication use other factors, and are likely spam

Example domains shown on the slide: paypal.com, hotmail.com, spam-pharmacy.example.com
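The +1/-1 rules from the previous slide and the threshold logic from this one, carried through as an added, constructed model (not Gmail's actual scoring): user feedback events per authenticated domain are turned into a normalised reputation, and the classifier whitelists, blocks, or falls back to other factors. The feedback events and the two threshold values are assumptions; the talk gives no numbers.

```python
from collections import defaultdict

WHITELIST_ABOVE = 0.8  # assumed thresholds; the talk does not give values
BLOCK_BELOW = 0.2

# Constructed feedback events: (authenticated domain, folder, user action).
# folder is "inbox" or "spam"; action is "report_spam", "not_spam" or None.
FEEDBACK = [
    ("paypal.com", "inbox", None), ("paypal.com", "inbox", None),
    ("paypal.com", "inbox", None), ("paypal.com", "spam", "not_spam"),
    ("hotmail.com", "inbox", None), ("hotmail.com", "inbox", "report_spam"),
    ("hotmail.com", "spam", None), ("hotmail.com", "spam", "not_spam"),
    ("spam-pharmacy.example.com", "inbox", "report_spam"),
    ("spam-pharmacy.example.com", "spam", None),
    ("spam-pharmacy.example.com", "spam", None),
]

def vote(folder, action):
    """The slide's four rules: leaving mail in Inbox or rescuing it from Spam
    is +1; reporting spam or leaving mail in Spam is -1."""
    if folder == "inbox":
        return -1 if action == "report_spam" else +1
    return +1 if action == "not_spam" else -1

def reputations(events):
    """Per-domain reputation, normalised here to the share of +1 votes."""
    pos, total = defaultdict(int), defaultdict(int)
    for domain, folder, action in events:
        total[domain] += 1
        if vote(folder, action) > 0:
            pos[domain] += 1
    return {d: pos[d] / total[d] for d in total}

def classify(domain, authenticated, reps, other_factors_say_spam=False):
    """Apply the thresholds. Only an authenticated domain can earn the
    whitelist; everything else falls back to the other filtering factors."""
    if authenticated and domain in reps:
        if reps[domain] > WHITELIST_ABOVE:
            return "inbox (whitelisted)"
        if reps[domain] < BLOCK_BELOW:
            return "blocked"
    return "spam" if other_factors_say_spam else "inbox (other factors)"
```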


Get more information

• Security of Google Apps: www.google.com/apps/security
• Google OAuth & Federated Login Research: https://sites.google.com/site/oauthgoog/
• Google Apps: http://googleenterprise.blogspot.com/
• Gmail: http://gmailblog.blogspot.com/
• DKIM: www.dkim.org
• SPF: www.openspf.org


Sign Up For A Free 30-Day Period Today

http://www.google.com/apps/business
http://www.google.com/apps/exchange
http://www.google.com/apps/notes


google & security