Security Backgrounder

For Google Security and Compliance Products
INTRODUCTION

The ubiquity of electronic communications is a double-edged sword. While these communication channels play an increasingly vital role in organizations' ability to compete, they also expose the companies that use them to a growing onslaught of spam, viruses, spyware, worms, and a host of other threats. In addition, these organizations are subject to numerous regulations and policy mandates that impose a compliance burden.

Different approaches have evolved to secure these communications, but most are based on point solutions that are expensive and complicated to implement and maintain. In contrast, Google's security and compliance products, powered by Postini, offer a single, on-demand platform that ensures the security and increases the compliance of multi-channel communications. More than 40,000 businesses around the globe trust Google to process and monitor their electronic communications – protecting their critical intellectual assets from external threats.

Using a multi-layer security strategy that combines advanced technologies, industry-standard policies, and best practices, Google maintains the availability, integrity, and confidentiality of its systems – and its clients' messages. This paper provides an in-depth overview of the multi-layer security strategy for Google's security and compliance products, which is comprised of seven components: privacy and data integrity, organizational, physical, network, application, host, and operational security.

PRIVACY AND DATA INTEGRITY

The security policies and procedures for these services are specifically designed to protect the confidentiality of the sensitive information that is often contained in clients' electronic communications, as well as the privacy of users.

Google's security and compliance products use a patented, pass-through processing technology to evaluate message content in real time using a variety of proprietary techniques. The company does not conduct manual processing of clients' electronic communications. This holds true for all electronic communications processed by Google security and compliance products, whether the content is considered legitimate or spam – including messages held in quarantine. This approach helps companies that must comply with government privacy regulations, such as the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA), feel confident that they can rely on these services to protect their highly sensitive and confidential email transactions.

In support of the security and compliance products, Google takes the privacy of users very seriously by taking the following steps:

  • Google does not require users to provide personal contact or demographic information. Clients can deactivate services at any time by turning off application settings.
  • Google never sells or makes available individual names, lists of users, or aggregate data to any third parties.
  • Google only uses client user configuration information to deliver services that match the client's requirements and not for any other purpose.
  • Google keeps all user-specific and email message information, including content, addresses, categorizations, and internet protocol (IP) addresses strictly confidential.

Google also stands behind its commitment to keep client data protected at all times through the following provisions in its standard client contract:

  • Google security and compliance products include specific confidentiality provisions in every client contract. While the provisions may differ based on client location, they are unambiguous in stating the commitment to the confidentiality of client-specific data. The company considers all client data the client's property and will not use it for any purpose other than those specified in the contract. In addition, client data associated with the security and compliance products is not shared with any third party.
  • When handling transactions for the security and compliance products, Google makes not only a contractual commitment but also an operational commitment to preserving client data integrity. It objectively measures its security systems as part of the certification and security audit process, based on the International Organization for Standardization (ISO) 17799 standard for information security policies and the Generally Accepted Privacy Principles (GAPP) standard. It also conducts an annual, independent validation of its operational integrity and security best practices using the AICPA Trust Services and SAS 70 Type II standards.
  • Google's commitment to confidentiality and data security is integral to the security and compliance products' architecture. Designed from its inception to reduce the risk of client data loss or exposure, the system architecture is based on real-time in-memory processing, allowing the company to meet the service-level agreements described in the client contract.

ORGANIZATIONAL SECURITY

The cornerstone of the security strategy, organizational security encompasses both the security staff and the policies it creates to define and maintain the other six components of the security strategy.

The experienced Google security and compliance products information security staff:

  • Develops, documents, and implements the division's security policies and standards
  • Reviews all system-related security plans for both internal (non-client facing) and production networks using a rigorous, multi-phase process
  • Implements a formal incident response process to quickly and effectively recognize, analyze, and remediate information security incidents and threats
  • Monitors compliance with established policies through ongoing security risk assessments and internal audits

Both the information security program and its policies are based on the ISO 17799 standard, the most widely accepted international standard for building a secure enterprise infrastructure. ISO 17799 includes a comprehensive set of controls for and best practices in information security.

Google's security and compliance products have received independent validation of their operational integrity and security best practices using the AICPA Trust Services and SAS 70 Type II standards, certifying that the company has disclosed its business and security practices and has been audited to verify that it follows those practices.

PHYSICAL SECURITY

The physical security program protects the Google security and compliance product data centers in state-of-the-art, highly secured facilities. Each facility includes 24x7 onsite security guards, external and internal closed-circuit TV video surveillance, and comprehensive physical access controls. Only authorized employees can access the locked cages within the facility.

Each of the company's seven primary data centers has a matching secondary, or continuation, data center that automatically takes over critical operations if the primary data center fails. To help prevent the possibility of overlapping catastrophic events causing the failure of a pair of data centers, the company maintains each primary data center in a different geographic region from its matching secondary data center.

Every appropriate data center facility includes raised data center floors and seismically protected equipment to prevent damage or loss from earthquakes or flooding. Additional environmental controls safeguard all equipment and systems in the facility, including water, heating, and cooling connections to the heating, ventilation, and air conditioning (HVAC) temperature controls, backup power supplies and generators, and fire suppression systems.

Figure 1: Google's security and compliance services global network
NETWORK SECURITY

The production network, containing the data processing and storage systems for all clients, ensures maximum reliability and uptime. Each primary system is duplicated at the continuity site, which mirrors all message flow operations. Processing systems are internally load-balanced to distribute processing and communications activity across network links and resources for best performance and traffic throughput. To prevent damage or loss due to unexpected hardware or software failures, subsystem redundancy within the systems provides a high degree of fault tolerance.

The Network Operations Center (NOC) personnel responsible for the Google security and compliance products systems closely guard and monitor access and system conditions 24x7 to ensure high availability and security.

APPLICATION SECURITY

With their patented technology for processing messages in memory in real time, the Google security and compliance products provide the highest level of security for the core email security service. It eliminates the need to write valid emails to disk, protecting client messages from the unauthorized access, destruction, or accidental loss that could occur if they resided on a disk or server.

The Postini Threat Identification Network (PTIN)®, a critical component of the messaging technology, operates in conjunction with the real-time message processing, tracking and updating in real time the origin IP addresses of servers suspected of sending unwanted message traffic.

For clients that need message archiving to meet compliance requirements, it protects their stored data with a combination of security devices that appropriately restricts traffic to and from the production environment in accordance with the company's rigorous security policies.

As shown in Figure 2, the Google security and compliance products' architecture includes two security zones: the secure common processing zone and the secure private processing zone.

THE SECURE COMMON PROCESSING ZONE

The secure common processing zone handles the flow of both email and client web access. During pass-through processing, the system instantly delivers legitimate email to each client's destination mail server, further evaluating any message suspected of harboring a virus or fitting a spam profile.

Depending on client preference, the services can block or quarantine suspicious email to a web-accessible storage area for client (i.e., administrator and/or end-user) review.

Figure 2: Google security and compliance products architecture

Company administrators access the web-based administrative console, and end-users access the message center, over Secure Sockets Layer (SSL) sessions, an industry-standard public key cryptography methodology for data communications. Company-specific and industry-standard authentication mechanisms together enforce strict access control on personal data and ensure 100% integrity.

All passwords used by administrators or end-users to log into the administration console are encrypted during network transport. In addition, all passwords are stored in encrypted form in the service's databases. Clients with highly sensitive email communications can also choose the optional encrypted email delivery service module for encrypted transmission at the message and/or transport layer.

THE SECURE PRIVATE PROCESSING ZONE

The system stores and protects messages as part of its archiving services, quarantines potentially harmful messages, and protects all client profile and preference information in the secure private processing zone.

For all clients using Google Message Filtering, powered by Postini, or Google's Message Security, powered by Postini, the system quarantines suspect messages in a proprietary database. To provide even greater protection from unauthorized access, the system stores the message headers and bodies of quarantined messages separately. The services also write all quarantined messages to disk four times, to two redundant servers, both of which use mirrored storage. This design virtually eliminates the possibility of message loss.

In addition to storing messages for Google's Message Discovery, powered by Postini, the system also writes clients' valid emails to disk in three other instances. The first two instances – when a quarantined email contains a false positive and when extremely large message attachments cause mail delivery delays – constitute an extremely small percentage of messages processed.

The third instance, disaster recovery mail spooling, is a by-request option that allows the system to store a client's email in the event the client's mail servers are unavailable for any reason. Messages are stored in a secure database until the message flow is restored to the client's email server and delivery is requested either manually via the administrative interface or automatically by setting the service to auto-detect server availability.

HOST SECURITY

Google security and compliance products use proprietary, hardened system software to run their production applications. All system builds and upgrades use automated processes to deliver consistency, eliminate the risk of human and administrative error, and include tests to verify post-installation processing integrity.

Before implementing any third-party software, the security staff:

  • Ensures that the application can deliver the intended functionality and operate in a stable and reliable manner in the production environment
  • Closely evaluates any possible application shortcomings to determine potential impact on security and performance standards
  • Thoroughly reviews and approves patches and upgrades to third-party software before applying them to the company's production servers

To monitor system security, the staff conducts regular internal and external vulnerability assessments on the company's email processing infrastructure to identify additional areas of potential exposure. The assessments also include a repair management process that tracks system restoration against a repair timeline.

OPERATIONAL SECURITY

Google recognizes that employees play a critical part in a company's ability to adhere to security and privacy standards. To address this, the security policies and procedures cover the company's personnel policies and daily operations. Prior to employment, Google conducts appropriate background checks on every individual offered employment. Upon hiring, every employee attends security training that details the company's policies and procedures. In addition, all employees that support, maintain, or develop Google security and compliance products are required to attend information security awareness refresher training annually.

Once hired, only authorized support personnel have access to the data centers and secure cage areas, as well as network access to the production network. Administrators conduct system administration over encrypted and authenticated remote connections. All operations employees are thoroughly trained on processes and procedures before being cleared to perform any system administration functions.

Authorized support personnel can only access production data to troubleshoot problems, conduct installations or upgrades, handle client migrations, verify client connectivity, and evaluate performance trends directly related to Google's security and compliance products. Any unauthorized manipulation of client data by authorized personnel is strictly prohibited. In rare cases, authorized support personnel may also access a client's electronic message environment for the sole purpose of troubleshooting a client-related issue. Clients must approve this access and any changes in advance.

As part of the company's SAS 70 Type II audit, the company periodically evaluates the impact that personnel have on adherence to security and privacy standards when accessing client specific information. Areas covered in this audit include the detailed hiring process, access privileges granted to each employee, and periodic review and training of the company's security and privacy policies.

CONCLUSION

Companies that trust their business communications to Google's security and compliance products can be assured that the privacy and integrity of these messages are protected by the multi-layered security strategy. Combining information security policies and best practices with a patented, state-of-the-art processing technology, the company's approach gives companies the peace of mind that their sensitive intellectual property is in secure, professional hands.

ABOUT GOOGLE MESSAGE SECURITY AND COMPLIANCE

Message security and compliance products, powered by Postini, are available to businesses and organizations that want to make their existing email infrastructures more secure, compliant, and productive. The message security products protect you from spam and messaging threats. The compliance products enable you to enforce message policy and content management, archive messages with discovery services, secure your web browsing, and encrypt your sensitive email. Delivered as a service, there is nothing to install or maintain, so you can start small and add services as your requirements grow.


© Copyright 2008 Google