Imagine what would happen if all the Google engineers turned rogue and held the world’s Gmail accounts to ransom. Or if aliens attacked earth and wiped California off the map.
It sounds more like something from a Hollywood movie script than real life, but that’s the nature of disaster recovery — you rarely see it coming.
It may come as a surprise, however, to learn that the folks at Google Enterprise have considered just these scenarios.
“We play a lot of games here,” admits Google Enterprise director of security, Eran Feigenbaum. “Part of our disaster recovery plan is to assume the worst has happened. In last year’s scenario, Google was attacked by aliens and California was off the map. We asked: What do we do? How do we run our infrastructure?”
Read the full interview
Feigenbaum holds some serious security credentials; before joining Google in 2007, he held the post of US chief information security officer (CISO) for PricewaterhouseCoopers. He also spent several years designing and implementing cryptosystems for electronic commerce solutions for Fortune 1000 clients and government agencies.
But the links to Hollywood run deeper than war gaming and role play. When he is not defining and implementing the security strategy for Google's enterprise product suite, you are likely to find him practising the more arcane pursuits of magic and mentalism.
Indeed, you may know him better as Eran Raven, the contestant from NBC television show, Phenomenon.
“On a personal basis, I think the mentalism and profiling makes you curious,” he says. “It makes you want to attack problems, break them down and not accept the status quo. As a good security professional, I take those same types of skills. That’s really the way we do things a Google; let’s not accept things just because that’s the way it has been done in past. Let’s really attack it, break it down and ask: How can we do this better and change the way computing is done.”
It’s one of the reasons Google operates its own infrastructure, and custom-builds firewalls at the front end. But Feigenbaum maintains the real measure of a good security organisation is not just about security itself, but about how it reacts to an incident. For its part, Google employs more than 250 dedicated security professionals, as well as internal audit and compliance teams, physical security teams and those within the product teams.
“People don’t like to talk about it — we never want to think about getting into a car accident,” he says. “But the reality is security incidents happen for various reasons. It’s about how you react to that. Having a 24/7 security team is part of that and having our major security operations in California and Zurich so we can work through time zones.
"When there is a security incident, we assign an incident coordinator whose job is to triage that incident. And I think a big misnomer about this is if there is a security incident that affects customer data, we believe and contractually commit that it is our responsibility to notify those customers. There’s an idea that if something happens to your data, you won’t know. For sure – we will tell you.”
He says for all the hand wringing about Cloud security, it’s important to maintain perspective, even though he admits it is no panacea.
“We make headlines because we are Google,” he says. “But the reality is worse stuff is happening in the traditional environment every day.
“Is Cloud computing perfect security? No. It’s not. I’ll be the first one to say that. I was in an intelligence community where we proved we could find out information about a computer that was not connected to a network and was in a secure room, using various technologies. But I think Cloud computing is as secure, if not more secure, than what most organisations are doing today.”
Follow CIO Australia on Twitter: @CIO_Australia
Follow Georgina Swan on Twitter: @swandives