In a recently published Infrastructure Security Design Overview document, Google has revealed that it uses proprietary chips to ensure the security of its servers in its own and third-party data centers.
As spotted by The Reg, the document says that the company designs “custom chips, including a hardware security chip that is currently being deployed on both servers and peripherals. These chips allow us to securely identify and authenticate legitimate Google devices at the hardware level.”
In house, in data center
“Google server machines use a variety of technologies to ensure that they are booting the correct software stack,” it continues.
“We use cryptographic signatures over low-level components like the BIOS, bootloader, kernel, and base operating system image. These signatures can be validated during each boot or update. The components are all Google-controlled, built, and hardened.
“With each new generation of hardware we strive to continually improve security: for example, depending on the generation of server design, we root the trust of the boot chain in either a lockable firmware chip, a microcontroller running Google-written security code, or the above mentioned Google-designed security chip.”
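The signed boot chain described in the quoted passage can be sketched as follows. This is an added example, not Google's code and not part of the original article; the stage names, image bytes, all-zero demo key seed, name-binding digest and the choice of Ed25519 are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Stage is one boot component (constructed sample data, not a real image format).
type Stage struct {
	Name       string
	Image, Sig []byte
}

var Order = []string{"bios", "bootloader", "kernel", "os-image"}

// digest binds the slot name to the image so it cannot be replayed in another slot.
func digest(name string, image []byte) []byte {
	h := sha256.Sum256(append([]byte(name+"\x00"), image...))
	return h[:]
}

// VerifyChain checks each stage against the root-of-trust key and halts at the first failure.
func VerifyChain(root ed25519.PublicKey, chain []Stage) (booted []string, err error) {
	for i, slot := range Order {
		if i >= len(chain) || chain[i].Name != slot ||
			!ed25519.Verify(root, digest(slot, chain[i].Image), chain[i].Sig) {
			return booted, fmt.Errorf("halt: %s failed verification", slot)
		}
		booted = append(booted, slot)
	}
	return booted, nil
}

// BuildChain is the build side: a demo key (fixed seed) signs each stage.
func BuildChain() (ed25519.PublicKey, []Stage) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	var chain []Stage
	for _, n := range Order {
		img := []byte("constructed-image-" + n)
		chain = append(chain, Stage{n, img, ed25519.Sign(priv, digest(n, img))})
	}
	return priv.Public().(ed25519.PublicKey), chain
}

func main() {
	root, chain := BuildChain()
	chain[2].Image[0] ^= 0xff // simulate a modified kernel image
	fmt.Println(VerifyChain(root, chain))
}
```

Only the public key needs to live in the lockable firmware chip, microcontroller or security chip; the signing key stays with the build system.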
Google was infamously implicated in the 2013 Snowden leaks, where it was revealed that the NSA and GCHQ had successfully tapped the corporation’s data centers.
The document states: “To protect against sophisticated adversaries who may be trying to tap our private WAN links, the infrastructure automatically encrypts all infrastructure RPC [remote procedure calls] traffic which goes over the WAN between data centers, without requiring any explicit configuration from the service. We have started to deploy hardware cryptographic accelerators that will allow us to extend this default encryption to all infrastructure RPC traffic inside our data centers.”
Previously, Google revealed that it designed its own ‘Tensor Processing Units’ for machine learning projects. While the company has been relatively quiet about how widespread its TPUs are, it has said they were used for the AlphaGo project, as well as to cut the costs of its Cloud Vision API by roughly 80 percent.
The document details several other security measures adopted by Google, including “independent biometric identification systems, cameras, and metal detectors” when colocating in third-party data centers, as well as revealing that the company scans employees’ devices to “ensure that the operating system images for these client devices are up-to-date with security patches.”