Bank robberies, military compounds, and spies: that’s what you might think of when it comes to data center security. And to be honest, you’re not too far off. But how exactly does Google reliably secure its data centers? It all starts with six layers, also known as Defense in Depth. Layers become progressively more protected with access checks as you move to the core of the data center. Layers one and two involve property boundaries, vehicle crash barriers, fences with motion detection, guard kiosks, and thermal cameras. Layer three gives you access to the secure lobby, where you get your irises scanned, and will find the general office area where hardware and data center operations teams work. You’re now in the data center building.
Badge checks exist at every entry point, and only one person can go through a door at a time. As you move to layer four, you’ll find operational rooms, like the core network room and security operations center, which contains a highly trained staff that monitors all aspects of security and can keep a level head at all times. Next is layer five, the data center floor. Less than 1% of Googlers ever get to set foot here. This is where data lives. In order to advance, you have to walk through a circle lock, a big glass tube that lets only one person enter at a time. Here, you get your credentials checked and your irises scanned. This is a form of dual-factor authentication. You must present two forms of identification (in this case, a badge and biometric data) to validate an individual’s identity.
Layer six is disk erase, where retiring hard drives get their data wiped and reused or shredded and recycled. Only those with special access can enter the disk erase room and retrieve drives through a secure two-way locker system. In order to exit layers five and six, you’re required to go through full metal detection under the supervision of a staff member. But what about protecting from the outside? We’re talking asteroids, electromagnetic pulses, fires, pandemics, and zombies. We run dozens of drills a year, engaging unannounced skilled adversaries to try to get past controls. After every testing attempt, we always evaluate our performance to ensure the strength of our security controls and iterate controls, as needed. Now, that’s what you call a culture of security. If you want to learn more, check out cloud.google.com/security.