Well informed reports (that Google will not deny), that hackers breached Google's most sensitive software code, the Gaia password system, surface titanic security flaws at Google.
Why Google is too big not to fail.
1. "Bigtable" Storage design: How Google stores and accesses "all the world's information" in and from its data centers is: "'Bigtable:' a Distributed Storage System for Structured Data." It is Google's innovation to maximize scalability, speed and cost efficiency -- not security, privacy, or accountability. Simply, Bigtable is an "all eggs in one basket" approach to information storage and access.
- It is the single largest database of information the world has ever known. It is also distributed across the world in Google's multiple data centers. Per Yale computer science Professor Michael Fischer: "Google stores every piece of data in three centers randomly chosen from the many it operates worldwide in order to guard the company's ability to recover lost information."
- Per Google's own Peter Fleischer on his blog: "It's actually very hard to answer the apparently simple question: 'where's my data?'"
- If Google doesn't know where your data is at any given time, how do they know if your own private data has been breached?
- The "Titanic" security flaw in Bigtable's fundamental design is that it is not compartmented.
- Like the Titanic ship that sunk fast because it did not have compartments to partially contain the breach of rapidly incoming water, Google's Bigtable design, where Google stores all the world's information in basically one virtual receptacle without compartments, means that when Google's system was breached, the hackers could theoretically have gone most anywhere in Bigtable.
- Since Google does not employ the standard omni security protocol of compartmentalization, Google would not know what information was breached so that those affected could try and protect themselves from the new liability and danger.
- This helps explain why Google is "turtle-ing" and not giving guidance about what's secure and what's not.
- Most likely, they don't have a clue because Bigtable is simply too big and complex to check.
2. Biggest Target: Google's unique mission to "organize all the world's information and make it universally accessible and useful" has effectively created a world central bank of information. As bank robber Willie Sutton said when asked why he robbed banks, he infamously replied: "Its where the money is."
- The reason Google will always be a number one target for hackers is that in designing a system and database for Google to quickly and efficiently access all the world's information, Google has created the ultimate convenience for hackers to quickly and efficiently access the information they prize because Google put all the valuable information in one virtual place so hackers have a one stop-shop and only one outer wall to overcome.
3. Biggest Speed Freak: Google's #3 corporate priority is "fast is better than slow;" thus speed is one of Google's key competitive differentiators. Google's #2 design principle is "every millisecond counts"... "Nothing is more important than people's time." Unfortunately, if Google actually bothered to ask users what their top priority was, most would say safety and security. Without a foundation of trust, what good is speed?
- As I have written extensively, Google is proactively forcing everyone on the Internet to be faster. Google now ties search ranking to the load speed of websites, Google is trying to change the DNS system, and Google has a whole initiative "to make the web faster."
- Is speed compatible with security, safety and privacy protection? Almost every aspect of security involves some inefficiency, or slowing down to create security checkpoints, verifications, authorizations, patrols, gates, locks, sweeps, spotchecks, etc.
- Do we consider the fastest of just about anything to be safe or the safest?
- Google believes nothing is more important than people's time. By definition, security is thus a subordinate or tertiary concern to Google's business, leadership and engineers.
4. Biggest "Open" Proponent: Google is the single biggest force pushing for openness on the Internet. Google has a corporate philosophy that information and content should be shared. Google's mission is to make all the world's information accessible -- showing that Google feels deeply about breaking down any barriers to bringing information to people (even if it means bending/breaking the law... see: Viacom vs Google, Book Settlement).
- Does anyone consider openness the same as security? Open sharing, an open door, open window, an open interface, are these what most people view as what is most safe and secure? Does openness offer the most protections from bad actors?
- Moreover, Google is attacked because Open Source is more vulnerable to attack than proprietary software, per blogs by a leading open source proponent, here and here.
- Furthermore, Google's own Director of entreprise application security, Eran Feigenbaum, told CIOs and CISOs: "A lot of data and access is exposed in an open API; it's not the traditional UI that a user might expect." "It is incumbent upon you as security officials to know what the security controls of your cloud provider are."
5. Biggest "Free" Proponent: Like Google's philosophy and activism for openness, Google is also widely-recognized as the leading proponent of "free content." At Chris Anderson's Google book signing of his book "Free: the Future of a Radical Price," Mr. Anderson said: Google's Chief Economist Hal Varian "taught me everything I know about free."
- It is both human nature and business practice to treat what is "free" as if it has less value and like it is not in need of extensive protection or security measures.
- Since Google generally takes whatever information it can find and copy, and since it's mission is to make that information universally accessible to everyone for free... in Google's mind it should not be focused on making that information secure from those who seek it.
- The titanic big problem here is that while Google may view the information as free to users, users and others certainly don't view the private information that cohabits Bigtable with "free" information, as not valuable or worthy of high security.
6. Big Monoculture Mindset: Google has a "monoculture" and a "one size fits all" approach to customer service per Yale computer science professor Michael Fischer. Google is well known for its vigorous hiring practices that demand top grades and scores from the top universities, mastery of Mensa brain teasers, and surviving a guantlet of interviews to weed out anyone that won't fit in with the clone culture of the Google founders.
- The result is a very insular culture that tends to all share the same blinders. The most recent example of this monoculture-with-blinders is how Google claimed to have thoroughly vetted its Google Buzz service internally and no one within Google anticipated the privacy uproar that automatically exposing people's previously private email lists to the public would be a problem.
- (Ten nations just sent an open letter to Google wondering how Google's process could have so badly missed these obvious privacy concerns.)
- To better understand the depth of this Google monoculture and "group think" on security matters, consider how Google CEO Eric Schmidt described his Google culture goal in an Economic Club speech in Washington. The company's goal is "to think big and inspire a culture of yes" and that "Google is melding a positive office culture with minimal accountability controls." per Washington Internet Daily 6-10-08).
- A corporate culture that respected and valued security, would have a culture that encouraged someone to be able to say "no" and demanded substantial accountability controls.
In sum, for all the big reasons documented above, Google is a security-challenged company and "security is Google's Achilles heel."
Google's titanic security flaws will only become more problematic now that hackers have figured out how vulnerable Google is, and more importantly, how accessible all this extremely valuable information is.
Simply, Google is too big not to fail.
Previous parts of the "Why Security is Google's Achilles Heel" Series:
- Part I: "Why security is Google's Achilles heel"
- Part II: "Google values security much less than others do"
- Part III: "Google: "Security is part of our DNA" (Do Not Ask)
- Part IV: "Why Security is Google's Achilles Heel"
- Part V: "Google Apps Security Chief is a magician/mentalist"
- Part VI: "Google-China: Implications for Cybersecurity"
- Part VII: "Did Google Over-React to China Cybersecurity Breach?"
For even more information, see the Security section of PrecursorBlog's sister site: www.GoogleMonitor.com.