Google hosts applications and data on a globally-accessible, multi-tenant, shared infrastructure. As a result, security is a fundamental design principle which expresses itself in many ways. This is portrayed in the physical security of data, the unique design of the data centers, first-class disaster recovery, and security of your data traffic.

Let’s clear up a common question first; Can any Google employee access the data centers at Google? NO! Google data centers are harder to get into than your old high school cheerleading uniform. Restricted barriers and security fencing are built around the data center facility, and therefore, authorized access is controlled through a checkpoint that is guarded by security personnel who work 24 hours a day, 7 days a week. Security teams also continuously monitor video feeds from places inside and outside Google’s data centers. Your laptop, thumb drive or on-premise server probably doesn’t have personal security guards or the latest physical security technologies to safeguard your data like Google.

Did you know that Google is one of the largest server manufacturers in the world? They don’t sell them though, they use to them build a unique and secure infrastructure to host your data.

Thousands of Google servers are built exclusively to run in Google data centers and store Google customers’ data. You can easily take a virtual tour of a data center or locate Google Data centers. Google infrastructure is unmatched in when it comes to SaaS.

What is your disaster recovery plan? What does your company do in a power outage or natural disaster? Predicting the future is difficult, and leaving a gamble on mother nature may not be the best plan. This is why Google has been proactive and already has a plan in place. Allow Google to take some of the stress off of backing up, or letting duplicate data centers sit idly.

Protecting your data in motion is just as important as your data at rest. This is why Google protects your data for the long term with forward secrecy. You are probably familiar with HTTPS and SSL. However, there is a flaw with HTTPS or SSL.

Let’s take a deeper look into the issue. When you browse online, a website presents a certificate. That certificate is then authenticated against an independent certificate authority. If the certificate matches, the green padlock in your browser’s address bar signifies that it is a secure session.

One problem with this is that some of these certificate authorities have been hacked and fraudulent certificates were put out, so people can imitate companies. Very bad!

Also, companies traditionally use between 9 and 13 certificates. It’s possible that governments and even individuals in organizations can actually get enough computing horsepower to crack these certificates. That’s bad again.

Then, there is encrypted traffic –which is Microsoft’s setup. However, there is nothing stopping anyone from intercepting your encrypted traffic, writing it to a disc, and cracking the certificate to retroactively read your content. Scary!

Don’t worry, there is a better way! Since 2011, Google has used a technology called perfect forward secrecy. This means Google does not use a certificate authority and Google Apps is its own certificate authority, so it is much more difficult to have a man-in-the-middle attack.

Google issues a unique certificate for every single session, for every single user. So even if the traffic is being captured, the number of certificates is exponentially higher. I am not saying this is the perfect solution, but it makes it much harder for hackers!

Tune in tomorrow for the final part of our Google Apps Security series, when we review the additional steps your organization can take to further enhance security.