How Google keeps its tech security tip top

Protecting the "number one target" on the web

Google has outlined some of the ways it keeps its IT security tight.

Google director of product management Scott Petry - founder of Postini, which is now owned by the search giant - gave the low-down on the web giant's approach to security at the RSA security conference in San Francisco this week.

Security from A to Z

Click on the links below to find out more...

A is for Antivirus
B is for Botnets
C is for CMA
D is for DDoS
E is for Extradition
F is for Federated identity
G is for Google
H is for Hackers
I is for IM
J is for Jaschan (Sven)
K is for Kids
L is for Love Bug
M is for Microsoft
N is for Neologisms
O is for Orange
P is for Passwords
Q is for Questions
R is for Rootkits
S is for Spyware
T is for Two-factor authentication
U is for USB sticks/devices
V is for Virus variants
W is for Wi-fi
X is for OS X
Y is for You
Z is for Zero-day

Petry said: "Google is possibly the number one target on the internet today. We get an enormous amount of activity against our systems."

He added: "We can't do everything and we know that. No security measure is 100 per cent perfect."

Petry pointed out that the increasing number of different devices and mediums - such as YouTube and the iPhone - is having a huge impact.

He said: "The base tenets of security aren't changing but the world around us is. The data is finding different ways to get out into the world."

One way in which Google tries to reduce the risk it's exposed to is to use an army of external testers who "hammer" code to turn up and report any vulnerabilities on new releases.

Petry explained: "If you don't know what your risk is, you don't know how to manage it."

Google also uses a neighbourhood watch approach asking people to confidentially report vulnerabilities they discover. Close competitors have taken part in this programme and Google returns the favour.

Security training is also very much part of the Google culture. Petry said: "Educating people about security is about the most important thing a security professional can do."

New recruits - known as 'nooglers' - are thoroughly trained in the company's security policies while a peer review process means new code is checked a number of times before going live.

Petry also said Google establishes "guardrails" for employees - for example the use of technology that measures the strength of internal passwords when users first create them.