Google gives glimpse into security strategy

Google has outlined some of the methods it employs to keep its IT security tight.

Google director of product management Scott Petry — founder of Postini, which is now owned by the search giant — gave the low-down on the web giant's approach to security at the RSA Conference in San Francisco this week.

Petry said: "Google is possibly the number-one target on the internet today. We get an enormous amount of activity against our systems."

He added: "We can't do everything and we know that. No security measure is 100 percent perfect."

Petry pointed out that the increasing number of different devices and mediums available — such as YouTube and the iPhone — is having a huge impact.

He said: "The base tenets of security aren't changing, but the world around us is. The data is finding different ways to get out into the world."

One way in which Google tries to reduce its exposure to risk is by using an army of external testers to "hammer" code, with the aim of revealing and reporting any vulnerabilities on new releases.

Petry explained: "If you don't know what your risk is, you don't know how to manage it."

Google also uses a neighbourhood-watch approach, asking people to confidentially report vulnerabilities they discover. Close competitors have taken part in this programme and Google returns the favour.

Security training is also very much part of the Google culture, Petry said. "Educating people about security is about the most important thing a security professional can do."

New recruits — known as "nooglers" — are thoroughly trained in the company's security policies, while a peer-review process means new code is checked a number of times before going live.

Petry also said that Google establishes "guard rails" for employees — for example, the use of technology that measures the strength of internal passwords when users first create them.