The heart of tech is coming to the heart of the Mediterranean. Join TNW in València this March 🇪🇸

This article was published on March 12, 2013

Google’s CIO explains the challenge of keeping data secure: ‘We spend a lot of time worrying about it’

Google’s CIO explains the challenge of keeping data secure: ‘We spend a lot of time worrying about it’
Nick Summers
Story by

Nick Summers

Nick Summers is a technology journalist for The Next Web. He writes on all sorts of topics, although he has a passion for gadgets, apps and Nick Summers is a technology journalist for The Next Web. He writes on all sorts of topics, although he has a passion for gadgets, apps and video games in particular. You can reach him on Twitter, circle him on Google+ and connect with him on LinkedIn.

Google likes to portray itself as a laid back, but highly innovative and agile company. The circular Google bike used for group meetings, the ability to bring your pets to work and the brightly colored cushions found on what appears to be every sofa are just a few of the company’s more fun, playful additions for its employees.

The technology giant’s offices on St Giles High Street, London, are no different. Google doesn’t own the entire building, and this particular locale – it also has two separate premises on Buckingham Palace Road – is mainly used for its PR and marketing staff.

As you walk through the door on the top floor though, Google’s unique take on office decor shines through. The carpet is a thick green and comes up to your ankles like grass, while wooden alcoves across the room imitate the large knots found at the bottom of a tree.

Ben Fried, the Chief Information Officer at Google, has an entirely different demeanor though. A small group of journalists – myself included – were invited to speak with him for an hour via Google Hangout. Despite the numerous time zones between us – he was sat in a surprisingly desolate looking room at the company’s offices in New York – it was clear to see that the man embodies a more corporate, disciplined approach to the company.

A fresh approach to security

This is apparent when he’s questioned about Google’s approach to data protection and security. From mid-2009 to the end of that year, the company was subject to a cyber attack known as Operation Aurora by an individual, or group of individuals, based in China.

Google was not the only company to be targeted, but it triggered a response in January 2010 which promised improvements to the security of Google and the data bestowed upon it by its users.

“Security is one of the things that IT departments need to spend the most time worrying about,” Fried explains to us pointedly.

With a sense of pride, he suggests that Google has one of the best security teams in the world. They’re attracted by the idea and challenge associated with defending such a high-profile and public target.

Even so, he admits that when it comes to security, Google spends “an awful lot of time worrying about it.”

A Google logo is seen through windows of

The problem is that the traditional approach to security in large companies such as Google is fast becoming irrelevant. In the past, there was a private, enterprise network where employees were given an enormous amount of trust. “We grant access to [Google employees] purely on the basis of having [their] IP address within that private network.’

The Internet, meanwhile, was the open network where no-one was trusted to do anything. The two were treated as entirely separate entities, or the “crunchy shell and soft inside,” as Fried eloquently puts it.

The argument was that the Internet was simply too large to take on. The private enterprise network was manageable, it had obvious boundaries and a simpler process for investigating any inappropriate behaviour.

The problem is that all Google employees now live on the Internet. They work both inside and outside of the company’s private network on a daily basis, connecting to the world wide web without hesitation. The only way to ensure the safety and security of Google’s data was to restrict what could be done inside its trusted network.

The result, however, would have “really alienated a lot of our workforce,” Fried suggests. Following the cyber attack in 2009, it’s easy to see how this could have been an attractive option.

Treating all networks the same

Google didn’t do that though. The technology giant is now moving to a much more dynamic approach where it treats all networks as if they were the Internet.

“[This means] we make smart choices based on what we know about the user, the device that they’re using, what we know about the network they’re coming from and the services that they want to use,” Fried says.

“And not to make any blanket assumptions – at all – based on how you connect.”

The notion that implementing increasingly stronger firewalls will protect Google’s corporate network, he says, is only “a very, very small piece of the puzzle.”

Google is trapped in a difficult position though. In order to make its services more intelligent and effective, it needs an ever-increasing amount of data from the user.

With more data, however, comes more responsibility, and the increased likelihood that it will be targeted by a cyber attack.

Protecting user data

Commenting on this trend, Fried details not how Google will defend the data, but how it will be informing users to make better decisions on the Internet.

“Transparency is incredibly important,” he says. “Being really transparent about what data we collect, what we do with it and explaining how this benefits you is key to letting users make decisions about where they want to stay on the spectrum.”

Marissa Mayer, CEO of Yahoo and a former Googler, said in an interview with Bloomberg earlier this year that transparency, choice and control were the core principles of online privacy.


What was particularly interesting, however, was her perspective on data ownership: “One of the key pieces here that also provides a lot of user choice is making sure that the data is portable. Making sure there is standardized formats, which really allows your barrier to switching providers to be lower.”

She added: “One of the analogies that I’ll use is, papers you wrote in college, are they yours? Absolutely. What about searches you’ve done over the past 10 years? Not nearly as coherent, not nearly as structured in eloquent prose, but just as insightful in terms of they were your thoughts, and your words, expressed your way. And they tell a lot about what you know and what you’ve learned. I do believe that fundamentally, they are yours.”

During our Google Hangout, Ben Fried seemed to hum a similar tune. “Your data is yours, not ours,” he said. “You can take it from us at any time and move it somewhere else, if you don’t want to us to have it anymore.”

Walking out of Google, our little band of journalists are shown the cafeteria – which employees can use for free – the extensive gym, a silent area for reading and a small theatre for presentations.

The serious side of Google

Google will always present itself as this incredibly relaxed, outside-the-box and collaborative company. It’s easy to get caught up in all of the magic and excitement as you look at everything painted in its prolific blue, red, yellow and green color scheme.

Peel back that layer, however, and you’ll find a very serious company desperately trying to protect both its own data and that stored on behalf of its users. Google will always be a target for hackers, and Operation Aurora probably won’t be the last cyber attack they’re affected by.

Google will continue to be a place where unorthodox ideas and moonshot projects are supported. It might seem idyllic to an outsider, but it’s important to remember that behind the scenes is a whole team of people like Ben Fried, working tirelessly to defend it.