Data security in 2014: Make it more difficult for others to attack and easier for you to protect

Posted by Eran Feigenbaum, Director of Security, Google for Work

We know you want to be assured that your digital information is safe and available when you need it. The series of incidents that riddled 2014 showed why it is important to stay ahead of those ill-intentioned people targeting online information. We have taken clear steps to make our products more difficult to attack, and to make it easier for you to protect your data. Innovative security technology is necessary today, and making it easy to use is equally important.

At Google, we take security very seriously and it's built into everything we do, from protecting our datacenters and your devices, to our partnership with the security community to stop bad actors on the web.

This year we raised the bar even higher. We created new security teams, our engineers discovered and helped fix vulnerabilities like Heartbleed and Poodle, and we took a series of concrete steps that will increase the security of our customers’ information:

• We offered encryption as a default for Gmail since 2010, but this year we made sure every single email you send or receive is also encrypted while moving internally between our data centers.
• We released End-to-End, a Chrome extension that encrypts information between your browser and the intended recipient and yesterday, we made it available to the community.
• We ensured that all files uploaded to Google Drive are encrypted at rest on Google servers — in addition to in transit, as they are shared on the web.
• We launched a physical security key that provides second-factor authentication through your computer’s USB port, and we are working on admin tools to let you deploy this at scale in your organization.
• We gave business users controls to share responsibility with IT, providing a wizard to secure your account and a new dashboard to monitor device activity.
• We made it easier to secure devices in the workplace with the new security features in Android 5.0 Lollipop.
• We rebuilt our device management solution to support iOS 7, 8 and the new iPhone 6 and 6 Plus.

In addition to these announcements, we offer strong contractual commitments to protect our customers’ information. We do not show advertisements or scan customer information for advertising in Google Apps for Work, Education, Government or Non-Profit, and we do not use data for any other purpose than to manage and deliver our services. These commitments are regularly verified by independent auditors, and this summer we published their detailed findings in our SOC3 security audit report. We also help our customers comply with their regulatory obligations, and we renewed and extended our ISO 27001 certification and certified our Cloud Platform to the PCI standard. We were excited to participate in the development of the new ISO 27018 privacy standard for cloud computing, and look forward to opportunities to engage in similar efforts in the future.

Next year, the bad guys will keep all of us on our toes as we expect the number of threats and their sophistication to increase. We will keep raising the bar — for example we have been working to improve passwords with the new Smart Lock for Android feature, and developing identification technology that makes typing-in complex Captchas obsolete. As we enter 2015, you can expect our continued investment in security and a guarantee that we will continue to find ways to make it simple for people to use our services in a secure and transparent manner.