U fu O q O V How Google Workspace L= 5 O 3 August 2020 O Ò DV O O O uses encrypt ION tO AD protect your data paia Aa , CR E en - pa CALO i Lar TL TL DEL IP x ONE TAAPRSIRE E PILArotaSETA pe Li ES COC oa È i o sé papi Ca |, - mi T9l i Lig (2% P a n LA tia x “Ta Ut i ; , Re L E si E IT tiGe NE Google Cloud sl E »| nà €) Google Cloud Table of contents Table of contents Ooai\dl<11 = Introduction QU How Google approaches encryption Encryption of data stored at rest pia Data on disks Table 1 Google Workspace: Encryption of data stored at rest Key management and decryption process Googles key management service Rotating keys to limit risk JN The key management server Encryption at Rest flow 00 An example of encryption in Google Drive 0 Auditing and Access Control for keys data 0 Data on backup media n 5 Encryption of data in transit O mn Data traveling over the Internet di O Between you and Google = dA Between you and non-Google users 2=-a dA Encryption protocols used by Google Workspace 4 N Encryption is only part of our comprehensive security strategy W — €) Google Cloud ) Introduction Here at Google, we know that security is a key consideration for organizations that choose Google Workspace. This is why we work so hard to protect your data — whether it's traveling over the Internet, moving between our data centers or stored on our servers. A central part of our comprehensive security strategy is encryption, which helps prevent information from being accessed in the event that it falls into the wrong hands. This paper will describe Google's approach to encryption and how it keeps your sensitive information safe. This whitepaper applies to Google Workspace products described at . We are bringing to our education and nonprofit customers in the coming months. Education customers can continue to access our tools via G Suite for Education, which includes Classroom, Assignments, Gmail, Calendar, Drive, Docs, Sheets, Slides, and Meet. G Suite for Nonprofits will continue to be available to eligible organizations through the Google for Nonprofits program. This whitepaper applies to both consumer and enterprise data. The content contained herein is correct as of August 2020 and represents the status quo as of the time it was written. Googles security policies and systems may change going forward, as we continually improve protection for our customers. €) Google Cloud , How Google approaches encryption Encryption is a way of scrambling data into unreadable content known as ciphertext that can only be descrambled by parties who possess a secret key. Attackers who want to cireumvent encryption will typically try to steal the keys or exploit flaws in the encryption algorithms and their implementation. Encryption strength depends on a number of factors, such as the algorithm used, its implementation and the key size for that algorithm. It also depends on how keys are created, managed and secured. As computers get better and faster, it becomes easier to perform the complicated mathematical computations needed to break encryption. Even the mathematics behind this process — known as cryptanalysis — can improve over time, making it easier to break encryption. As a result, encryption algorithms that seemed strong a few years ago may no longer be as strong today. Google has a team of To keep pace with this evolution, Google has a team of world-class security world-class security engineers tasked with following, developing and improving encryption technology. engineers tasked Our engineers take part in standardization processes and in maintaining widely used encryption software such as BoringCrypto — an SSL library in with following, Chrome/Chromium, Android and a number of other apps/programs. We regularly developing and publish our research in the field of encryption so that everyone in the industry — improving encryption including the general public — can benefit from our knowledge. technology. Encryption is an important piece of the Google Workspace security strategy, helping to protect your emails, chats, video meetings, files, and other data. First, we encrypt certain data as described below while it is stored "at rest” — stored on a disk (including solid-state drives) or backup media. Even if an attacker or someone with physical access obtains the storage equipment containing your data, they won't be able to read it because they don't have the necessary encryption keys. Second, we encrypt all data while it is “in transit” — traveling over the Internet and across the Google network between data centers. Should an attacker intercept such transmissions, they will only be able to capture encrypted data. We'll take a detailed look at how we encrypt data stored at rest and data in transit below. €) Google Cloud ; Encryption of data stored at rest In Google's data centers, data belonging to Google Workspace customers is stored at rest in two types of systems: disks and backup media. Disks are used to write new data as well as store and retrieve data in multiple replicated copies. Google also stores data on offline backup media to help ensure recovery from any catastrophic error or natural disaster at one of our data centers. Data stored at rest is encrypted on both disks and backup media, but for each system we use a distinct approach for encryption to mitigate the corresponding security risks. These encryption mechanisms are detailed below. Data on disks Google encrypts customers’ data stored at rest for the solutions in the Google Workspace product family (see Table 1). This encryption happens without the customer having to take any action. Core content is data created by the user, such as messages and attachments in Gmail. Google encrypts To understand how this encryption works, it's important to understand how data as it is Google stores customer data. Data is broken into “chunks,' which are stored on written to disk local disks and identified by unique chunk IDs. with a per-chunk Google encrypts data as it is written to disk with a per-chunk encryption key that encryption key is associated with a specific Access Control List (ACL). The ACL ensures that that is associated data in each chunk can only be decrypted by authorized Google services and employees. with a specific Access Control This means that different chunks are encrypted with different encryption keys, List. even if they belong to the same customer. These chunks are encrypted using the Advanced Encryption Standard (AES) cipher with a 128-bit or stronger key. Table 1 details what type of data is encrypted by each Google Workspace solution. €) Google Cloud Table 1 Google Workspace: Encryption of data stored at rest Core content data that is encrypted Calendar Events and descriptions of events. Chat Chat conversations that happen between individuals or in groups, while chat history is on, including images, videos, links, and uploaded files. This excludes all conversations when history is off. Cloud Search All search indices and indexable content from third party repositories. Contacts Content of end users’ address books. Currents Posts, comments, photos. Drive Files uploaded to Drive via Drive File Stream, Backup and Sync, via the Drive web interfaces, Drive Mobile apps, Gmail, Google Drive API, and third-party services uploading files via the Drive API. File, folder, shared drive, and workspace metadata such as title, description, creator, and owner. Search indexes, Drive activity and audit logs, Drive metadata categories and values, Drive workspaces, and Drive approvals. Docs, Sheets, Content authored by the owner or collaborators as well as Forms responses (except, in Forms, and some cases, content embedded into the file that is hosted on other Google products not Slides referenced in this list; e.g. YouTube). Gmail Messages and attachments. Groups Group message archives. Jamboard Jam contents and embedded items (images, Drive files). Keep Note contents and attachments (images, drawings, recordings). Meet Recordings stored in Drive, text captions for recordings stored in Drive. See the Meet security help center for more information. Sites Content authored by the owners or collaborators of the site; except (i) content embedded into the site that is hosted on other Google products not referenced in this list (e.g., YouTube) (ii) content embedded into the site that remains hosted on other third-party websites, via Sites, Gadgets or image hotlinking. Vault Content created by Vault Admins, saved queries, and audit logs. Vault's exports of Gmail messages and attachments, Hangouts Classic conversations, Hangouts Chat, and Drive files. Voice Call history, messages and attachments, voicemails and transcriptions. €) Google Cloud 5 Key management and decryption process Managing keys safely and reliably, while allowing access to the keys only to authorized services and individuals, is central to encrypted data security. Google has built a robust proprietary service for the distribution, generation, rotation and management of cryptographic keys using industry standard cryptographic algorithms that are in alignment with strong industry practices. In the following sections, we'll outline our approach to managing the encryption keys used to protect Google Workspace customers’ information. Google's key management service As described in the previous section, files or data structures with customer-created content written by Google Workspace are subdivided into chunks, each of which is encrypted with its own chunk data encryption key (“chunk key”). Each chunk key is encrypted by another key known as the wrapping key, which is managed by a Google-wide key management service (KMS). The result is a “wrapped” (encrypted) chunk key, which is stored alongside the Customer-created encrypted data. The wrapping keys, needed to decrypt wrapped chunk keys, and content written by therefore to decrypt the chunk, are known only to the KMS and are never stored at . rest in unencrypted form. Google Workspace is subdivided into Decryption and encryption operations on chunk keys are performed within the o TP P 7 KMS. The wrapped chunk key is sent by a storage system to the KMS as a chunks,e each of request to be unwrapped (decrypted) in order to access the encrypted data. The which is encrypted KMS authenticates the requesting system and checks the request against both — with its own chunk system-level and per-wrapped-key ACLs. data encryption key If this request is authorized, the chunk key is decrypted in the KMS and returned to the storage system, which can now use that chunk key to decrypt that specific chunk of data. These chunk keys are encrypted in transit, as described below. This process is repeated until all the chunks that compose a specific file or data structure are decrypted, making the data available to the requesting application. Data cannot be decrypted without both the wrapping key and the wrapped chunk key. Decrypting data therefore requires the cooperation of the storage system (which holds the encrypted data and wrapped chunk key) and the KMS (which holds the wrapping key). The KMS wrapping keys that encrypt the chunk keys are 128-bit or stronger AES keys. AIl encryption and decryption operations by the KMS are controlled by ACLs which are checked against the cryptographic identity of the caller as provided by Google production identity management. Access is restricted to specific applications that require access and a limited number of individuals. Individuals are only provided access after demonstrating a recorded need and access requests to the KMS by employees are logged for auditing. €) Google Cloud , Rotating keys to limit risk Google has built a proprietary system to manage key rotation. Keys are rotated or replaced regularly, so that if a key were compromised it wouldn't remain useful for decrypting new data indefinitely. Keys are typically rotated at least every 90 days. This process reduces data exposure in the event of a key compromise or cryptanalytic attack by limiting the time window in which any given key is used. The key management server The KMS, like other Google production services, runs on custom, purpose-built servers that we design and manufacture ourselves. These servers run a custom-designed operating system based on a stripped-down and hardened version of Linux, and are designed for the sole purpose of providing Google services. Google servers use a homogeneous environment that is maintained by proprietary software that continually monitors systems for binary modifications to ensure that only approved Google software is installed and running on Google servers. The KMS server has the same proprietary software installed on it monitoring for any unapproved modification. If a modification is found on the KMS server that differs from a standard Google image, the server is automatically returned to its official standard image state. Google has built These automated, self-healing mechanisms are designed to enable Google to monitor and remediate destabilizing events, receive notifications about incidents, and slow a system to down potential compromise on the network or the KMS server. manage key rotation. Chunk The following diagram shows the flow for Google Drive, as an example of the related encryption mechanisms. The process begins with the user requesting access to some encryption keys of their Google Drive data (step 1). The connection between the user and Google is and wrapping encrypted (step 2). Google routes this request internally (steps 3, 4, 5). When the keys are rotated storage system needs access to an encrypted chunk, Google begins the decryption process (steps A-E) to decrypt the data the user has requested and make it available OY replaced to Google servers only in memory (i.e., not stored at rest in plaintext). Finally, it returns regularly. the data to the user (steps 6, 7, 8), again in an encrypted session. The data flow diagrams are similar for other Google Workspace products as well as for encrypting data when users create data. € Google Cloud Encryption at Rest flow An example of encryption in Google Drive USER DATA FLOW © initiate Request User authenticates to Google Workspace and requests Drive data. ©, Encrypted Tunnel ", TLS-based encryption dependent on user's browser capabilities. Google Data Center Infrastructure © Google Front End Directs traffic to AFES. © Application Front End (AFE) o Directs traffic to Application servers. G Requests User Data User's Drive data request goes from the Application to storage. (, Application (e.g. Drive) O Return Decrypted Data Send user data to Application. © Return User Data Return user data to user. = © Return User Data in Encrypted Tunnel Return user data to user. DATA DECRYPTION © Retrieve Data Gets Encrypted Chunk and Wrapped Key. © Request Key Unwrap o -0È Wrapped key is sent to KMS. d Key Mgmt Service G ACL Check ls the requester (e.g. Storage System) authorized to have key unwrapped? O Send Unwrapped Key ca KMS unwraps the encryption key data, which ca Storage System will use to decrypt chunk. CO Keys and data are encrypted at Encrypted Storage rest using AES-128 or stronger G Decrypt Data Storage System decrypts chunk. €) Google Cloud o Auditing and Access Control for keys data We complement encryption with rigorous procedures for assigning and removing access to the keys, and logging employee access to the keys and data. We regularly review these procedures and logs to ensure that they are operating in a secure manner and that only the people and applications requiring access are granted it. This process is also audited every year by an independent third party. Google authorizes only trusted individuals to have legitimate access to systems and data repositories containing customer data, including the KMS. This strict authorization extends to job duties including debugging and maintenance We complement activities that might expose decrypted customer data to a trusted employee. encryption with Access to these systems is under the umbrella of strict policies that are clearly rigorous procedures displayed for employees to read and also in the tools they use. Access to customer data is only allowed for a legitimate business purpose. As part of for assigning and Google's long-term commitment to security and transparency, you can use removing access to Access Transparency to review logs of actions taken by Google staff when the keys, and accessing user content. User-generated content consists of data such as . uploaded files and user-entered text entered into Gmail, Google Docs, Google logging employee Sheets, Google Slides, and other apps. access to the keys and data. To help ensure that only this limited set of trusted employees uses their given access as approved by Google, we use a combination of automated tools and manual reviews to examine employee access to customer data and detect any suspicious events. We strictly enforce our policies for customer data access. We have established an incident response team to investigate violations of misappropriation of customer data. We have established a disciplinary process for noncompliance with internal processes which can result in immediate termination from Google, lawsuits and criminal prosecution. €) Google Cloud ‘0 Data on backup media Google also encrypts all data stored on backup media. Backup media, as noted, are used as a recovery mechanism if there is a failure or corruption of the disk data and data needs to be restored. This means that backup media are accessed much less frequently than disks. Each medium contains one or more files, and each medium is protected from tampering with its own unique 256-bit secret. At backup time, a random seed is created for the medium, and the KMS is asked to encrypt the per-medium secret with a key known only to the KMS. The resulting per-medium secret is unique, and is only stored in encrypted form. This secret is used to prevent any modification of data in backups. The decryption key for the per-medium secret is known only to the KMS and never leaves it. In addition, only the backup service has permission to ask the KMS to decrypt a per-medium secret. This provides a double layer of access control: (1) only authorized personnel and services may read seeds from the backup system‘ database, and (2) a further authorization check is required to use such a seed to ask the KMS to decrypt a per-medium secret. This provides a further protection against modification of data on a backup medium. In addition, the backup media ciphertext contains no identifiable information about what is on that medium: all such information is contained in the encrypted files. An individual who steals a medium with the intent of determining what data is stored on it will be unable to do so. Finally, the backup system can also back up encrypted files for which it cannot read the plaintext. For such files, it backs up the ciphertext and the wrapped key. At restore time, both are restored, again without the backup system ever seeing the plaintext. Encryption of data in transit As we've shown, Google Workspace encrypts customer data stored at rest on both disks and backup media. But we also want to protect your information while it's en route from one machine to another data center, ensuring these data transmissions would still be protected should they be intercepted. Data in transit may be traveling over the Internet between the customer and Google or moving within Google as it shifts from one data center to another. Data traveling over the Internet When you use a Google service, your information travels over the Internet between your browser, Googles servers, and, sometimes, non-Google users you are communicating with. In these scenarios, encryption helps prevent attackers eavesdropping on internet connections from accessing sensitive content such as your credentials, emails and other personal data. €) Google Cloud ni Between you and Google To protect your information, the first step is having a secure browser that supports the latest encryption and security updates. When you're a Google Workspace customer, we encrypt traffic between your browser and our data centers — whether you're using public WiFi, logging in at the office, or working from home on your computer, phone or tablet. Google websites and properties use robust public key technologies: 2048-bit RSA or P-256 ECDSA TLS Forwar r certificates issued by a trusted authority (currently the Google Trust Service CA orward secrecy 101). technology helps 1 1 n . ensure that How this encryption works depends on each customer's client configuration. . . Google servers support ephemeral elliptic curve Diffie-Hellman cryptographic key information exchange signed with RSA and ECDSA (“ECDHE_RSA” and “ECDHE_ECDSA"”). encrypted today is These so-called forward secrecy methods help protect traffic between customers —|ess vulnerable to and Google servers from being intercepted and decrypted by a man-in-the-middle (MitM) attack. new methods of breaking encryption Forward secrecy by default helps ensure that information encrypted today is less . > P yP y in the future vulnerable to new methods of breaking encryption in the future. With forward secrecy, keys are rotated at least every other day. This limits the impact of a compromised encryption key to information a customer exchanged over a two-day period (instead of what could be several months of data). Without forward secrecy, in contrast, an adversary could record encrypted traffic and store it with the hope of compromising the HTTPS private key at a later date. If they succeededì, they would then be able to decrypt the data. Google servers generate a new Diffie-Hellman public key for each session, sign the public key, and use Diffie-Hellman to generate mutual private keys with the customer's browser. This helps prevent eavesdropping because every session between a customer and Google is encrypted with different public keys. An attacker would have to do two things: capture encrypted traffic and compromise the temporary private key before it's destroyed. Forward secrecy also prevents a connections private keys from being kept in persistent storage. Combined with key rotation, this feature stops adversaries who successfully compromise a single key from retrospectively decrypting data more than two days old. Between you and non-Google users We've now reviewed how traffic between a Google Workspace customer and Google servers is encrypted, but what happens when that customer has business beyond Google? Google has led the industry in using Transport Layer Security (TLS) for email routing, which allows Google and non-Google servers to communicate in an encrypted manner. When you send email from € Google Cloud 1) Google to a non-Google server that supports TLS, the traffic will be encrypted, preventing passive eavesdropping. We believe increased adoption of TLS is so important for the industry that we report TLS progress in our Email Encryption Transparency Report. We also improved email security in transit by developing and supporting the MTA-STS standard allowing receiving domains to require transport confidentiality and integrity protection for emails. Google Workspace customers also have the extra ability to only permit email to be transmitted to specific domains and email addresses if those domains and addresses are covered by TLS. This can be managed through the TLS compliance setting. Data moving between data centers We operate a highly secure and resilient private network that encircles the globe and connects our data centers to each other—ensuring that your data stays safe. Trust is built on transparency and we publish the locations of all our data centers. Our network is designed to minimize latency and maximize availability, helping to ensure uninterrupted access to your information with no scheduled downtime. In order to achieve this level of performance and conduct upgrades or maintenance, we often move data from one data center to another. These shifts of data centers are imperceptible to our customers and carried out in a secure manner. Namely, data is always encrypted when it moves between data centers. Connections between internal Google servers are cryptographically authenticated between machines. Certain connections (including those to and from the KMS) are encrypted with a TLS-like proprietary transport protocol that uses AES 128-bit or higher. Encryption protocols used by Google Workspace: TLS 1.3 TLS 1.2 TLS 1.1 TLS 1.07 QUIC " This list of protocols is subject to change at any time. 2 Google is working to deprecate old protocols and primitives as quickly as users allow. For example, TLS 1.0 and 1.1 have been deprecated in Chrome 72 and removed in Chrome 84. Google Chrome and servers support TLS_FALLBACK_SCSV to prevent attackers from inducing browsers to use lesser protocol versions. Further information is available on the Google Online Security Blog and Google Chromium Group. 25 Google Cloud ‘3 Encryption is only part of our comprehensive security strategy Google Workspace customers’ data is encrypted when it's on a disk, stored on backup media, moving over the Internet or traveling between data centers. Providing cryptographic solutions that address customers’ data security concerns is our commitment. But it's important to note that, while encryption is important and necessary, it's not enough, by itself, to protect your information. Instead, it has to be part of an in-depth, well-organized, and executable security and privacy strategy — like the one we have at Google, which is outlined in the Google Workspace Security page. This comprehensive data protection approach is rare and not typically present in many centralized local computing centers. Indeed, security has always been central to our daily operations and culture. Our custom hardware and unique data storage architecture are designed with security in mind. We constantly invest in security innovation, employing many highly trained security experts and supporting their extensive and intensive research efforts. We also operate in a manner that helps us quickly respond to newly identified threats and develop better ways to align the protection of customer information with the ever-evolving risk that typifies modern computing. By design our systems restrict access to customer data to only a limited number of individuals and specific applications that require access. For more information on our security practices, please see our Google Workspace Security page. | z = E= j Ss s È È Dé Sa!