Wednesday, January 18, 2017

Today we continue to read up on how Google protects data. Google has incredible expertise in this area. Security is an integral part of their operations. They scan for security threats using tools, and they use penetration testing, quality assurance processes, security reviews and external audits. They have a rigorous incident management process for security events that affect the confidentiality, integrity or availability of systems or data. They apply a defense-in-depth perspective to securing their custom-designed servers, proprietary operating systems and geographically distributed data centers. Data is encrypted in transit, at rest and on backup media, whether moving over the internet or traveling between the data centers. They build redundancy into their server design, data storage, network and internet connectivity and even the software services. Their audits cover compliance standards such as ISO 27001, ISO 27017, ISO 27018, SOC 2 and SOC 3 as well as the FedRAMP programs.
Let us take a look at what each of these certifications means.
ISO 27001 is a widely recognized independent certification. It covers 114 controls in 14 groups and 35 control objectives. These include information security policies, organization of information security, human resource security, asset management, access control, cryptography, physical and environmental security, operations security, communications security, system acquisition, development and maintenance, supplier relationships, information security incident management, information security aspects of business continuity management, and compliance with internal requirements such as policies and with external requirements such as laws.
ISO 27017 is an international standard based on ISO 27002, which is part of the ISO 27000 series of standards. It is specifically for cloud services. ISO 27018 is a standard of practice for protection of personally identifiable information in public cloud services.
SOC 2/3 (Service Organization Controls) is an audit framework for non-privacy principles that include security, availability, processing integrity, and confidentiality.
FedRAMP, the Federal Risk and Authorization Management Program, is a government-wide program that provides a standard approach to security assessment, authorization and continuous monitoring for cloud products and services. This approach uses a "do once, use many times" framework that is intended to expedite US government agency security assessments and help agencies move to secure cloud solutions.
Aside from the industry standards, any company that maintains customer data has an understanding with the user where the data belongs to the customer but the company handles it. The company scan it for advertisements or sell it to third parties. The company takes efforts to protect customer data. If the customer deletes their data, the company should purge it from their systems within 180 days. Finally, the company must provide tools to let the customer take their data if they cannot choose to stop using their services. Data must be kept private and secure by isolation for each customer even if it is stored on the same server. Access to data must be on a need-to-know basis. Approvals should be managed by workflow tools that audit records of all changes. What these certifications don't cover is how much of the traffic is configurable for encryption with an additional layer.

#codingexercise
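Remove half nodes (nodes with only one child) from a binary tree
Node RemoveHalfNodes(Node root)
{
    if (root == null) return null;
    // Process both subtrees first so each child is already free of half nodes.
    root.left = RemoveHalfNodes(root.left);
    root.right = RemoveHalfNodes(root.right);
    // A leaf is kept as is.
    if (root.left == null && root.right == null)
        return root;
    // Only a right child: splice this node out by returning its child.
    // The unlinked node is left to the garbage collector.
    if (root.left == null)
    {
        var temp = root.right;
        return temp;
    }
    // Only a left child: same splice on the other side.
    if (root.right == null)
    {
        var temp = root.left;
        return temp;
    }
    // Two children: the node stays.
    return root;
}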
