Google Research plays a major role in how the company develops its security practices for its applications.

Ulfar Erlingsson runs security research for Google. He spoke earlier this year at the Google Faculty Summit. In this video he provides an overview of how Google treats the way people interact with apps. In that context, he explores the Chrome Web browser and how its design as a cloud-based app gives it inherent advantages over client-based browsers.

What’s of interest in this video:

  • Google’s definition of cloud security.
  • How Google views apps and the fine line between privacy and the use of data to develop additional products and services.
  • Chrome and the difference between it and older browsers.
  • Why computers obey software, not people.
  • The Native Client Project and the aim to make machine code as safe as running Javascript.
  • The New Application Model

We recommend watching the full video. But these snippets should give a perspective about his talk and how Google views security.

Defining Cloud Security

Erlingsson begins by providing historical context. He explores definitions for cloud computing security and the commonalities between apps in the Google ecosystem. In particular, he looks at apps and the centralization of user data.

A New Definition of Software

Interesting point: Every update to a page is showing a new version of the software, which is far different than old client-based software. This carries new definitions for software and new considerations for cloud security.

Computers Don’t Obey People

The relationship between apps is different. It’s not the users who grants access. It’s the application.

Native Client Project

Native Client Project: How Google views making machine code as safe as Javascript.

Anatomy of a Native Client Web App

If the app can be controlled down to the lowest layer, then to some degree the client can be controlled and protected from attacks.

The New Application Model

The new application model is one of logical applications with people using multiple clients and applications. What’s important is the statelessness and malleability of the software.

In the full context, Google is sending a message that verification of the device is an important factor in cloud computing security. The hardware is becoming stateless and the application is malleable, which is far different from the client-server age where the client was thick and the software hard-coded.

This presentation is pretty dense. We pulled out pieces that seem relevant but we again encourage you to view the presentation in its entirety to get a picture of how Google views security. There are some nuggets there.