Google Outlines Incident Response Process for Cloud Customers

The four-phased approach is designed to quickly identify incidents, mitigate damage and restore services, the company says.

Google cloud

In its ongoing campaign to build trust through transparency, Google this week released a white paper describing the company's process for responding to incidents impacting the confidentiality, integrity or availability of customer data.

The paper shows that Google has implemented a four-phased approach for responding to data incidents, which it describes as a breach of Google security that results in the disclosure, alteration or destruction of customer data in its care.

The first stage involves incident identification. This is the stage when Google's automated and manual processes detect potential vulnerabilities and incidents and report it back to Google's incident response team.

The second phase involves response coordination. Members of a triage team evaluate the incident report, make an initial assessment of its severity and assign an incident commander to lead the response. The commander is responsible for assembling an incident response team from relevant groups, based on a more detailed assessment of the original incident report.

At this point the response process shifts to the incident resolution phase. Members of the response team are responsible for investigating the incident, gathering relevant facts and figuring out what additional resources might be necessary to contain the incident.

A designated operation lead is responsible for implementing measures to contain damage, fix the issue that caused the breach, and restore impact systems and services. A communication lead separately assesses the incident to determine if the breach triggered any notification requirements and develops a communication plan if that indeed happens to be the case.

The fourth phase is when members of the response team assess the incident and the response to it to see if there are any lessons to be learned and to be applied from them.

Google's incident response team itself comprises members from across multiple specialized functions. It can include members that are specialists in cloud incident management, site reliability engineering, cloud security and privacy, signals detection, digital forensics, customer support and legal.

"Every data incident is unique, and the goal of the data incident response process is to protect customers’ data, restore normal service as quickly as possible, and meet both regulatory and contractual compliance requirements," said Noela Nakos, lead technical program manager at Google, in a blog Sept. 12.

Effective response is key to managing and recovering from incidents and preventing future ones. The combination of subject matter experts and the processes that Google uses ensures that incidents are mitigated quickly, Nakos said.

Importantly, Google has also implemented a continuous improvement process as part of its incident response program. The goal is to use each incident to gain new insights for preventing such incidents and to improve the tools and processes that Google uses to ensure the security and privacy of customer data, Nakos noted.

Google’s efforts at greater transparency are part of a broader effort to assuage customer concerns about the security of data in the cloud. Just this week, for instance, the company announced general availability of a tool that gives companies a way to monitor and audit access to their data by Google's administrators and support staff. Google also has for several years now been making available a so-called Transparency Report giving details on requests for customer data by government and law enforcement officials in the United States and elsewhere.

Jaikumar Vijayan

Jaikumar Vijayan

Vijayan is an award-winning independent journalist and tech content creation specialist covering data security and privacy, business intelligence, big data and data analytics.