UPDATED 22:48 EDT / JANUARY 16 2017


With lasers, security chips, encryption galore, Google sends a message: Don’t even try to hack us

Google Inc. has just published a white paper that details how it secures the data centers for its public cloud services and internal operations, sending a clear message: Don’t even think about trying to hack us.

In order to physically infiltrate one of Google’s facilities, an intruder would need to contend with security cameras, laser intrusion systems and biometric identification. Meanwhile, cyberattackers’ efforts are bedeviled by a maze of encryption and authentication services designed to ward off even the most determined of hackers.

Google’s Infrastructure Security Design Overview sheds light on the full gamut of security measures the company has initiated to keep its data safe, including custom-designed security chips within every server, a 24/7 investigation and incident response team, as well as its facilities’ physical defenses.

Actually, the more likely message Google is sending is to large enterprises that it’s trying to woo to its cloud. They really care about the security of their data, so it’s no surprise that a good portion of the white paper is devoted to how the company secures the Google Cloud Platform.

The revelation that Google designs customized chips is a new one. The paper describes a “hardware security chip that is currently being deployed on both servers and peripherals. These chips allow us to securely identify and authenticate legitimate Google devices at the hardware level.”

The chips work in tandem with cryptographic signatures used to identify low-level components such as the BIOS, bootloader, kernel and base operating system image, Google said. Those signatures are validated during each boot or update, and the components are all designed and built by Google itself.

“With each new generation of hardware we strive to continually improve security: for example, depending on the generation of server design, we root the trust of the boot chain in either a lockable firmware chip, a microcontroller running Google-written security code, or the above mentioned Google-designed security chip,” the paper says.
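The boot chain described above, as an added example that is not Google's code or the white paper's: a root public key standing in for the key held by the security chip, and each component (BIOS, bootloader, kernel, base OS image) accepted only if its signature verifies, so a tampered kernel halts the boot before anything later runs. Ed25519 from Go's standard library is assumed as the signature scheme (the paper does not name one), and the images and key are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// BootStage is one link of the chain: a component image plus its signature.
type BootStage struct{ Name string; Image, Sig []byte }

// VerifyChain checks stages in boot order and halts at the first one whose
// signature fails. rootPub models the key held in the hardware security chip,
// the only thing trusted before any signature has been checked.
func VerifyChain(rootPub ed25519.PublicKey, chain []BootStage) ([]string, error) {
	booted := []string{}
	for _, s := range chain {
		if !ed25519.Verify(rootPub, s.Image, s.Sig) {
			return booted, fmt.Errorf("boot halted: bad signature on %s", s.Name)
		}
		booted = append(booted, s.Name)
	}
	return booted, nil
}

// SignStage models the build pipeline signing a component image.
func SignStage(priv ed25519.PrivateKey, name string, image []byte) BootStage {
	return BootStage{Name: name, Image: image, Sig: ed25519.Sign(priv, image)}
}

// Demo signs a constructed four-stage chain, verifies it, then flips one bit
// of the kernel image and verifies again, returning both outcomes.
func Demo() (good, bad []string, err error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	chain := []BootStage{
		SignStage(priv, "BIOS", []byte("bios-image-v1")),
		SignStage(priv, "bootloader", []byte("bootloader-image-v1")),
		SignStage(priv, "kernel", []byte("kernel-image-v1")),
		SignStage(priv, "os-image", []byte("base-os-image-v1")),
	}
	good, _ = VerifyChain(pub, chain)
	chain[2].Image[0] ^= 0x01 // constructed tampering: one bit of the kernel
	bad, err = VerifyChain(pub, chain)
	return good, bad, err
}

func main() {
	good, bad, err := Demo()
	fmt.Println("clean:", good, "| tampered:", bad, "|", err)
}
```

The clean chain boots all four stages; the tampered one stops after the bootloader, since the kernel's signature no longer matches its image.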


Another tactic Google employs is that services running on its infrastructure never assume that another service running on the same infrastructure is legitimate. Instead, all services go through cryptographic authentication and authorization before being able to communicate. “The infrastructure does not assume any trust between services running on the infrastructure. In other words, the infrastructure is fundamentally designed to be multi-tenant,” the paper notes.

Moreover, each individual service is configured so that only specific Google engineers can access it. Every service, engineer and machine is given an individual identity, which is stored in a global namespace maintained by Google. This is backed by a sophisticated identity management workflow system, Google explains, which allows secure access management to scale to the thousands of different services running on its cloud infrastructure.

Google also wraps its application-layer protocols in the same security mechanisms it uses for infrastructure-layer communication. This second layer of defense means that even if an attacker manages to break into its data center network, they still have to contend with a separate layer of encryption. In other words, the security of data inside Google’s network is kept separate from the security of the network itself.

Image credit: RyanMcGuire via pixabay
