Interview: How Google Meet tackles security in the remote working age
2020 may well be the year of the videoconference, as business travellers leave their suitcases at home and look to the internet to cover those all-important meetings. Google Meet is one video platform that has risen to the top of the ranks, with the company recently announcing that it would make the platform free for everyone.
I spoke to Google Cloud’s Asia Pacific and China (APAC) head of security for networking and collaboration specialists, Mark Johnston.
His team works with customers across financial services, telecommunications and other regulated industries, as well as startups, to help address security, compliance and networking requirements when migrating to Google Cloud.
We’ve seen a huge shift to cloud communications tools over the last couple of months – what has it been like for Google Meet (particularly in Asia Pacific)?
Over the past few weeks, we’ve seen Google Meet help millions of people stay connected. Whether it is colleagues working from home, companies livestreaming to global employees or doctors providing remote care to patients — Google Meet is making this possible.
In fact, earlier this month we hit a new milestone with more than 2 million new users connecting on Google Meet every day, and spending two billion minutes together. We’re humbled by the huge responsibility that comes with this growth, and we’re determined to continue doing our part to help.
Have you modified your services to cater for an expected usage increase and if so, what kinds of things have you put in place?
We’re well within our ability to handle increased network loads. Our network is designed to perform during times of high demand — like streaming the World Cup or Cyber Monday online shopping surges, so we are well within our ability to handle the load.
Meet, and all of G Suite, runs on Google’s secure, resilient global infrastructure, which helps us reliably manage our capacity to keep our services up and running. We maintain considerable reserve capacity both inside our network and at hundreds of points of presence and thousands of edge locations.
Years of preparation have meant the performance of our infrastructure remains as high as it was before the pandemic. We also have proprietary hardware that helps satisfy capacity demands, so we remain prepared at this time.
How does Google Meet utilise Google Cloud’s capabilities, particularly in terms of security, data protection, and transparency?
Meet takes advantage of Google Cloud’s secure-by-design infrastructure to help protect your data and safeguard user privacy. The safety and security features are on by default so you can be sure the right protections are in place from the get-go.
For supported browsers (Chrome, Firefox, Safari, new Edge), we don't require or ask for any plugins to be installed. On mobile, we ask that you install the Meet app from App Store/Play Store. This limits the “attack surface” for Meet and reduces the amount of software users and specifically businesses need to patch with security updates on end-user machines.
We also ensure that only authorised users can use and access Meet services by using a 2-Step Verification option for accounts — making them secure and convenient. Google Meet users can enroll their accounts in our Advanced Protection Program (APP), which provides our strongest protections available against phishing and account hijacking and is specifically designed for the highest-risk accounts.
Karthik Lakshminarayanan mentioned in a recent blog that Google Meet includes anti-hijacking measures for web meetings and dial-ins. Could you explain a little more about how attackers could hijack meetings (for example brute forcing numbers), and the potential effects?
Google Meet employs an array of counter-abuse protections to keep our customers’ meetings safe, including anti-hijacking measures for both web meetings and dial-ins — making it difficult to programmatically brute force meeting IDs.
A common way attackers hijack meetings is by guessing the meeting code. It’s why we made our meeting codes 10 characters long, with 25 characters in the set, making it harder to guess.
We also limit the ability of any participants to join the meeting more than 15 minutes in advance of the scheduled time, reducing the window in which a brute force attack can even be attempted.
How does Google protect its tools from these types of attacks?
We employ a vast array of safe-by-default measures to keep meetings safe for both web meetings and telephony dial-ins.
In addition to what is mentioned in responses above, all data between the user and Google for video meetings is encrypted by default. For every person and for every meeting, Google Meet generates a unique encryption key, which only lives as long as the meeting and is never stored to disk — meaning calls are secure and protected.
Our products, including Meet, also regularly undergo independent verification of their security, privacy, and compliance controls, achieving certifications, attestations of compliance and audits against standards around the world.
For G Suite and Google Meet users from admins right down to end users, what protections does Google Meet put in place to protect businesses and their staff?
As mentioned above, Google Meet takes advantage of the same secure-by-design infrastructure, built-in protection, and global network that Google uses to secure your information and safeguard your privacy.
We have a number of built-in features that are on by default and available to all users, so you can be sure the right protections are in place from the get-go.
To help ensure that only authorised users administer and access Meet services, we support multiple 2-Step Verification options for accounts that are secure and convenient. These include hardware and phone-based security keys and Google prompt. Additionally, Google Meet users can enroll their account in the Advanced Protection Program (APP), which provides our strongest protections available against phishing and account hijacking and is specifically designed for the highest-risk accounts.
For hosts, we offer additional capabilities for extra security. For example, only the meeting host will be able to admit participants not on the calendar invite and only they can remove or mute participants directly within a meeting. Also, meeting participants can’t rejoin nicknamed meetings once the final participant has left. This means if the instructor is the last person to leave a nicknamed meeting, people can’t join later without the host present.
We understand the importance our technology plays in keeping businesses and teams moving forward, and are committed to continually innovating with new features to make our tools helpful, secure, and safe.