World's most internetty firm tries life off the net, and it's sillier than it seems
What do you call an air-gapped Googler? Anything you like, they can't hear you
Opinion It seems intuitively obvious. Disconnect your PC from the internet, and it's safe from attack. Google thinks enough of the idea to try cutting off a couple of thousand workstations from the pestilential swamp. The air gap is an experiment in increasing the cost of mounting an attack, says the company.
Trying new approaches to security is a good idea, as is understanding the economic logic behind threats. Good for you, Google. It's just a shame it can't possibly work. It may even cause much more harm than good.
Start with the obvious. It isn't an air gap. A true air-gapped device has no connection to any other, wired or wireless. If you need to be really sure, you have to put it in a Faraday cage to muffle the broadcasts any digital processing makes – put an old AM radio next to a smartphone to hear how much screams into the ether.
At a stretch, a network can be air gapped if it has no internet working, but that's already intrinsically less safe. Any device on that network will compromise all of them if an accidental, surreptitious or illicit connection is made. That's what brought down the ultra-high security Iranian centrifuges purifying uranium: no direct internet connection needed if a Stuxnet-infected device is plugged in. And it's not as if the Brain boot sector virus couldn't spread across a globe full of impeccably air-gapped 1988 vintage PC clones.
Of course, the Google air gap is extremely virtual. Workers will still be on Google's internal network and have access to the normal tools and office software. Which brings in all those lovely attack vectors of email and shared documents. Exactly how the air gap will be implemented isn't clear, whether there are isolated network segments or user-mapped firewall whitelists, or some other approach. It doesn't matter. It won't work.
The ultimate reason is the ultra-dense irony of Google trying to cut itself off from the internet. It's so concentrated it collapses in on itself to a singularity of self-contradiction. No company has done more than Google to make our lives at work and outside completely dependent on the internet. Try turning your computer's network off and see how far you get. Unless the modern workplace is completely reinvented, cutting off the internet is cutting off the work.
This is where so much of the damage caused by everyday corporate IT security comes from. Like air gaps, it's easy to understand the basic principle of restricting users to things that the company can secure. Like air gaps, it supposes any such thing is possible. Instead of building a fortress of security, this approach has produced the biggest conspiracy of silence in the corporate world. Employees are made to do security awareness courses and given conditions of employment that mandate compliance with rules and the use of approved IT only. This is enough for management to comply with their own compliance rules. All boxes are ticked and the company can report a responsible and effective cybersecurity policy.
- Goodbye Azure AD, Entra the drag on your time and money
- The AI arms race could give us the cool without the cruel
- The number's up for 999. And 911. And 000. And 111
- Whose line is it anyway, GitHub? Innovation, not litigation, should answer
If only. The users pay lip service to the rules because they'll be sacked if they don't. But where the tools and policies get in the way of doing their jobs they use their own tools, moving data across, in and out of the corporate control zone in unorthodox ways. Corporate tools and protocols are usually terrible at helping people do their jobs because who asks users what they need? Besides, diversity is hard to manage.
Yet people need to do those damned jobs so find ways to do them. Their line managers do the same. Nobody admits to it, and as asking for help from support is dangerous, who knows how insecure it actually is? If you think diversity is expensive to secure, try not securing it at all.
An effective air-gap policy in general use will be this writ large. The stricter the lockdown, the more inventive the workarounds. You can't do as the vendors and analysts say, re-engineering businesses to see data as oxygen firing fast iteration based on analytics if you choke off the movement of that data. We're supposed to be removing silos, not welding them shut within Faraday cages.
The attack surface is the same membrane the business breathes through. It needs to be designed to be both permeable and resistant to infection, but little kills as surely and swiftly as suffocation.
There are few absolute rules in computing. Data has to move into and out of processors. There is no fundamental difference between data and instructions, whether a processor computes or obeys depends entirely on context. A perfectly secure computer is perfectly useless – but fortunately, it's also perfectly impossible.
Google knows all this. It would be far better advised to ignore the feelgood implausibility of the air gap and concentrate on making business IT that understands what users need, and helps them make good security decisions. Somebody has to. ®
Biting the hand that feeds IT
