Skip navigation
Tiered Security: Google Approach of "Just Enough" Security + Cloud Works For Employees

Tiered Security: Google Approach of "Just Enough" Security + Cloud Works For Employees

You’d think that you’d see nothing but Android devices at Google, a company that makes its own hardware and software for everything from laptops to phones. Pixel phones, Chromebooks, and assorted Android devices demonstrate just how deep Google’s reach is into our computing lives.

But internally, Google is as cross-platform as you can get. Employees can use Windows, Macs, or Chrome OS laptops. And there are plenty of iPhones to be found on the Googleplex alongside all of those Android phones.

What gives? The reality is that Google is rabidly cross-platform for a company that makes its own mobile and desktop operating systems. But instead of being just an academic discussion, there’s some practical benefit that comes from this knowledge that may be of use to you. A deeper look inside the Googleplex offers some strategies that might impact how to implement your own multiplatform computing environment.

Why to Use a Tiered-Access Approach to Security

The initial interest in this topic came from a talk by product manager Andrew Toy titled, “Google on Google: How Google manages its own employees' devices” (you can watch the full session if you’d like on YouTube).

The main takeaway is that Google takes a tiered access approach to security. The idea is that someone can do most of their work at a moderately trusted tier of security - the highest tier is only necessary for tasks that require much tighter controls.

Google examines three different strategies for how enterprises commonly handle employees' mobile devices.

“You shouldn't have to go all the way to fully trusted security tier to get your job done. Our approach is if you're doing a job,  you should be able to do the vast majority of your job day to day in a mostly trusted tier,” he said. “And you should be able to do most of your job sitting in a minimally trusted tier.”

Toy’s argument is that Google doesn’t take a binary approach to security. For example, he said no one should be keeping nuclear codes on mobile devices. So to that, some people react with “OK, it’s insecure!” and limit their employees’ mobile access. Instead, companies would benefit by taking a look at what level of security is needed for specific tasks, and work to make that happen while granting maximum freedom to one’s team. The ongoing balance between security and access is in a constant state of evaluation, he said.

Grab and go

The cross-platform approach was also an interesting peek inside the plex. Windows and macOS are fully supported for internal use, although the company uses its an internally built image to install on company-issued Mac and Windows PCs. Chrome OS, by comparison, meets the security guidelines out of the box given the minimal amount of onboard software it runs.

Google even has stations around the company where employees can pick up a loaner computer, sign in to their account, and access what they need. Video conferences are also rapidly available, no doubt inspiration for the Hangouts pivot to G Suite. While the necessary security key may be a step beyond many companies, it speaks to how much Google believes in working in the cloud.

Google enables its employees to grab a loaner Chrome device, a nice perk of living a cloud existence.

“I’ve never seen such a focus on security and a focus on giving as much access all the time to our employees,” he said. “We’re constantly working at how can we set up our security so that we give our employees the most access possible?

On the one hand, Google is trying to show that its approach to internal security is an ideal one, so of course sign up right away for one of those G Suite or Google Cloud Platform packages.

On the other hand, a company as big and successful as Google certainly offers some things to learn about an approach to security and device usage: Security doesn’t have to be zero-sum game. And you don’t need to stick exclusively to Google’s products to get the company’s support.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.