Let’s see how Google Cloud provides capabilities across the various layers of security.
Infrastructure Security
Google’s stack builds security through progressive layers that deliver true defense in depth at scale. Google’s hardware infrastructure is custom-designed “from chip to chiller” to precisely meet specific requirements. Its software and OS are stripped-down, hardened versions of Linux. Titan purpose-built chips help establish a hardware root of trust. This end-to-end provenance and attestation helps Google greatly reduce the “vendor in the middle” problem.
Network Security
Network security is partly the cloud provider’s responsibility and partly yours. Providers work to make sure that traffic is secure and encrypted and that communication with other services on the public Internet is secure. They also offer strong baseline protection against network attacks.
You are responsible for defining and enforcing your application perimeter, segmentation of your projects between teams and organizations, managing remote access for your employees, and implementing additional DoS defense.
- Google Cloud Virtual Private Cloud (VPC) offers private connectivity between multiple regions without communicating across the public Internet. You can use a single VPC for an entire organization, isolated within projects.
- VPC flow logs capture information about IP traffic to and from network interfaces and help with network monitoring, forensics, real-time security analysis, and expense optimization.
- Shared VPC helps configure a VPC network to be shared across several projects in your organization. Connectivity routes and firewalls are managed centrally. You can also segment your networks with a global distributed firewall to restrict access to instances.
- Firewall Rules Logging lets you audit, verify, and analyze the effects of your firewall rules.
- VPC Service Controls extend perimeter security to managed Google Cloud services by preventing access from unauthorized networks.
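VPC flow logs are only useful for forensics if someone actually reads them, so here is an added example (not code from the original post or from Google) of the kind of check a security team would run over exported flow log records: it sums bytes each VM sends to addresses outside the RFC 1918 ranges and flags sources above a threshold. The records below are constructed; the field names (`connection`, `bytes_sent`, `reporter`, `src_instance`) follow the VPC flow log `jsonPayload` layout, and the `reporter` field is used to count each flow once from the sending side.

```python
import ipaddress
from collections import defaultdict

# Constructed VPC flow log records (the jsonPayload part of each entry).
# Field names follow the VPC flow log record format; every value is made up.
SAMPLE_FLOW_LOGS = [
    {"connection": {"src_ip": "10.0.1.5", "dest_ip": "10.0.2.9", "src_port": 51234, "dest_port": 443, "protocol": 6},
     "bytes_sent": 120000, "reporter": "SRC", "src_instance": {"vm_name": "web-1"}},
    {"connection": {"src_ip": "10.0.1.5", "dest_ip": "203.0.113.10", "src_port": 51235, "dest_port": 443, "protocol": 6},
     "bytes_sent": 900000000, "reporter": "SRC", "src_instance": {"vm_name": "web-1"}},
    # Same flow reported from the destination side; skipped so it is not double counted.
    {"connection": {"src_ip": "203.0.113.10", "dest_ip": "10.0.1.5", "src_port": 443, "dest_port": 51235, "protocol": 6},
     "bytes_sent": 4200, "reporter": "DEST", "dest_instance": {"vm_name": "web-1"}},
    {"connection": {"src_ip": "10.0.1.7", "dest_ip": "198.51.100.4", "src_port": 40001, "dest_port": 22, "protocol": 6},
     "bytes_sent": 4096, "reporter": "SRC", "src_instance": {"vm_name": "db-1"}},
    {"connection": {"src_ip": "10.0.1.7", "dest_ip": "198.51.100.4", "src_port": 40002, "dest_port": 8443, "protocol": 6},
     "bytes_sent": 6500000, "reporter": "SRC", "src_instance": {"vm_name": "db-1"}},
]

# RFC 1918 ranges; anything else is treated as outside the VPC for this example.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)


def summarize_egress(entries):
    """Per source VM: total bytes sent to external addresses and the set of (ip, port) reached."""
    totals = defaultdict(lambda: {"bytes": 0, "dests": set()})
    for e in entries:
        if e.get("reporter") != "SRC":   # count each flow once, from the sending side
            continue
        conn = e["connection"]
        if is_internal(conn["dest_ip"]):
            continue
        vm = e.get("src_instance", {}).get("vm_name", conn["src_ip"])
        totals[vm]["bytes"] += e["bytes_sent"]
        totals[vm]["dests"].add((conn["dest_ip"], conn["dest_port"]))
    return dict(totals)


def flag_heavy_egress(entries, byte_threshold=50 * 1024 * 1024):
    """VMs whose external egress exceeds the threshold (50 MiB by default, a constructed figure)."""
    return sorted(vm for vm, s in summarize_egress(entries).items() if s["bytes"] > byte_threshold)


if __name__ == "__main__":
    for vm, s in summarize_egress(SAMPLE_FLOW_LOGS).items():
        print(f"{vm}: {s['bytes']} bytes to {sorted(s['dests'])}")
    print("flagged:", flag_heavy_egress(SAMPLE_FLOW_LOGS))
```

The threshold is deliberately a parameter: a web tier legitimately sends a lot outbound, a database VM normally does not, so in practice you would baseline per workload rather than apply one number to the whole VPC.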
Application Security
When building an application or API on the cloud, you are responsible for the application’s security, including scanning and testing. Adopt practices such as these:
- Allow and deny traffic based on authentication and authorization of the user.
- Use or implement services to block bots and fraudulent users from your website.
You can protect your Internet-facing applications against attacks by using Web App and API protection (WAAP) solutions. This solution is a combination of:
- Cloud Load Balancing: Provides automatic defense against Layer 3 and Layer 4 DDoS attacks.
- Cloud Armor: Filters incoming web requests by geography or a host of L7 parameters such as request headers, cookies, or query strings.
- reCAPTCHA Enterprise: Provides protection against bots and fraudulent users.
- Apigee API Gateway: Protects API backends by throttling API traffic against DDoS attacks and controls access to APIs with OAuth, API key validation, and other threat-protection capabilities.
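To make the Cloud Armor bullet concrete, here is an added example (my own illustration, not Cloud Armor code or its rule language) of how a priority-ordered L7 policy is evaluated: rules are checked from the lowest priority number up, the first match decides, and a catch-all default rule sits at the highest priority value. The geography codes, user-agent string, and regular expression are constructed; real Cloud Armor rules are written in its CEL-based expression language.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Request:
    src_region: str                      # country code a geo lookup would supply
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    query: Dict[str, str] = field(default_factory=dict)

    def __post_init__(self):
        # HTTP header names are case-insensitive; normalise once so matchers are simple.
        self.headers = {k.lower(): v for k, v in self.headers.items()}


@dataclass
class Rule:
    priority: int                        # lower number is evaluated first
    action: str                          # "allow" or "deny"
    match: Callable[[Request], bool]
    description: str = ""


DEFAULT_RULE_PRIORITY = 2147483647       # the catch-all rule goes last


# Small matcher builders standing in for the expression language.
def origin_in(*regions):
    return lambda r: r.src_region in regions


def header_contains(name: str, needle: str):
    return lambda r: needle.lower() in r.headers.get(name.lower(), "").lower()


def query_param_matches(key: str, pattern: str):
    compiled = re.compile(pattern)
    return lambda r: compiled.search(r.query.get(key, "")) is not None


def path_startswith(prefix: str):
    return lambda r: r.path.startswith(prefix)


# Constructed policy. "XX" is a made-up region code.
POLICY: List[Rule] = [
    Rule(1000, "deny", origin_in("XX"), "geo block for a region the service does not serve"),
    Rule(2000, "deny", query_param_matches("q", r"(?i)union\s+select"), "obvious SQL injection probe in the q parameter"),
    Rule(3000, "deny", header_contains("User-Agent", "sqlmap"), "known scanner user agent"),
    Rule(4000, "allow", path_startswith("/healthz"), "load balancer health checks"),
    Rule(DEFAULT_RULE_PRIORITY, "allow", lambda r: True, "default rule"),
]


def evaluate(policy: List[Rule], req: Request) -> Tuple[str, int]:
    """Return (action, priority) of the first matching rule in priority order."""
    for rule in sorted(policy, key=lambda r: r.priority):
        if rule.match(req):
            return rule.action, rule.priority
    raise ValueError("policy has no default rule")


if __name__ == "__main__":
    print(evaluate(POLICY, Request("US", "/search", query={"q": "1 UNION SELECT"})))
    print(evaluate(POLICY, Request("XX", "/healthz")))
```

Note that ordering is part of the policy's meaning: the geo deny at 1000 wins over the health-check allow at 4000, which is what you want only if health checks never originate from that region. Putting an allow rule too low can silently exempt traffic from every check that follows it.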
Software Supply Chain Security
Securing your software requires establishing, verifying, and maintaining a chain of trust, to establish the provenance or origin trail of your code, via attestations, generated and checked throughout your software development and deployment process. Open source SLSA (Supply Chain Levels for Software Artifacts) is an end-to-end framework for supply chain integrity that you can adopt incrementally to increase your security posture.
In Google Cloud, the Binary Authorization service establishes, verifies, and maintains a chain of trust through attestations and policy checks across the different steps of the SDLC.
- Code: Use Open Source Insights to identify dependencies, security advisories, and licenses across open source code.
- Build: Cloud Build captures another set of attestations (tests run, build tools used, etc.) that add to your chain of trust.
- Test and scan: A completed build stored in Artifact Registry is automatically scanned for vulnerabilities.
- Deploy and run: Binary Authorization verifies authenticity and allows deployment only when attestations meet organization policy. It also continuously validates conformance to the policy after deployment.
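The four steps above form one admission decision, so here is an added example (not Binary Authorization's own code) that models the whole chain: an attestor signs a statement about an exact image digest, the deploy step admits the image only when every attestor the policy requires has a verifiable attestation for that digest, and a continuous-validation pass re-checks what is already running. Real attestors sign with PKIX or PGP keys; HMAC-SHA256 with constructed keys stands in here so the example runs on the standard library alone. The attestor names are constructed.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed attestor keys. Real attestors use asymmetric keys; HMAC stands in here.
ATTESTOR_KEYS: Dict[str, bytes] = {
    "build-attestor": b"constructed-build-key",
    "vuln-scan-attestor": b"constructed-scan-key",
}


@dataclass(frozen=True)
class Attestation:
    attestor: str
    image_digest: str        # "sha256:<hex>", binds the statement to one exact image
    signature: str           # hex MAC over the canonical payload


def image_digest(image_bytes: bytes) -> str:
    return "sha256:" + hashlib.sha256(image_bytes).hexdigest()


def _payload(attestor: str, digest: str) -> bytes:
    # Canonical encoding so signer and verifier hash identical bytes.
    return json.dumps({"attestor": attestor, "image_digest": digest}, sort_keys=True).encode()


def attest(attestor: str, digest: str) -> Attestation:
    """The build or scan stage signs a statement about one digest."""
    sig = hmac.new(ATTESTOR_KEYS[attestor], _payload(attestor, digest), hashlib.sha256).hexdigest()
    return Attestation(attestor, digest, sig)


def verify(att: Attestation) -> bool:
    key = ATTESTOR_KEYS.get(att.attestor)
    if key is None:
        return False
    expected = hmac.new(key, _payload(att.attestor, att.image_digest), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, att.signature)


def admit(digest: str, attestations: Iterable[Attestation], required: Iterable[str]) -> Tuple[bool, str]:
    """Deploy-time check: every required attestor must have a verified attestation for this digest."""
    satisfied = {a.attestor for a in attestations if a.image_digest == digest and verify(a)}
    missing = sorted(set(required) - satisfied)
    if missing:
        return False, "missing attestations: " + ", ".join(missing)
    return True, "all required attestations verified"


def continuous_validation(running: Dict[str, Tuple[str, List[Attestation]]], required: Iterable[str]) -> List[str]:
    """Re-evaluate already-running workloads against the current policy; return the non-conformant ones."""
    required = list(required)
    return sorted(name for name, (digest, atts) in running.items() if not admit(digest, atts, required)[0])


if __name__ == "__main__":
    policy = ["build-attestor", "vuln-scan-attestor"]
    d = image_digest(b"constructed image v1")
    atts = [attest("build-attestor", d), attest("vuln-scan-attestor", d)]
    print(admit(d, atts, policy))
    print(admit(d, atts[:1], policy))
```

Two properties matter most: an attestation is bound to a digest, not a tag, so re-tagging a different image does not inherit its approvals; and tightening the policy (adding a required attestor) is caught by the continuous pass for workloads that were admitted under the older policy.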
Data Security
Data security is a shared responsibility between you and the cloud provider. The cloud provider offers some capabilities built into the infrastructure such as data encryption at rest and in transit, whereas you are responsible for your applications’ data security. This includes secure key and secret management, finding sensitive data, enforcing controls, preventing exfiltration, and preventing data loss.
Google Cloud offers data encryption at rest and in transit with the option to encrypt data in use using Confidential Computing. If you need the data to be encrypted via your own keys, you can bring your own key (CSEK), use Google’s managed Key Management Service (KMS), use a hardware security module (HSM), or use an external key manager (EKM). Data Loss Prevention (Cloud DLP) helps discover, classify, and protect sensitive data.
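The "discover, classify, and protect" loop that Cloud DLP performs can be shown end to end in a few dozen lines, so here is an added example (my own code, not Cloud DLP or its API) that inspects text for three kinds of sensitive data, validates credit card candidates with the Luhn check to cut false positives, and de-identifies the findings by masking. The infoType names mirror Cloud DLP's built-in ones; the sample text and the 4111 test card number are constructed.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Pattern, Tuple

# Constructed input; the card number is a standard test number, not a real account.
SAMPLE = "Contact alice@example.com, card 4111 1111 1111 1111, ref 1234 5678 9012 3456, SSN 123-45-6789."


@dataclass(frozen=True)
class Finding:
    info_type: str
    start: int
    end: int
    quote: str


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out number-like strings that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# (infoType name, pattern, extra validator). Names follow Cloud DLP's built-in infoTypes.
DETECTORS: List[Tuple[str, Pattern, Callable[[re.Match], bool]]] = [
    ("EMAIL_ADDRESS", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), lambda m: True),
    ("CREDIT_CARD_NUMBER", re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
     lambda m: luhn_ok(re.sub(r"[ -]", "", m.group()))),
    ("US_SOCIAL_SECURITY_NUMBER", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), lambda m: True),
]


def inspect(text: str) -> List[Finding]:
    """Discover and classify: return validated findings in document order."""
    findings = []
    for info_type, pattern, validator in DETECTORS:
        for m in pattern.finditer(text):
            if validator(m):
                findings.append(Finding(info_type, m.start(), m.end(), m.group()))
    return sorted(findings, key=lambda f: f.start)


def deidentify(text: str, findings: List[Finding], keep_last: int = 4) -> str:
    """Protect: mask each finding in place; card numbers keep their last digits, as a receipt would."""
    out, pos = [], 0
    for f in findings:
        out.append(text[pos:f.start])
        if f.info_type == "CREDIT_CARD_NUMBER":
            digits = re.sub(r"[ -]", "", f.quote)
            out.append("*" * (len(digits) - keep_last) + digits[-keep_last:])
        else:
            out.append(f"[{f.info_type}]")
        pos = f.end
    out.append(text[pos:])
    return "".join(out)


if __name__ == "__main__":
    found = inspect(SAMPLE)
    for f in found:
        print(f.info_type, repr(f.quote))
    print(deidentify(SAMPLE, found))
```

The "ref" number in the sample looks like a card number but fails Luhn, so it is left alone; that validator step is what separates a usable scanner from one that redacts every order ID it sees.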
Identity and Access Management (IAM)
IAM requires securely managing the user life cycle and application access, including authentication of the user and authorization of those users to appropriate services.
In Google Cloud, Cloud Identity is the IdP that provides the authentication options. It stores and manages digital identities for cloud users, and it also provides two-step verification and SSO integration with third-party identity providers such as Okta, Ping, ADFS, and Azure AD.
Once authenticated, Cloud IAM provides the authorization (who can do what and where on Google Cloud) by providing fine-grained access control and visibility for centrally managing cloud resources. IAM policies manage access control for Google Cloud resources, and IAM Roles help set fine-grained permissions.
BeyondCorp Enterprise enacts a zero-trust model for access to your applications and resources. No one can access your resources unless they meet all the rules and conditions codified in per-resource access policies.
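"Who can do what and where" is easiest to reason about with a policy in hand, so here is an added example (my own code, not the IAM service or its client library) that evaluates IAM-style policies the way the bullets above describe them: bindings of roles to members, roles that expand to permissions, policies inherited down the resource hierarchy, group membership resolved through the identity provider, and a per-binding condition of the kind a zero-trust access policy would carry. The role-to-permission map is a constructed subset (real predefined roles hold many more permissions), the group and user names are constructed, and Python callables stand in for IAM's CEL condition expressions.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Set

# Constructed, simplified role-to-permission map.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/viewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectAdmin": {"storage.objects.get", "storage.objects.list",
                                  "storage.objects.create", "storage.objects.delete"},
    "roles/owner": {"storage.objects.get", "storage.objects.list", "storage.objects.create",
                    "storage.objects.delete", "resourcemanager.projects.setIamPolicy"},
}

# Constructed group membership, as the identity provider would resolve it.
GROUPS: Dict[str, Set[str]] = {
    "group:devs@example.com": {"user:alice@example.com", "user:bob@example.com"},
}

# Constructed corporate range used by the conditional binding below.
CORP_RANGE = ipaddress.ip_network("10.0.0.0/8")


def from_corp_network(ctx: dict) -> bool:
    """Condition stand-in: the request must originate inside the corporate range."""
    return ipaddress.ip_address(ctx.get("origin_ip", "0.0.0.0")) in CORP_RANGE


# Project-level policy (inherited by every resource in the project).
PROJECT_POLICY = {"bindings": [
    {"role": "roles/viewer", "members": ["group:devs@example.com"]},
    {"role": "roles/owner", "members": ["user:carol@example.com"]},
]}

# Bucket-level policy; the admin grant is conditional, the viewer grant is public.
BUCKET_POLICY = {"bindings": [
    {"role": "roles/storage.objectAdmin", "members": ["user:alice@example.com"], "condition": from_corp_network},
    {"role": "roles/viewer", "members": ["allUsers"]},
]}


def member_matches(member: str, principal: Optional[str]) -> bool:
    """principal is None for an unauthenticated caller."""
    if member == "allUsers":
        return True
    if member == "allAuthenticatedUsers":
        return principal is not None
    if member == principal:
        return True
    return principal in GROUPS.get(member, set())


def effective_permissions(policies: List[dict], principal: Optional[str], context: Optional[dict] = None) -> Set[str]:
    """Union of permissions from every policy on the resource's ancestry path."""
    perms: Set[str] = set()
    for policy in policies:
        for binding in policy.get("bindings", []):
            cond: Optional[Callable[[dict], bool]] = binding.get("condition")
            if cond is not None and not cond(context or {}):
                continue
            if any(member_matches(m, principal) for m in binding["members"]):
                perms |= ROLE_PERMISSIONS.get(binding["role"], set())
    return perms


def has_permission(policies, principal, permission, context=None) -> bool:
    return permission in effective_permissions(policies, principal, context)


def public_bindings(policy: dict) -> List[str]:
    """Roles granted to everyone; an audit should surface each of these."""
    return [b["role"] for b in policy.get("bindings", [])
            if any(m in ("allUsers", "allAuthenticatedUsers") for m in b["members"])]


if __name__ == "__main__":
    chain = [PROJECT_POLICY, BUCKET_POLICY]
    print(sorted(effective_permissions(chain, "user:alice@example.com", {"origin_ip": "10.1.2.3"})))
    print(sorted(effective_permissions(chain, "user:alice@example.com", {"origin_ip": "203.0.113.5"})))
    print("public roles on bucket:", public_bindings(BUCKET_POLICY))
```

Because permissions are a union across the hierarchy, a broad grant at the project level cannot be taken back at the bucket level; that is why the audit function looks for `allUsers` bindings rather than assuming a lower-level policy narrows access.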
Endpoint Security
Endpoint security is critical for protecting users and access. You need to make sure you apply patches, prevent compromises, and manage user devices, including the policies that define which device has access to which resources in your application or projects.
Safe Browsing or Web Risk API: Lets client applications check URLs against Google’s constantly updated lists of unsafe web resources. With Safe Browsing you can:
- Check pages against Google’s Safe Browsing lists based on platform and threat types.
- Warn users before they click links in your site that may lead to infected pages.
- Prevent users from posting links to known infected pages from your site.
Device Management: To ensure corporate data is controlled, Device Management lets you administer mobile devices, such as smartphones, tablet computers, laptops, and desktop computers that are associated with your organization.
Security Monitoring and Operations
From a security operations (SecOps) perspective, you need to prevent, detect, respond to, and remediate threats in the cloud. In Google Cloud you can achieve this using these features:
- Security Command Center: Continuously monitors your Google Cloud environment for misconfigurations, detects threats and malicious activity, and helps maintain compliance.
- Audit Logs: Cloud Logging offers audit logs that record administrative activities and accesses within your Google Cloud resources. Audit logs help you answer “who did what, where, and when?”
- Access Transparency: Logs record the actions that Google personnel take when accessing customer content.
- Cloud IDS: Cloud Intrusion Detection System provides managed, cloud-native network threat detection for malware, spyware, and command-and-control attacks.
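The audit log bullet promises an answer to "who did what, where, and when?", and here is an added example (my own code, not Cloud Logging or its client library) of pulling exactly those four fields out of exported Admin Activity entries and triaging the ones that change IAM or firewall state, with a flag when the caller's IP lies outside a corporate range. The entries are constructed; their shape follows the Cloud Audit Logs `AuditLog` payload (`protoPayload.methodName`, `resourceName`, `authenticationInfo.principalEmail`, `requestMetadata.callerIp`), and the corporate range and the list of sensitive method names are assumptions for the example.

```python
import ipaddress
import json
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed audit log entries, serialized as the JSON lines a log export would produce.
SAMPLE_ENTRIES = [json.dumps(e) for e in [
    {"timestamp": "2024-03-01T09:15:02Z",
     "logName": "projects/example-proj/logs/cloudaudit.googleapis.com%2Factivity",
     "severity": "NOTICE",
     "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
                      "serviceName": "cloudresourcemanager.googleapis.com",
                      "methodName": "SetIamPolicy",
                      "resourceName": "projects/example-proj",
                      "authenticationInfo": {"principalEmail": "alice@example.com"},
                      "requestMetadata": {"callerIp": "10.20.30.40"}}},
    {"timestamp": "2024-03-01T09:16:40Z",
     "logName": "projects/example-proj/logs/cloudaudit.googleapis.com%2Factivity",
     "severity": "NOTICE",
     "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
                      "serviceName": "compute.googleapis.com",
                      "methodName": "v1.compute.firewalls.insert",
                      "resourceName": "projects/example-proj/global/firewalls/allow-all-ssh",
                      "authenticationInfo": {"principalEmail": "deploy-sa@example-proj.iam.gserviceaccount.com"},
                      "requestMetadata": {"callerIp": "198.51.100.77"}}},
    {"timestamp": "2024-03-01T09:18:05Z",
     "logName": "projects/example-proj/logs/cloudaudit.googleapis.com%2Fdata_access",
     "severity": "INFO",
     "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
                      "serviceName": "storage.googleapis.com",
                      "methodName": "storage.objects.get",
                      "resourceName": "projects/_/buckets/example-bucket/objects/report.pdf",
                      "authenticationInfo": {"principalEmail": "bob@example.com"},
                      "requestMetadata": {"callerIp": "10.20.30.41"}}},
]]

# Assumptions for the triage step: methods that alter IAM or firewall state, and the corporate egress range.
SENSITIVE_METHODS = ("SetIamPolicy", "compute.firewalls.insert", "compute.firewalls.patch", "compute.firewalls.delete")
CORP_NET = ipaddress.ip_network("10.20.30.0/24")


@dataclass(frozen=True)
class AuditEvent:
    when: datetime
    who: str          # principalEmail
    what: str         # methodName
    where: str        # resourceName
    caller_ip: str
    service: str


def parse_audit_entry(line: str) -> Optional[AuditEvent]:
    """Turn one exported JSON entry into the who/what/where/when tuple; None if it is not an AuditLog."""
    entry = json.loads(line)
    p = entry.get("protoPayload", {})
    if p.get("@type") != "type.googleapis.com/google.cloud.audit.AuditLog":
        return None
    return AuditEvent(
        when=datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00")),
        who=p.get("authenticationInfo", {}).get("principalEmail", "<unknown>"),
        what=p["methodName"],
        where=p.get("resourceName", ""),
        caller_ip=p.get("requestMetadata", {}).get("callerIp", ""),
        service=p.get("serviceName", ""),
    )


def describe(ev: AuditEvent) -> str:
    return f"{ev.when.isoformat()} {ev.who} called {ev.what} on {ev.where} from {ev.caller_ip}"


def triage(lines: List[str], sensitive=SENSITIVE_METHODS, corp_net=CORP_NET) -> List[Tuple[AuditEvent, bool]]:
    """Events that change IAM or firewall state, each paired with whether the caller was outside corp_net."""
    alerts = []
    for line in lines:
        ev = parse_audit_entry(line)
        if ev is None:
            continue
        if any(ev.what.endswith(s) for s in sensitive):
            outside = bool(ev.caller_ip) and ipaddress.ip_address(ev.caller_ip) not in corp_net
            alerts.append((ev, outside))
    return alerts


if __name__ == "__main__":
    for ev, outside in triage(SAMPLE_ENTRIES):
        print(("OUTSIDE " if outside else "") + describe(ev))
```

The method name is matched by suffix because Compute audit entries carry an API version prefix (`v1.`, `beta.`) in front of the method, while resource manager entries do not; a strict equality check would miss one or the other.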
Governance, Risk, and Compliance
Google Cloud is compliant with major security certifications such as PCI DSS, FedRAMP, HIPAA, and more. Google Cloud products regularly undergo independent verification of their security, privacy, and compliance controls, achieving certifications, attestations, and audit reports to demonstrate compliance.