What Is Google Cloud Platform Security? A Full Guide 2024

What Is a Shared Responsibility Model in GCP?

The shared responsibility model in Google Cloud Platform (GCP) describes how security duties are split between Google and its customers. 

Google secures the cloud’s infrastructure, including its physical buildings and software systems. Customers, on the other hand, must protect their own data and manage the settings of the cloud services they use. This division of responsibilities helps ensure that both Google and its customers actively contribute to keeping the cloud environment secure.

GCP and customer responsibilities across different cloud service models.

Infrastructure Security

Infrastructure security in Google Cloud Platform (GCP) refers to the protection of the physical and virtual components that support cloud services. It spans multiple layers, each with its own controls, so that cloud services are protected end to end.

These infrastructure layers are:

  • Low-level infrastructure: This includes physical components like data centers, servers and networking hardware. Google secures these with physical protections and security protocols.
  • Service deployment: This layer involves the software and systems that deploy and manage cloud services. Security measures are applied to ensure these systems are reliable.
  • Data storage: This covers the storage systems where data is kept. Encryption and other security measures are used to protect stored data.
  • Internet communication: This includes the networks and connections that transfer data over the internet. Security measures are implemented to prevent unauthorized access.
  • Operations: This involves the ongoing management and monitoring of all the above layers. Continuous monitoring and security checks are used to maintain infrastructure safety and functionality.

Customers can fulfill their responsibility by securely configuring and managing their data and applications. They should use GCP products like Virtual Private Cloud (VPC) for network isolation, Cloud Security Scanner for vulnerability detection and Cloud IAM to control permissions. 

Not properly implementing these measures can lead to data breaches, unauthorized access and service disruptions. These risks can lead to significant security incidents and impact business operations.

Security layers in the Google Cloud Platform infrastructure.

Network Security

Network security in GCP entails the measures taken to protect data as it travels across networks, such as securing data in transit, ensuring network isolation and protecting against external threats. GCP secures the underlying infrastructure, such as data centers and global networks, and provides tools and services to secure data as it moves across the infrastructure. 

Customers, on the other hand, are tasked with configuring and managing their own network security settings. They can use Virtual Private Cloud (VPC) to create isolated network environments, Cloud Armor for protection against DDoS attacks and Cloud VPN for secure connections between on-premises networks and GCP.

VPCs isolate and secure cloud resources by creating private networks within the Google Cloud Platform.

Application Security

Application security refers to the measures taken to protect applications running in the cloud from threats. It involves securing the application code, managing access and protecting against vulnerabilities. GCP provides a secure infrastructure and tools to help developers build secure applications, such as automatic security updates for managed services and security monitoring. 

GCP Platform-as-a-Service products such as App Engine handle security tasks like patching and system maintenance. Customers must secure the application code, configure security settings and regularly update their applications. They can use Cloud Web Security Scanner to detect vulnerabilities, Cloud IAM to control access and reCAPTCHA to prevent bots and abusive acts.

Cloud Web Security Scanner proactively identifies security vulnerabilities in web applications deployed on Google Cloud Platform.

Software Supply Chain Security

The software supply chain is the entire process of developing, building and deploying software applications, including all components, tools and services involved. Software supply chain security in GCP ensures the integrity and security of software from development through deployment, covering all phases of the software development life cycle (SDLC). 

Software supply chain security in GCP is a shared responsibility, with Google providing tools like Software Delivery Shield and customers implementing secure practices. Key GCP products include Cloud Build, Artifact Registry and Binary Authorization for secure CI/CD pipelines and container management. 

Cloud Build secures the software supply chain by automating builds and tests while enforcing security checks throughout the development process.

Customers must configure these tools, implement secure coding practices and manage access controls. Neglecting supply chain security can lead to vulnerabilities through compromised dependencies or unauthorized code changes, potentially resulting in data breaches or system compromises.

Data Security

Data security is the practice of protecting digital information from unauthorized access, corruption or theft throughout its life cycle. In Google Cloud Platform (GCP), this involves safeguarding data both when it is stored (data at rest) and while it is being transmitted (data in transit) through encryption and secure communication protocols. 

Google provides built-in encryption services and tools like the Cloud Key Management Service for encryption key management and Persistent Disk for data storage security. Customers are responsible for implementing their own security measures, such as setting appropriate access controls and managing encryption keys. Tools like Cloud IAM can help control access to data. 

Some of the encryption methods Google Cloud offers include the following:

  • Customer-supplied encryption keys (CSEK): Customers provide their own encryption keys, which Google uses but does not manage or store long term.
  • Cloud Key Management Service (KMS): This allows customers to manage and rotate encryption keys themselves within Google Cloud’s infrastructure.
  • Cloud Hardware Security Module (HSM): This offers a secure environment for customers to manage cryptographic operations using dedicated hardware.
  • Cloud External Key Manager (EKM): This lets customers manage encryption keys outside of Google’s infrastructure using supported external key management services.

Encryption methods protect sensitive data in Google Cloud Platform by encoding information at rest and in transit.

Identity and Access Management

Identity and Access Management (IAM) is a framework of policies and technologies that ensures users have appropriate access to technology resources. 

It involves the identification, authentication and authorization of users and systems within the Google Cloud environment. Google Cloud provides the IAM framework and tools that facilitate secure and granular access control through services such as Cloud Identity, Cloud IAM and Identity-Aware Proxy (IAP).

Identity-Aware Proxy enforces access controls for web applications and resources based on user identity and context.

Customers must configure and manage access controls to ensure users have the right level of access to resources. This responsibility includes applying the principle of least privilege, which dictates that permissions should be limited to only what is necessary for users to perform their tasks. 

The following security risks may emerge if these IAM policies are not properly configured:

  • Over-privileged users: Users with excessively broad access can unintentionally or maliciously harm resources.
  • Stale accounts: Outdated user credentials can provide an entry point for attackers if not promptly deactivated.
  • Misconfiguration: Incorrectly configured IAM policies can lead to unauthorized access and potential data breaches.
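
As an added example (not from the original article), the following Python script reviews a project IAM policy in the JSON shape that `gcloud projects get-iam-policy` returns and flags the over-privileged and misconfigured bindings described above: basic roles, public principals and admin roles bound to individuals rather than groups. The project, principals and roles in the sample policy are constructed.

```python
"""Least-privilege review of a GCP project IAM policy (added example).
The policy below is constructed in the shape that `gcloud projects get-iam-policy
PROJECT_ID --format=json` returns; the project, principals and roles are made up."""
from collections import defaultdict

# Basic roles bundle thousands of permissions; public principals expose the resource to everyone.
PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def roles_by_member(policy):
    """Invert bindings into {member: set(roles)} so each principal is reviewed once."""
    out = defaultdict(set)
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out[member].add(binding["role"])
    return out


def audit_policy(policy):
    """Return (severity, member, detail) findings, most severe first."""
    findings = []
    for member, roles in roles_by_member(policy).items():
        if member in PUBLIC_MEMBERS:
            findings.append(("HIGH", member, f"public principal holds {sorted(roles)}"))
            continue
        primitive = sorted(roles & PRIMITIVE_ROLES)
        if primitive:
            # Any workload running as a service account inherits every role it holds.
            sev = "HIGH" if member.startswith("serviceAccount:") or "roles/owner" in primitive else "MEDIUM"
            findings.append((sev, member, f"holds basic role(s) {primitive}"))
        admin = sorted(r for r in roles if r.endswith(("Admin", ".admin")))
        if admin and member.startswith("user:"):
            findings.append(("LOW", member, f"admin role(s) {admin} bound to an individual, not a group"))
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted(findings, key=lambda f: order[f[0]])


# Constructed sample: a public viewer, an over-privileged service account,
# an individual holding an admin role, and a correctly scoped group.
SAMPLE_POLICY = {
    "version": 1,
    "bindings": [
        {"role": "roles/editor", "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/viewer", "members": ["allUsers"]},
        {"role": "roles/storage.admin", "members": ["user:alice@example.com"]},
        {"role": "roles/logging.viewer", "members": ["group:auditors@example.com"]},
    ],
}
```

Running `audit_policy(SAMPLE_POLICY)` yields two HIGH findings (the service account with roles/editor and the public roles/viewer grant) and one LOW finding for the individually bound admin role; the correctly scoped group produces nothing.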

Endpoint Security

An endpoint is any device that connects to a network, such as a computer, smartphone, server or tablet. Endpoint security in cloud computing involves protecting these devices from cyber threats as they access Google Cloud services and data.

In GCP, endpoint security is a shared responsibility. Google’s role involves providing tools and technologies that help protect the devices that access its cloud infrastructure, ensuring they are safeguarded against cyber threats. 

Some tools that GCP provides include Cloud Endpoints and BeyondCorp Enterprise. However, it’s up to customers to ensure their devices are protected when they connect to Google Cloud. Customer measures include setting up secure network environments via virtual private clouds (VPCs), keeping security software updated and teaching users about safe online behavior.

BeyondCorp Enterprise implements Google’s zero-trust security model, enabling secure access to applications and resources without a traditional VPN.

Security Monitoring and Operating

Security monitoring and operating refers to the continuous process of overseeing and managing a network’s security posture by tracking, analyzing and responding to security threats and vulnerabilities to protect data and resources. 

Google provides the infrastructure and tools necessary for continuous security monitoring and threat detection within its cloud environment. This includes automated security assessments and real-time threat detection services.

These GCP monitoring and operating tools include:

  • Google Cloud Security Command Center: This offers a comprehensive view of the security status of cloud resources, enabling customers to detect and respond to threats.
  • Cloud Logging and Cloud Monitoring: These allow customers to collect, view and analyze security logs from across Google Cloud services.
  • Google Cloud anomaly detection: This automatically detects unusual activity that may indicate a security threat.

Cloud Logging records and analyzes security-related events across Google Cloud Platform resources to detect and investigate potential threats.

Customers are responsible for configuring these tools to suit their specific security needs, actively monitoring their own environments and responding to alerts. They must also establish their own security operations protocols to manage and mitigate incidents. 

The following security risks could emerge without proper monitoring:

  • Undetected threats: Without effective monitoring, some security threats might go unnoticed, potentially leading to data breaches or compromised systems.
  • Delayed response: Inadequate monitoring can result in slow responses to security incidents, increasing the damage caused by attacks.
  • Insufficient data analysis: Failure to properly configure and use monitoring tools can lead to gaps in security data analysis, hindering effective threat detection and response.
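
As an added example (not part of the original article), the following Python detection logic runs over a handful of constructed Cloud Audit Log Admin Activity entries and raises the alerts a security operations team would want from the logging tools above: privileged IAM grants, firewall rules opened to the internet and new service account keys. The entries mirror the protoPayload field names of real audit logs (methodName, authenticationInfo.principalEmail, serviceData.policyDelta.bindingDeltas, request), but the project, principals and resources are made up.

```python
"""Detection rules over Cloud Audit Log (Admin Activity) entries (added example).
Entries mirror the protoPayload shape of real logs; project, principals and resources are made up."""
PRIMITIVE_ROLES = {"roles/owner", "roles/editor"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def detect(entry):
    """Return finding strings for one log entry; an empty list means no alert."""
    p = entry.get("protoPayload", {})
    method = p.get("methodName", "")
    actor = p.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
    target = p.get("resourceName", "<unknown>")
    findings = []
    if method == "SetIamPolicy":
        # IAM audit entries carry the binding delta, so alert on what was added, not the whole policy.
        for d in p.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", []):
            if d.get("action") != "ADD":
                continue
            if d["member"] in PUBLIC_MEMBERS:
                findings.append(f"HIGH {actor} made {target} public ({d['role']} -> {d['member']})")
            elif d["role"] in PRIMITIVE_ROLES:
                findings.append(f"HIGH {actor} granted {d['role']} to {d['member']} on {target}")
    elif method == "v1.compute.firewalls.insert":
        req = p.get("request", {})
        if "0.0.0.0/0" in req.get("sourceRanges", []):
            ports = [x for a in req.get("allowed", []) for x in a.get("ports", ["all"])]
            findings.append(f"MEDIUM {actor} opened {target} to 0.0.0.0/0 on ports {ports}")
    elif method == "google.iam.admin.v1.CreateServiceAccountKey":
        # User-managed keys are long-lived credentials that go stale if never rotated or revoked.
        findings.append(f"MEDIUM {actor} created a user-managed key for {target}")
    return findings


def scan(entries):
    """Run every entry through detect() and return all findings in log order."""
    return [f for e in entries for f in detect(e)]


def _entry(method, actor, resource, **extra):
    return {"protoPayload": {"methodName": method, "resourceName": resource,
                             "authenticationInfo": {"principalEmail": actor}, **extra}}


# Constructed sample stream: three risky admin actions followed by one benign read.
SAMPLE_ENTRIES = [
    _entry("SetIamPolicy", "alice@example.com", "projects/example-project",
           serviceData={"policyDelta": {"bindingDeltas": [
               {"action": "ADD", "role": "roles/owner", "member": "user:bob@example.com"}]}}),
    _entry("v1.compute.firewalls.insert", "deploy@example-project.iam.gserviceaccount.com",
           "projects/example-project/global/firewalls/allow-ssh",
           request={"sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}),
    _entry("google.iam.admin.v1.CreateServiceAccountKey", "alice@example.com",
           "projects/-/serviceAccounts/app@example-project.iam.gserviceaccount.com"),
    _entry("v1.compute.instances.list", "alice@example.com", "projects/example-project"),
]
```

`scan(SAMPLE_ENTRIES)` returns three findings (one HIGH, two MEDIUM) and nothing for the read-only list call; in production the same rules would run against a log sink or Security Command Center export rather than an inline list.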

Governance, Risk and Compliance

Governance, risk and compliance (GRC) in cloud computing refers to the set of practices and processes used to ensure an organization’s IT operations align with business goals and adhere to regulatory requirements. It involves managing the risks associated with cloud environments and ensuring all cloud activities comply with both internal policies and external laws.

Failure to comply can lead to these risks:

  • Non-compliance fines and penalties: Failure to comply with relevant regulations can result in significant fines and legal consequences.
  • Data breaches due to inadequate policies: Without proper governance and risk management, organizations might face increased vulnerabilities, leading to potential data breaches.
  • Reputation damage: Non-compliance and poor governance practices can damage an organization’s reputation and trustworthiness.