Google Cloud FedRAMP implementation guide

This guide is intended for security officers, compliance officers, IT admins, and other employees who are responsible for Federal Risk and Authorization Management Program (FedRAMP) implementation and compliance on Google Cloud. This guide helps you understand how Google is able to support FedRAMP compliance and which Google Cloud tools, products, and services to configure to help meet your responsibilities under FedRAMP.

Overview

Google Cloud supports FedRAMP compliance, and provides specific details on the approach to security and data protection in the Google security whitepaper and in the Google Infrastructure Security Design Overview. Although Google provides a secure and compliant cloud infrastructure, you are ultimately responsible for evaluating your own FedRAMP compliance. You're also responsible for ensuring that the environment and applications that you build on top of Google Cloud are properly configured and secured according to FedRAMP requirements.

This document outlines the FedRAMP Authority to Operate (ATO) phases at a high level, explains the Google Cloud shared responsibility model, highlights customer-specific responsibilities, and suggests how to meet these requirements and guidelines on Google Cloud.

FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that standardizes how the Federal Information Security Modernization Act (FISMA) applies to cloud computing. It establishes a repeatable approach to security assessment, authorization, and continuous monitoring for cloud-based services.

Using FedRAMP's standards and guidelines, you can secure sensitive, mission-essential, and mission-critical data in the cloud, making it possible to detect cybersecurity vulnerabilities quickly.

At a high level, FedRAMP has the following goals:

  • Ensure that cloud services and systems used by government agencies have adequate safeguards.
  • De-duplicate efforts and reduce risk management costs.
  • Enable government agencies to rapidly and cost effectively procure information systems and services.

In adherence to FedRAMP, federal government agencies must do the following:

  • Ensure that all cloud systems which process, transmit, and store government data use the FedRAMP security controls baseline.
  • Use the security assessment framework when granting security authorizations under FISMA.
  • Enforce FedRAMP requirements through contracts with cloud service providers (CSPs).

Authority to Operate (ATO)

Successful implementation and execution of the FedRAMP accreditation process culminates with an Authority to Operate (ATO) in the cloud. There are two paths for FedRAMP ATO: P-ATO and Agency ATO.

P-ATO, or Provisional Authority to Operate, is granted by the FedRAMP Joint Authorization Board (JAB). The JAB is composed of CIOs from the Department of Homeland Security (DHS), the General Services Administration (GSA), and the Department of Defense (DoD). The board defines the baseline FedRAMP security controls and establish the FedRAMP accreditation criteria for third-party assessment organizations (3PAOs). Organizations and agencies request to have their information system security package processed by the JAB, and the JAB then issues P-ATO to use cloud services.

With Agency ATO, the internal organization or agency designates authorizing officials (AOs) to conduct a risk review of the information system security package. The AO can engage 3PAOs or non-accredited, independent assessors (IAs) to review the information system security package. The AO, and later the agency or organization, then authorizes the information system's use of cloud services. The security package is also sent to the FedRAMP Program Management Office (PMO) for review; GSA is the PMO for FedRAMP. After review, the PMO publishes the security package for other agencies and organizations to use.

Security assessment framework

Authorizing Officials (AOs) at agencies and organizations must incorporate the FedRAMP security assessment framework (SAF) into their internal authorization processes to ensure that they meet FedRAMP requirements for cloud services use. The SAF is implemented in four phases:

Four phases of the security assessment framework.

You or your AO categorize your information system as a Low, Moderate, or High impact system according to FIPS PUB 199 security objectives for confidentiality, integrity, and availability.

Based on the system's FIPS categorization, select the FedRAMP security controls baseline that correlates with the FIPS 199 categorization level of low, moderate, or high. You must then implement the security controls captured in the respective controls baseline. Alternative implementations and justification for why a control can't be met or implemented is also acceptable.

Capture the details of the security controls implementation in a System Security Plan (SSP). We recommend that you select the SSP template according to the FedRAMP compliance level—Low, Moderate, or High.

The SSP does the following:

  • Describes the security authorization boundary.
  • Explains how the system implementation addresses each FedRAMP security control.
  • Outlines system roles and responsibilities.
  • Defines expected system user behavior.
  • Exhibits how the system is architected and what the supporting infrastructure looks like.

You use the FedRAMP authorization review template to track your ATO progress.

For more details about the implementation phases, see the FedRAMP's agency authorization process.

Cloud responsibility model

Conventional infrastructure technology (IT) required organizations and agencies to purchase, physical data center or colocation space, physical servers, networking equipment, software, licenses, and other devices for building systems and services. With cloud computing, a CSP invests in the physical hardware, data center, and global networking, while also providing virtual equipment, tools, and services for customers to use.

Three cloud computing models exist: infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS):

  • In the IaaS model, CSPs essentially supply a virtual data center in the cloud, and they deliver virtualized computing infrastructure such as servers, networks, and storage. Although CSPs manage the physical equipment and data centers for these resources, you are responsible for configuring and securing any of the platform or application resources that you run on the virtualized infrastructure.

  • In the PaaS model, CSPs not only provide and manage the infrastructure and virtualization layer, they also provide customers with a pre-developed, pre-configured platform for creating software, applications, and web services. PaaS makes it easy for developers to create applications and middleware without worrying about security and configuration of the underlying hardware.

  • In the SaaS model, CSPs manage the physical and virtual infrastructure and the platform layer while delivering cloud-based applications and services for customers to consume. Internet applications that run directly from the web browser or by going to a website are SaaS applications. With this model, organizations and agencies don't have to worry about installing, updating, or supporting applications; they simply manage system and data access policies.

The following figure highlights CSP responsibilities and your responsibilities both on-premises and across cloud computing models:

CSP and customer responsibilities.

FedRAMP responsibility

You can view the cloud IT stack relative to four layers: the physical infrastructure layer, the cloud infrastructure layer, the cloud platform layer, and the cloud software layer. The following diagram shows these layers.

Layers in the cloud IT stack.

The numbered layers in the diagram correspond to the following:

  1. Software as a service. Google Workspace is also certified as FedRAMP Moderate. In order to inherit these SaaS security controls, you can request a copy of Google's ATO package from the JAB and include a copy of Google's attestation letter in your package.
  2. Platform as a service. In addition to Google Cloud's FedRAMP certified physical infrastructure, additional PaaS products and services are covered by FedRAMP, including App Engine, Cloud Storage, and database services. Use these pre-certified products and services wherever possible.
  3. Infrastructure as a service. In addition to Google Cloud's FedRAMP certified physical infrastructure, additional IaaS products and services are covered by FedRAMP, including Google Kubernetes Engine (GKE) and Compute Engine. Use these pre-certified products and services wherever possible.
  4. Physical infrastructure. Google Cloud is certified by JAB as FedRAMP Moderate. In order to inherit these physical security controls, you can request a copy of Google's ATO package and include Google's attestation letter in your package.

With respect to FedRAMP ATO, each layer of the cloud IT stack is considered an independent control boundary, and each control boundary requires a separate ATO. This means that despite Google Cloud's FedRAMP compliance and having dozens of Google Cloud services that are covered by FedRAMP, you are still required to implement FedRAMP security baseline controls and the SAF process to qualify your cloud systems and workloads as FedRAMP compliant.

There are two types of FedRAMP security controls across Low, Moderate, and High compliance baselines: controls implemented by the information system, and controls implemented by the organization. As your organization or agency builds out FedRAMP-compliant systems on Google Cloud, you inherit the physical infrastructure security controls that Google meets under its FedRAMP certification. You also inherit any physical infrastructure, IaaS, and PaaS security controls that are built into Google's FedRAMP compliant products and services, and into all SaaS controls when using Google Workspace. However, you are required to implement all other security controls and configurations at the IaaS, PaaS, and SaaS levels, as defined by the FedRAMP security controls baseline.

FedRAMP implementation recommendations

As mentioned, you inherit some security controls from the CSP. For other controls, you must specifically configure them and create organization-defined policies, rules, and regulations to meet each control.

This section recommends aids for implementing NIST 800-53 security controls in the cloud by using organization-defined policies with Google Cloud tools, services, and best practices.

Access control

To manage access control in Google Cloud, define organization admins who will manage information system accounts in the cloud. Place those admins in access control groups using Cloud Identity, Admin Console, or some other identity provider (for example, Active Directory or LDAP), ensuring that third-party identity providers are federated with Google Cloud. Use Identity and Access Management (IAM) to assign roles and permissions to administrative groups, implementing least privilege and separation of duties.

Develop an organization-wide access control policy for information system accounts in the cloud. Define the parameters and procedures by which your organization creates, enables, modifies, disables, and removes information system accounts.

Account management, separation of duties, and least privilege

In the access control policy, define the parameters and procedures by which your organization will create, enable, modify, disable, and remove information system accounts. Define the conditions under which information system accounts should be used.

Also, identify the time period of inactivity in which users will be required to log out of a system (for example, after *x* minutes, hours, or days). Use Cloud Identity, Admin Console, or application configurations to force users to sign out or re-authenticate after the defined time period.

Define what actions should be taken when privileged role assignments are no longer appropriate for a user in your organization. Google's *Policy Intelligence has an IAM Recommender feature that helps you remove unwanted access to Google Cloud resources by using machine learning to make smart access control recommendations.

Define conditions under which groups accounts are appropriate. Use Cloud Identity or Admin Console to create groups or service accounts. Assign roles and permissions to shared groups and service accounts by using IAM. Use service accounts whenever possible. Specify what atypical use of an information system account is for your organization. When you detect atypical use, use tools such as the Google Cloud's operations suite, *Security Command Center, or *Forseti Security to alert information system admins.

Follow these guidelines to aid in implementing these security controls: AC-02, AC-02 (04), AC-02 (05), AC-02 (07), AC-02 (09), AC-02 (11), AC-02 (12), AC-05, AC-06 (01), AC-06 (03), AC-06 (05), AU-2, AU-3, AU-6, AU-12, SI-04, SI-04 (05), SI-04 (11), SI-04 (18), SI-04 (19), SI-04 (20), SI-04 (22), SI-04 (23).

Information flow enforcement and remote access

In the organization-wide access control policy, define information-flow control policies for your organization. Identify prohibited or restricted ports, protocols, and services. Define requirements and restrictions for interconnections to internal and external systems. Use tools such as Virtual Private Cloud to create firewalls, logically isolated networks, and subnetworks. Help control the flow of information by implementing Cloud Load Balancing, *Traffic Director, and VPC Service Controls.

When setting information-flow control policies, identify controlled network access points for your organization. Use tools such as Identity-Aware Proxy to provide context-based access to cloud resources for remote and onsite users. Use Cloud VPN or Cloud Interconnect to provide secure, direct access to VPCs.

Set organization-wide policies for executing privileged commands and accessing secure data over remote access. Use IAM and VPC Service Controls to restrict access to sensitive data and workloads.

Follow these guidelines to aid in implementing these security controls: AC-04, AC-04 (08), AC-04 (21), AC-17 (03), AC-17 (04), CA-03 (03), CA-03 (05), CM-07, CM-07(01), CM-07(02).

Logon attempts, system-use notification, and session termination

In the access control policy, specify how long a user should be delayed from accessing a login prompt when 3 unsuccessful login attempts have been attempted in a 15-minute period. Define conditions and triggers under which user sessions are terminated or disconnected.

Use Cloud Identity Premium Edition or Admin Console to manage mobile devices that connect to your network, including BYOD. Create organization-wide security policies that apply to mobile devices. Outline requirements and procedures for purging and wiping mobile devices after consecutive unsuccessful login attempts.

Develop organization-wide language and system-use notifications that provide privacy policies, terms of use, and security notices to users who are accessing the information system. Define the conditions under which organization-wide notifications are displayed before granting users access. Pub/Sub is a global messaging and event ingestion system that you can use to push notifications to applications and end users. You can also use *Chrome Enterprise Suite, including *Chrome Browser and *Chrome OS, with the *Push API and *Notifications API to send notifications and updates to users.

Follow these guidelines to aid in implementing these security controls: AC-07, AC-07 (02), AC-08, AC-12, AC-12 (01).

Permitted actions, mobile devices, information sharing

In the access control policy, define user actions that can be performed on an information system without identification and authentication. Use IAM to regulate user access to view, create, delete, and modify specific resources.

Develop organization-wide policies for information sharing. Determine circumstances under which information can be shared and when user discretion is required for sharing information. Employ processes to assist users with sharing information and collaborating across the organization. Google Workspace has a great feature set for controlled collaboration and engagement across teams.

Follow these guidelines to aid in implementing these security controls: AC-14, AC-19 (05), AC-21.

Awareness and training

Create security policies and associated training materials to disseminate to users and security groups across your organization at least annually. Google offers Professional Services options for educating users on cloud security, including but not limited to a Cloud Discover Security engagement and a Google Workspace Security Assessment.

Update security policies and training at least annually.

Follow these guidelines to aid in implementing security control AT-01.

Auditing and accountability

Create organization-wide auditing policies and accountability controls that address procedures and implementation requirements for auditing personnel, events, and actions that are tied to cloud information systems.

In the organization-wide auditing policy, outline events that should be audited in your organization's information systems, and the auditing frequency. Examples of logged events include successful and unsuccessful account login events, account management events, object access, policy change, privilege functions, process tracking, and system events. For web applications, examples include admin activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes. Define additional events of interest for your organization.

For the auditing policy, we also recommend that you specify indications of inappropriate or unusual activity for your organization. Monitor, log, and flag these activities regularly (at least weekly).

Use Google Cloud's operations suite to manage logging, monitoring, and alerting for your Google Cloud, on-premises, or other cloud environments. Use Google Cloud's operations suite to configure and track security events in your organization. You can also use Cloud Monitoring to set custom metrics to monitor for organization-defined events in audit records.

Enable information systems to alert admins of audit processing failures. You can implement these alerts by using tools like Pub/Sub and alerting.

Set standards for alerting admins within a set time period (for example, within 15 minutes), in the event of a system or functional failure, to include when audit records reach a set threshold or volume capacity. Determine an organization-wide granularity of time measurement, by which audit records should be time-stamped and logged. Define the level of tolerance for time-stamped records in the information system audit trail (for example, nearly real-time or within 20 minutes).

Set VPC resource quotas to establish the capacity thresholds for audit record storage. Configure budget alerts to notify admins when a percentage of a resource limit has been reached or exceeded.

Define organization-wide storage requirements for audit data and records, to include audit log availability and retention requirements. Use Cloud Storage to store and archive audit logs, and BigQuery to perform further log analysis.

Follow these guidelines to aid in implementing these security controls: AU-01, AU-02, AU-04, AU-05, AU-05 (01), AU-06, AU-07 (01), AU-08, AU-08 (01), AU-09 (04), AU-09 (04), AU-12, AU-12 (01), AU-12 (03), CA-07.

Security assessment and authorization

Develop an organization-wide security assessment and authorization policy that defines the procedures and implementation requirements of organization security assessments, security controls, and authorization controls.

In the security assessment and authorization policy, define the level of independence required for security assessment teams to conduct impartial assessments of information systems in the cloud. Identify the information systems that need to be assessed by an independent assessor.

Security assessments should minimally cover the following:

  • In-depth monitoring
  • Vulnerability scanning
  • Malicious user testing
  • Insider threat assessment
  • Performance and load testing

Your organization should define additional requirements and forms of security assessment.

Make sure that your security assessment and authorization policy specifies security system classifications and requirements, including requirements for unclassified and non-national security systems.

In the information flow control policies for your organization, outline requirements and restrictions for interconnections to internal and external systems. Set VPC firewall rules to allow and deny traffic to information systems, and use VPC Service Controls to protect sensitive data by using security parameters.

Set organization-wide auditing and accountability policies that enforce continuous monitoring requirements (CA-07).

Follow these guidelines to aid in implementing these security controls: CA-01, CA-02, CA-02 (01), CA-02 (02), CA-02 (03), CA-03 (03), CA-03 (05), CA-07, CA-07 (01), CA-08, CA-09.

Configuration management

Create an organization-wide configuration management policy that defines the procedures and implementation requirements for organization-wide configuration management controls, roles, responsibilities, scope, and compliance.

Standardize configuration setting requirements for organization-owned information systems and system components. Provide operational requirements and procedures for configuring information systems. Explicitly call out how many previous versions of a baseline configuration the system admins are required to retain for information system rollback support. Use Google's suite of configuration management tools to control IT system configurations as code, and monitor configuration changes by using *Policy Intelligence, *Security Command Center, or *Forseti Security.

Specify configuration requirements for each type of information system in your organization (for example, cloud, on-premises, hybrid, unclassified, controlled unclassified information (CUI), or classified). Also define security safeguard requirements for organization-owned and Bring Your Own Device (BYOD) devices to include identifying safe and unsafe geographic locations. Use Identity-Aware Proxy to enforce context-based access controls to organization-owned data, including access controls by geographic location. Use Cloud Identity Premium edition or Admin Console to enforce security configurations on mobile devices that connect to the corporate network.

In the configuration management policy, define an organization-wide configuration change-control element, such as a change-control committee or board. Document how frequently the committee meets and under which conditions. Establish a formal body for reviewing and approving configuration changes.

Identify the configuration management approval authorities for your organization. These admins review requests for changes to information systems. Define the time period that authorities have to approve or disapprove change requests. Provide guidance for change implementers to notify approval authorities when information system changes have been completed.

Set restrictions on the use of open source software across your organization, to include the specification of what software is approved and not approved for use. Use Cloud Identity or Admin Console to enforce approved applications and software for your organization. With Cloud Identity Premium, you can enable single sign-on and multi-factor authentication for third-party applications.

Use tools such as alerting to send notifications to security admins when configuration changes are logged. Give admin access to tools like *Security Command Center, or *Forseti Security to monitor configuration changes in near real-time. Using *Policy Intelligence, you can use machine learning to study configurations defined by your organization, raising awareness about when configurations change from the baseline.

Enforce least functionality across your organization using information-flow control policies.

Follow these guidelines to aid in implementing these security controls: CM-01, CM-02 (03), CM-02 (07), CM-03, CM-03 (01), CM-05 (02), CM-05 (03), CM-06, CM-06 (01), CM-06 (02), CM-07, CM-07 (01), CM-07 (02), CM-07 (05), CM-08, CM-08 (03), CM-10 (01), CM-11, CM-11 (01), SA-10.

Contingency planning

Develop a contingency plan for your organization that defines the procedures and implementation requirements for contingency planning controls across your organization. Identify key contingency personnel, roles, and responsibilities across organizational elements.

Highlight the mission-essential and business-essential information system operations within your organization. Outline recovery time objectives (RTO) and recovery point objectives (RPO) for resuming essential operations when the contingency plan has been activated.

Document critical information systems and associated software. Identify any additional security-related information, and provide guidance and requirements for storing backup copies of critical system components and data. Deploy Google's global, regional, and zonal resources and world-wide locations for high availability. Use Cloud Storage classes for multi-regional, regional, backup, and archive options. Implement global network autoscaling and load balancing with Cloud Load Balancing.

Follow these guidelines to aid in implementing these security controls: CP-01, CP-02, CP-02 (03), CP-07, CP-08, CP-09 (03).

Identification and authentication

Create an identification and authentication policy for your organization that specifies identification and authentication procedures, scopes, roles, responsibilities, management, entities, and compliance. Specify identification and authentication controls that your organization requires. Use Cloud Identity Premium or Admin Console to identify corporate and personal devices that can connect to your organization's resources. Use Identity-Aware Proxy to enforce context-aware access to resources.

Include guidance around authenticator content for your organization, authentication reuse conditions, standards for protecting authenticators, and standards for changing or refreshing authenticators. Also, capture requirements for using cached authenticators. Specify time limits for using cached authenticators and create definitions for when to expire cached authenticators. Define the minimum and maximum lifetime requirements and refresh time periods that should be enforced by information systems in your organization.

Use Cloud Identity or Admin Console to enforce password policies for sensitivity, character usage, new password creation or reuse, password lifetime, storage, and transmission requirements.

Outline hardware and software token authentication requirements for authentication across your organization, including but not limited to PIV card and PKI requirements. You can use *Titan Security Keys to enforce additional authentication requirements for admins and privileged personnel.

In the identification and authentication policy, outline the Federal Identity, Credential, and Access Management (FICAM) information system components that are allowable for accepting third parties in your organization. Google's Identity Platform is a customer identity and access management (CIAM) platform that helps organizations add identity and access management functionality to applications that are being accessed by external entities.

Follow these guidelines to aid in implementing these security controls: IA-01, IA-03, IA-04, IA-05, IA-05 (01), IA-05 (03), IA-05 (04), IA-05 (11), IA-05 (13), IA-08 (03).

Incident response

Establish an incident response policy for your organization, including procedures to facilitate and implement incident response controls. Create security groups for your organization's incident response teams and authorities. Use tools such as Cloud Operations Suite or *Security Command Center to share incident events, logs, and details. *Incident Response Management (IRM) lets admins investigate and resolve information system security incidents end-to-end.

Develop an incident response test plan, procedures and checklists, and requirements and benchmarks for success. Specify classes of incidents that your organization should recognize, and outline the associated actions to take in response to such incidents. Define the actions that you expect authorized personnel to take if an incident occurs. These actions might be steps for managing information spills, cybersecurity vulnerabilities, and attacks.Take advantage of capabilities in Google Workspace to scan and quarantine email content, block phishing attempts, and set restrictions on attachments. Use Cloud Data Loss Prevention (Cloud DLP) to inspect, classify, and de-identify sensitive data to help restrict exposure.

Specify organization-wide requirements for incident response training, including training requirements for general users and privileged roles and responsibilities. Enforce time-period requirements for taking training (for example, within 30 days of joining, quarterly, or annually).

Follow these guidelines to aid in implementing these security controls: IR-01, IR-02, IR-03, IR-04 (03), IR-04 (08), IR-06, IR-08, IR-09, IR-09 (01), IR-09 (03), IR-09 (04).

System maintenance

Create a system maintenance policy for your organization, documenting system maintenance controls, roles, responsibilities, management, coordination requirements, and compliance. Define parameters for controlled maintenance, including approval processes for conducting off-site maintenance and repairs, and organization-wide turnaround times for replacing failed devices and parts. Your organization will benefit from Data deletion on Google Cloud data and equipment sanitization, and Google's data center security and innovation for off-site maintenance and repairs.

Follow these guidelines to aid in implementing these security controls: MA-01, MA-02, MA-06.

Media protection

As part of Google Cloud's FedRAMP ATO, we meet media protection requirements for physical infrastructure. Review Google's Infrastructure Security Design and Security Overview. You are subsequently responsible for meeting virtual infrastructure security requirements.

Develop a media protection policy for your organization, documenting media controls, protection policies and procedures, compliance requirements, and management roles and responsibilities. Document procedures for facilitating and implementing media protections across your organization. Create security groups that identify personnel and roles for managing media and their protections.

Specify approved media types and accesses for your organization, including digital and nondigital media restrictions. Set media markings and media-handling exceptions that must be implemented across your organization, including security marking requirements inside and outside of controlled access areas. Use *Data Catalog to manage cloud resource metadata, simplifying data discovery. Control cloud resource compliance across your organization, regulating the distribution and discovery of cloud resources with *Private Catalog.

Identify how to sanitize, dispose, or reuse media that your organization manages. Outline use cases and circumstances where sanitization, disposal, or reuse of media and devices is required or acceptable. Define the media safeguard methods and mechanisms that your organization deems acceptable.

With Google, you'll benefit from data deletion on Google Cloud data and equipment sanitization, and Google's data center security and innovation. In addition, Cloud KMS and Cloud HSM provide FIPS-compliant cryptographic protection, and you can use *Titan Security Keys to enforce additional physical authentication requirements for admins and privileged personnel.

Follow these guidelines to aid in implementing these security controls: MP-01, MP-02, MP-03, MP-04, MP-06, MP-06 (03), MP-07.

Physical and environmental protection

As part of Google Cloud's FedRAMP ATO, we meet physical and environmental protection requirements for physical infrastructure. Review Google's Infrastructure Security Design and Security Overview. You are subsequently responsible for meeting virtual infrastructure security requirements.

Establish a physical and environmental protection policy for your organization, outlining protection controls, protection entities, compliance standards, roles, responsibilities, and management requirements. Outline how to implement physical and environmental protection across your organization.

Create security groups that identify personnel and roles for managing physical and environmental protections. Require admins who are accessing sensitive computational resources to use *Titan Security Keys or some other form of MFA to verify access integrity.

In the physical and environmental protection policy, define physical access control requirements for your organization. Identify facility entry and exit points for information system sites, access-control safeguards for such facilities, and inventory requirements. Take advantage of tools such as *Google Maps Platform to visually display and track facilities and entry and exit points for locational mappings. Use Resource Manager and *Private Catalog to control access to cloud resources, making them organized and easily discoverable.

Use Cloud Monitoring to configure loggable events, accesses, and incidents. Define organization-wide physical access events that should be logged in Cloud Logging. Use *Incident Response Management to address physical security incidents that have been triggered, and consolidate findings in *Security Command Center.

Use the physical and environmental protection policy to account for emergency situations, such as emergency shutoff of information systems, emergency power, fire suppression, and emergency response. Identify points of contact for emergency response, including local emergency responders and physical security personnel for your organization. Outline requirements and locations for alternate work sites. Specify security controls and personnel for primary and alternate work sites. Deploy Google's global, regional, and zonal resources and world-wide locations for high availability. Use Cloud Storage classes for multi-regional, regional, backup, and archive options. Implement global network autoscaling and load-balancing with Cloud Load Balancing. Create declarative deployment templates to establish a repeatable, template-driven deployment process.

Follow these guidelines to aid in implementing these security controls: PE-01, PE-03, PE-03 (01), PE-04, PE-06, PE-06 (04), PE-10, PE-13 (02), PE-17.

System security planning

Develop a security-planning policy for your organization, outlining security-planning controls, roles, responsibilities, management, security-planning entities for your organization, and compliance requirements. Outline how you expect security planning to be implemented across your organization.

Create groups to define security-planning personnel accordingly. Specify security groups for security assessments, audits, hardware and software maintenance, patch management, and contingency planning for your organization. Use tools such as Google Cloud's operations suite, *Security Command Center or *Forseti Security to monitor security, compliance, and access control across your organization.

Follow these guidelines to aid in implementing these security controls: PL-01, PL-02, PL-02 (03).

Personnel security

Create a personnel security policy that identifies security personnel, their roles and responsibilities, how you expect personnel security to be implemented, and what personnel security controls to enforce across your organization. Capture conditions that would require individuals to go through organizational security screening, re-screening, and investigation. Outline requirements for security clearances in your organization.

Include guidance for addressing personnel termination and transfer. Define needs and parameters for exit interviews and the security topics that should be discussed during such interviews. Specify when you expect security and admin entities in your organization to be notified of personnel termination, transfer, or reassignment (for example, within 24 hours). Specify the actions that you expect personnel and the organization to complete for a transfer, reassignment, or termination. Also, cover requirements for enforcing formal employee sanctions. Explain when you expect security personnel and admins to be notified of employee sanctions, and explain sanction processes.

Use IAM to assign roles and permissions to personnel. Add, remove, disable, and enable personnel profiles and accesses in Cloud Identity or Admin Console. Enforce additional physical authentication requirements for admins and privileged personnel using *Titan Security Keys.

Follow these guidelines to aid in implementing these security controls: PS-01, PS-03, PS-04, PS-05, PS-07, PS-08.

Risk assessment

Implement a risk assessment policy that identifies risk assessment personnel, risk assessment controls that you expect to be enforced across your organization, and procedures for carrying out risk assessments in your organization. Define how you expect risk assessments to be documented and reported. Use tools such as *Forseti Security and *Security Command Center to automatically notify security personnel of security risks and the overall security posture of your organization.

Leverage Google's suite of risk assessment tools such as Web Security Scanner, Container Analysis, Google Cloud Armor, and Google Workspace phishing and malware protection to scan for and report on vulnerabilities across your organization's information systems. Make these tools available to risk assessment personnel and admins to help identify and eliminate vulnerabilities.

Following these guidelines will set the foundation for implementing the following security controls: RA-01, RA-03, RA-05.

System and services acquisition

Develop a system and services acquisition policy that outlines key personnel's roles and responsibilities, acquisition and services management, compliance, and entities. Outline system and services acquisition procedures and implementation guidelines for your organization. Define your organization's system development lifecycle for information systems and information security. Outline information security roles and responsibilities, personnel, and how you expect your organization's risk assessment policy to drive and influence system development life-cycle activities.

Highlight procedures that you expect to be carried out within your organization when information system documentation is not available or undefined. Engage your organization's information system admins and system services personnel as required. Define any required training for admins and users that are implementing or accessing information systems in your organization.

Use tools such as *Security Command Center and *Forseti Security to track security compliance, findings, and security control policies for your organization. Google outlines all of its security standards, regulations, and certifications to help educate customers on how to meet compliance requirements and laws on Google Cloud. In addition, Google offers a suite of security products to help customers continuously monitor their information systems, communications, and data both in the cloud and on-premises.

Specify any locational restrictions for your organization's data, services, and information processing, and under which conditions data can be stored elsewhere. Google offers global, regional, and zonal options for data storage, processing, and services utilization in Google Cloud.

Leverage the configuration management policy to regulate developer configuration management for system and services acquisition controls, and use the security assessment and authorization policy to enforce developer security testing and evaluation requirements.

Follow these guidelines to aid in implementing these security controls: SA-01, SA-03, SA-05, SA-09, SA-09 (01), SA-09 (04), SA-09 (05), SA-10, SA-11, SA-16.

System and communications protection

Create a system and communications protection policy that outlines key personnel's roles and responsibilities, implementation requirements for systems communication protection policies, and required protection controls for your organization. Identify the types of denial of service attacks your organization recognizes and monitors for, and outline DoS protection requirements for your organization.

Use Google Cloud's operations suite to log, monitor, and alert on predefined security attacks against your organization. Implement tools such as Cloud Load Balancing and Google Cloud Armor to safeguard your cloud perimeter, and leverage VPC services such as firewalls and network security controls to protect your internal cloud network.

Identify your organization's resource availability requirements; define how you expect cloud resources to be allocated across your organization and what constraints to implement in order to restrict over-utilization. Use tools such as Resource Manager to control access to resources at the organization, folder, project, and individual resource level. Set resource quotas to manage API requests and resource utilization in Google Cloud.

Establish boundary protection requirements for your information systems and system communications. Define requirements for internal communications traffic and how you expect internal traffic to engage with external networks. Specify requirements for proxy servers and other network routing and authentication components.

Take advantage of *Traffic Director to manage network traffic and communications flow for your organization. Use Identity-Aware Proxy to control access to cloud resources based on authentication, authorization, and context—including geographic location or device fingerprint. Implement *Private Google Access, *Cloud VPN, or *Cloud Interconnect to secure network traffic and communications between internal and external resources. Use VPC to define and secure your organization's cloud networks; establish subnetworks to further isolate cloud resources and network perimeters.

Google offers global software-defined networks with multi-regional, regional, and zonal options for high availability and failover. Define failure requirements for your organization to ensure that your information systems fail to a known state. Capture requirements for preserving information system state information. Use managed instance groups and Deployment Manager templates to re-instantiate failed or unhealthy resources. Give admins access to *Security Command Center or *Forseti Security to actively monitor your organization's confidentiality, integrity, and availability posture.

In the policy, outline your organization's requirements for managing cryptographic keys, including requirements for key generation, distribution, storage, access, and destruction. Use Cloud KMS and Cloud HSM to manage, generate, use, rotate, store, and destroy FIPS-compliant security keys in the cloud.

Google encrypts data at rest by default; however, you can use Cloud KMS with Compute Engine and Cloud Storage to further encrypt data by using cryptographic keys. You can also deploy Shielded VMs to enforce kernel-level integrity controls on Compute Engine

Follow these guidelines to aid in implementing these security controls: SC-01, SC-05, SC-06, SC-07 (08), SC-07 (12), SC-07 (13), SC-07 (20), SC-07 (21), SC-12, SC-24, SC-28, SC-28 (01).

System and information integrity

Implement a system and information integrity policy that outlines key personnel's roles and responsibilities, integrity implementation procedures and requirements, compliance standards, and security controls for your organization. Create security groups for the personnel in your organization that are responsible for system and information integrity. Outline flaw-remediation requirements for your organization, to include guidelines for monitoring, assessing, authorizing, implementing, planning, benchmarking, and remediating security flaws across your organization and its information systems.

Take advantage of Google's suite of security tools, including but not limited to the following:

Use these tools to do the following:

  • Protect against malicious code, cyber attacks, and common vulnerabilities.
  • Quarantine spam and set spam and malware policies.
  • Alert admins about vulnerabilities.
  • Gain insights across your organization for central management.

Use tools such as Google Cloud's operations suite, *Security Command Center or *Forseti Security to centrally manage, alert on, and monitor your organization's security controls and findings. More specifically, use Google Cloud's operations suite to log administrative actions, data accesses, and system events initiated by privileged users and personnel across your organization. Notify admins about error messages and information system error handling.

Define security-relevant events relative to your organization's software, firmware, and information (for example, zero-day vulnerabilities, unauthorized data deletion, installation of new hardware, software, or firmware). Explain the steps to take when these types of security-relevant changes occur. Specify monitoring objectives and indicators of attack for admins to pay special attention to, to include essential information that should be monitored within information systems across your organization. Define system and information monitoring roles and responsibilities, as well as monitoring and reporting frequency (for example, real-time, every 15 minutes, every hour, or quarterly).

Capture requirements for analyzing communications traffic for information systems across your organization. Specify requirements for discovering anomalies, including system points for monitoring. *Google's Network Intelligence Center services make it possible to conduct in-depth network performance and security monitoring. Google also has strong third-party partnerships that integrate with Google Cloud for scanning and protecting cloud endpoints and hosts, such as +Aqua Security and +Crowdstrike. Shielded VMs make it possible to harden devices, verify authentication and ensure secure boot processes.

Define how you expect your organization to check and safeguard against security anomalies and integrity violations. Use tools such as *Security Command Center, *Forseti Security, or *Policy Intelligence to monitor and detect configuration changes. Use +configuration management tools or Deployment Manager templates to re-instantiate or to halt changes to cloud resources.

In the system information and integrity policy, specify requirements for authorizing and approving network services in your organization. Outline approval and authorization processes for network services. VPC is essential for defining cloud networks and subnetwork using firewalls to protect network perimeters. VPC Service Controls makes it possible to enforce additional network security perimeters for sensitive data in the cloud.

On top of all of this, you automatically inherit Google's secure boot stack and trusted, defense-in-depth infrastructure.

Follow these guidelines to aid in implementing these security controls: SI-01, SI-02 (01), SI-02 (03), SI-03 (01), SI-04, SI-04 (05), SI-04 (11), SI-04 (18), SI-04 (19), SI-04 (20), SI-04 (22), SI-04 (23), SI-05, SI-06, SI-07, SI-07 (01), SI-07 (05), SI-07 (07), SI-08 (01), SI-10, SI-11, SI-16.

Conclusion

Security and compliance in the cloud is a joint effort on behalf of you and your CSP. While Google ensures that the physical infrastructure and corresponding services support compliance against dozens of third-party standards, regulations and certifications, you are required to ensure that anything you build in the cloud is compliant.

Google Cloud supports you in your compliance efforts by providing the same set of security products and capabilities that Google uses to protect its infrastructure.

What's next

  • Explore reference architectures, diagrams, tutorials, and best practices about Google Cloud. Take a look at our Cloud Architecture Center.