This document in the Google Cloud Architecture Framework explains core principles for running secure and compliant services on Google Cloud. Many of the security principles that you're familiar with in your on-premises environment apply to cloud environments.
Build a layered security approach
Implement security at each level in your application and infrastructure by applying a defense-in-depth approach. Use the features in each product to limit access and configure encryption where appropriate.
Design for secured decoupled systems
Simplify system design to accommodate flexibility where possible, and document security requirements for each component. Incorporate a robust secured mechanism to account for resiliency and recovery.
Automate deployment of sensitive tasks
Take humans out of the workstream by automating deployment and other admin tasks.
Automate security monitoring
Use automated tools to monitor your application and infrastructure. To scan your infrastructure for vulnerabilities and detect security incidents, use automated scanning in your continuous integration and continuous deployment (CI/CD) pipelines.
Meet the compliance requirements for your regions
Be mindful that you might need to obfuscate or redact personally identifiable information (PII) to meet your regulatory requirements. Where possible, automate your compliance efforts. For example, use Cloud Data Loss Prevention (Cloud DLP) and Dataflow to automate the PII redaction job before new data is stored in the system.
Comply with data residency and sovereignty requirements
You might have internal (or external) requirements that require you to control the locations of data storage and processing. These requirements vary based on systems design objectives, industry regulatory concerns, national law, tax implications, and culture. Data residency describes where your data is stored. To help comply with data residency requirements, Google Cloud lets you control where data is stored, how data is accessed, and how it's processed.
Shift security left
DevOps and deployment automation let your organization increase the velocity of delivering products. To help ensure that your products remain secure, incorporate security processes from the start of the development process. For example, you can do the following:
- Test for security issues in code early in the deployment pipeline.
- Scan container images and the cloud infrastructure on an ongoing basis.
- Automate detection of misconfiguration and security anti-patterns. For example, use automation to look for secrets that are hard-coded in applications or in configuration.
Learn more about core security principles with the following resources:
- Manage risks with controls (next document in this series)
- Google Cloud security foundations guide
- Google security paper
- Google Infrastructure Security Design Overview
- Build a collaborative incident management process
- Deployable blueprints for industries