Google Cloud Architecture Framework: Security, privacy, and compliance

Last reviewed 2025-02-05 UTC

The Security, Privacy and Compliance pillar in the Google Cloud Architecture Framework provides recommendations to help you design, deploy, and operate cloud workloads that meet your requirements for security, privacy, and compliance.

This document is designed to offer valuable insights and meet the needs of a range of security professionals and engineers. The following table describes the intended audiences for this document:

Audience What this document provides
Chief information security officers (CISOs), business unit leaders, and IT managers A general framework to establish and maintain security excellence in the cloud and to ensure a comprehensive view of security areas to make informed decisions about security investments.
Security architects and engineers Key security practices for the design and operational phases to help ensure that solutions are designed for security, efficiency, and scalability.
DevSecOps teams Guidance to incorporate overarching security controls to plan automation that enables secure and reliable infrastructure.
Compliance officers and risk managers Key security recommendations to follow a structured approach to risk management with safeguards that help to meet compliance obligations.

To ensure that your Google Cloud workloads meet your security, privacy, and compliance requirements, all of the stakeholders in your organization must adopt a collaborative approach. In addition, you must recognize that cloud security is a shared responsibility between you and Google. For more information, see Shared responsibilities and shared fate on Google Cloud.

The recommendations in this pillar are grouped into core security principles. Each principle-based recommendation is mapped to one or more of the key deployment focus areas of cloud security that might be critical to your organization. Each recommendation highlights guidance about the use and configuration of Google Cloud products and capabilities to help improve your organization's security posture.

The recommendations in this pillar are grouped within the following core principles of security. Every principle in this pillar is important. Depending on the requirements of your organization and workload, you might choose to prioritize certain principles.

  • Implement security by design: Integrate cloud security and network security considerations starting from the initial design phase of your applications and infrastructure. Google Cloud provides architecture blueprints and recommendations to help you apply this principle.
  • Implement zero trust: Use a never trust, always verify approach, where access to resources is granted based on continuous verification of trust. Google Cloud supports this principle through products like Chrome Enterprise Premium and Identity-Aware Proxy (IAP).
  • Implement shift-left security: Implement security controls early in the software development lifecycle. Avoid security defects before system changes are made. Detect and fix security bugs early, fast, and reliably after the system changes are committed. Google Cloud supports this principle through products like Cloud Build, Binary Authorization, and Artifact Registry.
  • Implement preemptive cyber defense: Adopt a proactive approach to security by implementing robust fundamental measures like threat intelligence. This approach helps you build a foundation for more effective threat detection and response. Google Cloud's approach to layered security controls aligns with this principle.
  • Use AI securely and responsibly: Develop and deploy AI systems in a responsible and secure manner. The recommendations for this principle are aligned with guidance in the AI and ML perspective of the Architecture Framework and in Google's Secure AI Framework (SAIF).
  • Use AI for security: Use AI capabilities to improve your existing security systems and processes through Gemini in Security and overall platform-security capabilities. Use AI as a tool to increase the automation of remedial work and ensure security hygiene to make other systems more secure.
  • Meet regulatory, compliance, and privacy needs: Adhere to industry-specific regulations, compliance standards, and privacy requirements. Google Cloud helps you meet these obligations through products like Assured Workloads, Organization Policy Service, and our compliance resource center.

Organizational security mindset

A security-focused organizational mindset is crucial for successful cloud adoption and operation. This mindset should be deeply ingrained in your organization's culture and reflected in its practices, which are guided by core security principles as described earlier.

An organizational security mindset emphasizes that you think about security during system design, assume zero trust, and integrate security features throughout your development process. In this mindset, you also think proactively about cyber-defense measures, use AI securely and for security, and consider your regulatory, privacy, and compliance requirements. By embracing these principles, your organization can cultivate a security-first culture that proactively addresses threats, protects valuable assets, and helps to ensure responsible technology usage.

Focus areas of cloud security

This section describes the areas for you to focus on when you plan, implement, and manage security for your applications, systems, and data. The recommendations in each principle of this pillar are relevant to one or more of these focus areas. Throughout the rest of this document, the recommendations specify the corresponding security focus areas to provide further clarity and context.

Focus area Activities and components Related Google Cloud products, capabilities, and solutions
Infrastructure security
  • Secure network infrastructure.
  • Encrypt data in transit and at rest.
  • Control traffic flow.
  • Secure IaaS and PaaS services.
  • Protect against unauthorized access.
Identity and access management
  • Use authentication, authorization, and access controls.
  • Manage cloud identities.
  • Manage identity and access management policies.
Data security
  • Store data in Google Cloud securely.
  • Control access to the data.
  • Discover and classify the data.
  • Design necessary controls, such as encryption, access controls, and data loss prevention.
  • Protect data at rest, in transit, and in use.
AI and ML security
  • Apply security controls at different layers of the AI and ML infrastructure and pipeline.
  • Ensure model safety.
Security operations (SecOps)
  • Adopt a modern SecOps platform and set of practices, for effective incident management, threat detection, and response processes.
  • Monitor systems and applications continuously for security events.
Application security
  • Secure applications against software vulnerabilities and attacks.
Cloud governance, risk, and compliance
  • Establish policies, procedures, and controls to manage cloud resources effectively and securely.
Logging, auditing, and monitoring
  • Analyze logs to identify potential threats.
  • Track and record system activities for compliance and security analysis.

Contributors

Authors:

  • Wade Holmes | Global Solutions Director
  • Hector Diaz | Cloud Security Architect
  • Carlos Leonardo Rosario | Google Cloud Security Specialist
  • John Bacon | Partner Solutions Architect
  • Sachin Kalra | Global Security Solution Manager

Other contributors: