The Security, Privacy and Compliance pillar in the Google Cloud Architecture Framework provides recommendations to help you design, deploy, and operate cloud workloads that meet your requirements for security, privacy, and compliance.
This document is designed to offer valuable insights and meet the needs of a range of security professionals and engineers. The following table describes the intended audiences for this document:
Audience | What this document provides |
---|---|
Chief information security officers (CISOs), business unit leaders, and IT managers | A general framework to establish and maintain security excellence in the cloud and to ensure a comprehensive view of security areas to make informed decisions about security investments. |
Security architects and engineers | Key security practices for the design and operational phases to help ensure that solutions are designed for security, efficiency, and scalability. |
DevSecOps teams | Guidance to incorporate overarching security controls to plan automation that enables secure and reliable infrastructure. |
Compliance officers and risk managers | Key security recommendations to follow a structured approach to risk management with safeguards that help to meet compliance obligations. |
To ensure that your Google Cloud workloads meet your security, privacy, and compliance requirements, all of the stakeholders in your organization must adopt a collaborative approach. In addition, you must recognize that cloud security is a shared responsibility between you and Google. For more information, see Shared responsibilities and shared fate on Google Cloud.
The recommendations in this pillar are grouped into core security principles. Each principle-based recommendation is mapped to one or more of the key deployment focus areas of cloud security that might be critical to your organization. Each recommendation highlights guidance about the use and configuration of Google Cloud products and capabilities to help improve your organization's security posture.
Core principles
The recommendations in this pillar are grouped within the following core principles of security. Every principle in this pillar is important. Depending on the requirements of your organization and workload, you might choose to prioritize certain principles.
- Implement security by design: Integrate cloud security and network security considerations starting from the initial design phase of your applications and infrastructure. Google Cloud provides architecture blueprints and recommendations to help you apply this principle.
- Implement zero trust: Use a never trust, always verify approach, where access to resources is granted based on continuous verification of trust. Google Cloud supports this principle through products like Chrome Enterprise Premium and Identity-Aware Proxy (IAP).
- Implement shift-left security: Implement security controls early in the software development lifecycle. Avoid security defects before system changes are made. Detect and fix security bugs early, fast, and reliably after the system changes are committed. Google Cloud supports this principle through products like Cloud Build, Binary Authorization, and Artifact Registry.
- Implement preemptive cyber defense: Adopt a proactive approach to security by implementing robust fundamental measures like threat intelligence. This approach helps you build a foundation for more effective threat detection and response. Google Cloud's approach to layered security controls aligns with this principle.
- Use AI securely and responsibly: Develop and deploy AI systems in a responsible and secure manner. The recommendations for this principle are aligned with guidance in the AI and ML perspective of the Architecture Framework and in Google's Secure AI Framework (SAIF).
- Use AI for security: Use AI capabilities to improve your existing security systems and processes through Gemini in Security and overall platform-security capabilities. Use AI as a tool to automate remediation work and maintain security hygiene, which in turn makes other systems more secure.
- Meet regulatory, compliance, and privacy needs: Adhere to industry-specific regulations, compliance standards, and privacy requirements. Google Cloud helps you meet these obligations through products like Assured Workloads, Organization Policy Service, and our compliance resource center.
Organizational security mindset
A security-focused organizational mindset is crucial for successful cloud adoption and operation. This mindset should be deeply ingrained in your organization's culture and reflected in its practices, which are guided by core security principles as described earlier.
An organizational security mindset emphasizes that you think about security during system design, assume zero trust, and integrate security features throughout your development process. In this mindset, you also think proactively about cyber-defense measures, use AI securely and for security, and consider your regulatory, privacy, and compliance requirements. By embracing these principles, your organization can cultivate a security-first culture that proactively addresses threats, protects valuable assets, and helps to ensure responsible technology usage.
Focus areas of cloud security
This section describes the areas for you to focus on when you plan, implement, and manage security for your applications, systems, and data. The recommendations in each principle of this pillar are relevant to one or more of these focus areas. Throughout the rest of this document, the recommendations specify the corresponding security focus areas to provide further clarity and context.
Focus area | Activities and components | Related Google Cloud products, capabilities, and solutions |
---|---|---|
Infrastructure security | | |
Identity and access management | | |
Data security | | |
AI and ML security | | |
Security operations (SecOps) | | |
Application security | | |
Cloud governance, risk, and compliance | | |
Logging, auditing, and monitoring | | |
Contributors
Authors:
- Wade Holmes | Global Solutions Director
- Hector Diaz | Cloud Security Architect
- Carlos Leonardo Rosario | Google Cloud Security Specialist
- John Bacon | Partner Solutions Architect
- Sachin Kalra | Global Security Solution Manager
Other contributors:
- Anton Chuvakin | Security Advisor, Office of the CISO
- Daniel Lees | Cloud Security Architect
- Filipe Gracio, PhD | Customer Engineer
- Gary Harmson | Customer Engineer
- Gino Pelliccia | Principal Architect
- Jose Andrade | Enterprise Infrastructure Customer Engineer
- Kumar Dhanagopal | Cross-Product Solution Developer
- Laura Hyatt | Enterprise Cloud Architect
- Marwan Al Shawi | Partner Customer Engineer
- Nicolas Pintaux | Customer Engineer, Application Modernization Specialist
- Noah McDonald | Cloud Security Consultant
- Osvaldo Costa | Networking Specialist Customer Engineer
- Radhika Kanakam | Senior Program Manager, Cloud GTM
- Susan Wu | Outbound Product Manager