Overview of Access Transparency
This page provides an overview of Access Transparency. Access Transparency is a part of Google's long-term commitment to transparency, user trust, and customer ownership of their data. While Access Approval lets you authorize requests from Google personnel to access Customer Data, Access Transparency helps you discover information about when Customer Data is accessed. For customers who use access approvals that are signed with a customer-managed encryption key (CMEK), Google also provides users with visibility into and control over key access requests through Key Access Justifications.
Together, these products provide access management capabilities that give you control over and context for administrative requests to access Customer Data.
Overview
Access Transparency logs record the actions that Google personnel take when accessing Customer Data. Access Transparency log entries include details such as the affected resource and action, the time of the action, the reason for the action, and information about the accessor. The information about the accessor includes details about the physical location, employing entity, and job category of the Google employee. For more information about the details covered in Access Transparency logs, see Log field descriptions.
Access Transparency logs are similar to Cloud Audit Logs; however, Cloud Audit Logs record the actions that members of your Google Cloud organization have taken in your Google Cloud resources, whereas Access Transparency logs record the actions taken by Google personnel. When used together, Cloud Audit Logs and Access Transparency logs provide you with audit logging of both customer actions and Google administrative accesses to Customer Data.
When to use Access Transparency
You might need Access Transparency logs for the following reasons:
- Verifying that Google personnel are accessing your content only for valid business reasons, such as fixing an outage or attending to your support requests.
- Verifying that access by Google personnel aligns with the products and data you're seeking assistance with on a customer support case.
- Verifying and tracking compliance with legal or regulatory obligations.
- Collecting and analyzing tracked access events through an automated security information and event management (SIEM) tool such as Google Security Operations.
Use Access Transparency logs to improve the overall security posture
Access Transparency logs are a valuable additional source of information in your security operations workstreams. By ingesting Access Transparency logs into your security information and event management (SIEM) tools for compliance or auditing purposes, you can augment any existing data, such as Security Command Center security findings. For more information about Access Transparency log ingestion, see Ingest Google Cloud data to Google Security Operations.
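As an added example (not Google's code and not part of the original page), the following Python triage shows the kind of check a SIEM rule could apply to ingested Access Transparency entries: confirm that each access carries a justification tied to a known support case and that the touched resource falls within that case's scope. The field names (`logName`, `jsonPayload.reason`, `jsonPayload.accesses`) follow Google's published Access Transparency log entry format rather than anything listed on this page; `OPEN_CASES`, the `Case number:` detail pattern, and the sample entries are constructed assumptions.

```python
import json
import re

AT_LOG_SUFFIX = "cloudaudit.googleapis.com%2Faccess_transparency"
CASE_RE = re.compile(r"Case number:\s*(\S+)")  # assumed format of reason.detail

# Hypothetical inventory: open support case -> resource prefixes in its scope.
OPEN_CASES = {"1001": ["//googleapis.com/storage/buckets/support-bucket/"]}

# Constructed sample entries (one JSON object per line), not real logs.
SAMPLE_LOG = """
{"logName": "projects/example-proj/logs/cloudaudit.googleapis.com%2Faccess_transparency", "timestamp": "2024-01-10T09:15:00Z", "jsonPayload": {"reason": [{"type": "CUSTOMER_INITIATED_SUPPORT", "detail": "Case number: 1001"}], "accesses": [{"methodName": "GoogleInternal.Read", "resourceName": "//googleapis.com/storage/buckets/support-bucket/objects/a"}]}}
{"logName": "projects/example-proj/logs/cloudaudit.googleapis.com%2Faccess_transparency", "timestamp": "2024-01-10T10:00:00Z", "jsonPayload": {"reason": [{"type": "CUSTOMER_INITIATED_SUPPORT", "detail": "Case number: 1001"}], "accesses": [{"methodName": "GoogleInternal.Read", "resourceName": "//googleapis.com/storage/buckets/payroll-bucket/objects/b"}]}}
{"logName": "projects/example-proj/logs/cloudaudit.googleapis.com%2Faccess_transparency", "timestamp": "2024-01-11T02:30:00Z", "jsonPayload": {"reason": [{"type": "CUSTOMER_INITIATED_SUPPORT", "detail": "Case number: 9999"}], "accesses": [{"methodName": "GoogleInternal.Read", "resourceName": "//googleapis.com/storage/buckets/support-bucket/objects/c"}]}}
{"logName": "projects/example-proj/logs/cloudaudit.googleapis.com%2Faccess_transparency", "timestamp": "2024-01-12T14:45:00Z", "jsonPayload": {"reason": [{"type": "GOOGLE_INITIATED_SERVICE", "detail": ""}], "accesses": [{"methodName": "GoogleInternal.Read", "resourceName": "//googleapis.com/storage/buckets/support-bucket/objects/d"}]}}
{"logName": "projects/example-proj/logs/cloudaudit.googleapis.com%2Factivity", "timestamp": "2024-01-12T15:00:00Z", "protoPayload": {}}
"""

def triage(lines, open_cases):
    """Return (timestamp, finding) pairs for entries an analyst should review."""
    findings = []
    for line in filter(None, map(str.strip, lines.splitlines())):
        entry = json.loads(line)
        if not entry.get("logName", "").endswith(AT_LOG_SUFFIX):
            continue  # Cloud Audit Logs and other streams are handled elsewhere
        ts = entry.get("timestamp")
        payload = entry.get("jsonPayload", {})
        resources = [a.get("resourceName", "") for a in payload.get("accesses", [])]
        reasons = payload.get("reason", [])
        if not reasons:
            findings.append((ts, "no justification recorded"))
        for reason in reasons:
            if reason.get("type") != "CUSTOMER_INITIATED_SUPPORT":
                # Not tied to a customer case: queue for review (local policy).
                findings.append((ts, f"review: {reason.get('type')}"))
                continue
            match = CASE_RE.search(reason.get("detail", ""))
            scope = open_cases.get(match.group(1)) if match else None
            if scope is None:
                findings.append((ts, "unknown support case"))
                continue
            for res in resources:
                if not any(res.startswith(prefix) for prefix in scope):
                    findings.append((ts, f"outside case scope: {res}"))
    return findings

if __name__ == "__main__":
    for ts, finding in triage(SAMPLE_LOG, OPEN_CASES):
        print(ts, finding)
```

A finding here is a prompt for analyst review, not evidence of invalid access; the justification types that count as routine depend on your own policy.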
Google Cloud services that produce Access Transparency logs
For the list of Google Cloud services that produce Access Transparency logs, see Supported services.
When can Google personnel access customer content?
Google personnel are strictly restricted in what is visible to them. All access to Customer Data requires a valid justification for privileged access. See Justification reason codes for the list of valid business justifications.
How does Google train its employees on the confidentiality of customer content?
All Google employees are required to execute a confidentiality agreement and comply with Google's Code of Conduct. For more information on employee onboarding and security and privacy training, see the Google security whitepaper.
How does Google handle government requests for customer content?
If Google receives a government request for Customer Data, it is Google's policy to direct the government to request such data directly from the Google Cloud customer. For more information, see the Google Cloud Government Requests whitepaper.
What's next
- To learn about the core principles behind the controls that prevent unauthorized administrative access, see Overview of administrative access controls.
- To understand the contents of Access Transparency log entries, see Understanding and using Access Transparency logs.
- For information on Google Cloud's privileged access principles, see Privileged access.
- For more information on the controls Google has put in place for protecting customer content, see the Google security whitepaper.