Overview of administrative access controls
This page provides an overview of the core principles on which Google Cloud's administrative access controls are designed.
What is administrative access
Administrative access includes access to customer content by Google personnel by administrative means. For example, a Google employee uses an internal support tool to access the contents of a Spanner database to diagnose a customer-raised support case that cites database functionality issues.
An example of non-administrative access is granting a Google employee direct IAM access at the project level by assigning standard user permissions in the user space. Access by this Google employee in the project where you explicitly granted access doesn't constitute administrative access.
The objective of the administrative access controls is to ensure that customer content on Google Cloud isn't accessible to Google employees without an auditable justification, and optionally, an explicit approval.
Core principles
This section describes the core principles that customer content access at Google Cloud adheres to.
Deny access by default: User content belongs explicitly to the user organization
Google Cloud is strongly committed to ensuring that customer content belongs to the customers. This stance is the default posture of every Google employee towards customer content.
Content owner's control over administrative access is a core commitment
Access events are a standard operational element of any cloud-based business. For example, support personnel might need to access customer content to provide the requested support, and engineers might need access to dig deeper into an issue discovered during the support request investigation. Google Cloud's philosophy is to provide complete logging and approval support for content access with the Access Transparency and Access Approval features.
The following table explains the difference between automated and human access:
| Automated access | Human access |
|---|---|
| No humans can access, view, or export any content handled by these systems. These content accesses are out of scope for the generation of Access Transparency logs. For example, access through programs that periodically hash customer content to check for data corruption. | Human access consists of any access that grants or can grant a human access to user content. This access includes a human using an automated access path to grain indirect access to content. This content access is completely in scope for Access Transparency and Access Approval. |
The following table explains the difference between emergency and non-emergency access:
| Emergency access | Non-emergency access |
|---|---|
| This type of access occurs when there is an urgent threat to the integrity of Google's services, infrastructure, or to any customer services or content. An access with one of these justifications can override an organization's Access Approval policy. This rare type of access is logged in Access Approval with the auto-approved status. For more information about the auto-approved status, see Status of an access request. | This type of access consists of any access that doesn't meet the requirements of an emergency access. For example, you have filed a support request, and support personnel must look at customer content to be able to help. |
Every access carries a justification
Administrative access is gated behind an auditable, valid business justification, with some exceptions.
For the complete list of business justifications for accessing customer content, see Justification reason codes.
Access logging is universal
Administrative access to customer content is logged by default. After you have enabled Access Transparency, near real-time audit logs of any access by Google personnel to user content in the organization are published to each project's logs. These accesses are monitored internally by Google's auditors and are visible externally through Access Transparency logs. For information about viewing these logs, see Understanding and using Access Transparency logs.
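As an added example (not code from this page or a Google tool), the following Python check walks a few constructed Access Transparency entries, as exported from Cloud Logging in newline-delimited JSON, and enforces the two properties stated above from the customer side: every access carries a justification reason code, and accesses with no linked Access Approval request are surfaced for review, since an emergency override of the approval policy appears that way. The log name suffix and the protoPayload layout (reason[], accesses[], accessApprovals[]) are assumptions to verify against the current log schema; the project, resource names and reason values are constructed sample data.

```python
import json
from collections import Counter

# The log name suffix and protoPayload layout (reason[], accesses[], accessApprovals[]) are
# assumptions about the Access Transparency entry format, not taken from this page.
AT_LOG_SUFFIX = "cloudaudit.googleapis.com%2Faccess_transparency"
AT_LOG_NAME = "projects/demo/logs/" + AT_LOG_SUFFIX

# Constructed sample entries, newline-delimited JSON as exported from Cloud Logging.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    # Support case access with a reason code and a linked Access Approval request.
    {"logName": AT_LOG_NAME, "protoPayload": {
        "reason": [{"type": "CUSTOMER_INITIATED_SUPPORT", "detail": "Case number: 12345"}],
        "accesses": [{"methodName": "spanner.databases.read",
                      "resourceName": "projects/demo/instances/i1/databases/db1"}],
        "accessApprovals": ["projects/demo/approvalRequests/req-1"]}},
    # Justified, but no approval request recorded: an emergency override looks like this.
    {"logName": AT_LOG_NAME, "protoPayload": {
        "reason": [{"type": "GOOGLE_INITIATED_SERVICE", "detail": "Service issue"}],
        "accesses": [{"methodName": "storage.objects.get", "resourceName": "projects/demo/buckets/b1"}],
        "accessApprovals": []}},
    # No justification at all: violates the "every access carries a justification" principle.
    {"logName": AT_LOG_NAME, "protoPayload": {
        "reason": [],
        "accesses": [{"methodName": "bigquery.tables.getData",
                      "resourceName": "projects/demo/datasets/d1/tables/t1"}],
        "accessApprovals": []}},
    # Ordinary Data Access audit entry, not Access Transparency: must be skipped.
    {"logName": "projects/demo/logs/cloudaudit.googleapis.com%2Fdata_access",
     "protoPayload": {"methodName": "storage.objects.get"}},
])


def triage_access_transparency(log_text):
    """Return (findings, reason_counts) for newline-delimited JSON log entries."""
    findings, reason_counts = [], Counter()
    for line in filter(str.strip, log_text.splitlines()):
        entry = json.loads(line)
        if not entry.get("logName", "").endswith(AT_LOG_SUFFIX):
            continue  # other audit log streams are out of scope for this check
        payload = entry.get("protoPayload", {})
        reasons = payload.get("reason") or []
        approvals = payload.get("accessApprovals") or []
        for access in payload.get("accesses") or []:
            key = f"{access.get('methodName')} {access.get('resourceName')}"
            reason_counts.update(r.get("type", "UNKNOWN") for r in reasons)
            if not reasons:
                findings.append(("MISSING_JUSTIFICATION", key))
            if not approvals:
                findings.append(("NO_APPROVAL_RECORDED", key))
    return findings, dict(reason_counts)
```

Feed it the output of a Cloud Logging export filtered to the Access Transparency log name; anything other than an empty findings list is a candidate for follow-up against the organization's Access Approval policy.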
Use Assured Workloads for further coverage
Assured Workloads can provide administrative controls that meet the more stringent guidelines laid out by US government certifications, including restrictions on data access by non-US personnel.
For more information, see Personnel data access and support controls.
What's next
- Privileged access at Google Cloud
- Whitepaper about managing and safeguarding your content stored on Google Cloud
- Whitepaper about data residency, operational transparency, and privacy for European customers
- Overview of Key Access Justifications
- Overview of Access Transparency
- Overview of Access Approval