Understanding your options for data residency, operational transparency, and privacy controls on Google Cloud Platform
VP, Google Cloud
At Google Cloud, the privacy and security of customer data are primary design criteria that underpin all the services we offer. At Google Cloud Next UK, we offered a series of commitments to our European customers that our platform will offer tools to meet their strict needs and preferences for enterprise data residency, operational transparency, and privacy controls. While this post focuses on our European customers, these requirements are not unique to Europe. Cloud users around the world have similar needs, and these principles apply to customers in every region. This post aims to provide further technical clarity around options customers have for configuring services to meet these requirements when using Google Cloud.
Configuring where your data is stored and where users can access it from
Google Cloud offers you the ability to control where your data is stored. Today you can choose to store your data in regions based in the UK, Belgium, Germany, Finland, Switzerland, and the Netherlands, with more regions announced and several others in motion. When you choose to configure resources in these locations, for our key services, “Google will store that Customer Data at rest only in the selected Region” per our Service Specific Terms. Note that this commitment covers data at rest; where a service processes data or replicates it for durability is described per service in the same terms, so check them for each service you rely on.
To strengthen these controls further, Google Cloud offers Organization Policy constraints which can be applied at the organization, folder, or project level. You can limit the physical location of a new resource with the Organization Policy Service resource locations constraint (constraints/gcp.resourceLocations). The constraint is evaluated at creation time for services that support it, so it prevents new resources from landing in disallowed regions rather than moving existing ones. When coupled with Cloud IAM configuration to enable or disable services for sets of users, you can prevent your employees from accidentally storing data in the wrong Google Cloud region.
You also have the ability to control the network locations from which users can access data by using VPC Service Controls. This product allows you to limit access to users in a specific region, and the restriction holds even when the user is otherwise authorized by your Cloud IAM policy: VPC Service Controls is evaluated in addition to IAM, not instead of it. Using VPC Service Controls, you create a service perimeter, which defines the virtual boundary within which a service can be accessed, preventing data from being moved outside that boundary (for example, copying objects from a Cloud Storage bucket inside the perimeter to a bucket in a project outside it is blocked).
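The two controls above, expressed as Terraform. This is an added example, not configuration from the original post or from Google: the variable names `org_id` and `project_number`, the titles, the country list and the choice of restricted services are all assumptions, and the value group `in:europe-locations` is one of the location groups the resource locations constraint accepts (narrow it to `in:eu-locations` if you want EU member states only, which excludes the UK and Switzerland regions). One caveat worth knowing before relying on the access level: the `regions` condition is derived from the geolocation of the caller's source IP address, so it is a network-origin control, not an identity attribute, and it does not by itself stop an authorized user who is physically in an allowed country from reaching the data over a VPN that exits elsewhere.

```hcl
# Added example (not from the original post). Assumed inputs:
variable "org_id"         { type = string } # e.g. "123456789012" (placeholder)
variable "project_number" { type = string } # numeric project number (placeholder)

# 1. Organization Policy: only allow new resources in European locations.
#    Applies at creation time to services that honour gcp.resourceLocations.
resource "google_org_policy_policy" "resource_locations" {
  name   = "organizations/${var.org_id}/policies/gcp.resourceLocations"
  parent = "organizations/${var.org_id}"

  spec {
    rules {
      values {
        # Value group covering all European regions; use "in:eu-locations"
        # to restrict to EU member states only (assumption: Europe-wide is wanted).
        allowed_values = ["in:europe-locations"]
      }
    }
  }
}

# 2. VPC Service Controls: an access policy, a region-based access level,
#    and a perimeter that only admits callers matching that level.
resource "google_access_context_manager_access_policy" "policy" {
  parent = "organizations/${var.org_id}"
  title  = "eu-residency-policy" # assumed title
}

resource "google_access_context_manager_access_level" "eu_callers" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.policy.name}/accessLevels/eu_callers"
  title  = "eu_callers" # assumed title

  basic {
    conditions {
      # ISO 3166-1 alpha-2 codes matching the regions listed in the post.
      # Evaluated from the caller's source IP geolocation.
      regions = ["GB", "BE", "DE", "FI", "CH", "NL"]
    }
  }
}

resource "google_access_context_manager_service_perimeter" "eu_data" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.policy.name}/servicePerimeters/eu_data"
  title  = "eu_data" # assumed title

  status {
    # Project(s) whose data sits inside the boundary (placeholder number).
    resources = ["projects/${var.project_number}"]

    # Services whose API calls are enforced at the boundary (assumed set).
    # A call to these APIs from outside the perimeter is denied even if the
    # caller holds the IAM role for the resource.
    restricted_services = [
      "storage.googleapis.com",
      "bigquery.googleapis.com",
    ]

    # Requests from outside the perimeter are admitted only if they satisfy
    # this access level.
    access_levels = [google_access_context_manager_access_level.eu_callers.name]
  }
}
```

Apply the org policy first and test it by trying to create a bucket in a non-European location; the API should reject the request with a constraint violation. Then enable the perimeter in dry-run mode before enforcing it, so that denied calls appear in audit logs without breaking existing workloads.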
Controlling where your encryption keys are stored
If you are using Cloud KMS, your cryptographic keys are stored in the location of the key ring you create them in, so choosing a key ring location in your chosen region keeps the key material there. You also have the option of storing those keys inside a physical Hardware Security Module located in the region you choose with Cloud HSM, by creating the key with the HSM protection level.
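A regional, HSM-backed key with its decrypt permission limited to one workload identity, as Terraform. This is an added example, not configuration from the original post or from Google; the key ring and key names, the rotation period and the service account address are assumptions, and the External Key Manager variant (protection level EXTERNAL, where the key material lives outside Google) is not shown here.

```hcl
# Added example (not from the original post). Assumed input:
variable "workload_sa" {
  type = string # e.g. "app@my-project.iam.gserviceaccount.com" (placeholder)
}

# Key ring location pins where the key material is stored and used.
# europe-west2 is the London region (the post's UK option); pick the
# region that matches your residency requirement.
resource "google_kms_key_ring" "eu" {
  name     = "eu-residency-keyring" # assumed name
  location = "europe-west2"
}

# HSM protection level: key material is generated in and never leaves
# FIPS 140-2 Level 3 validated HSMs in the key ring's region.
resource "google_kms_crypto_key" "data_key" {
  name            = "data-at-rest" # assumed name
  key_ring        = google_kms_key_ring.eu.id
  rotation_period = "7776000s" # 90 days (assumed policy)

  version_template {
    algorithm        = "GOOGLE_SYMMETRIC_ENCRYPTION"
    protection_level = "HSM"
  }

  # Keep the key if the Terraform resource is removed; destroying a key
  # version makes data encrypted under it unrecoverable.
  lifecycle {
    prevent_destroy = true
  }
}

# Least privilege: only the workload's service account may encrypt/decrypt
# with this key. Project-level owners do not get this role implicitly.
resource "google_kms_crypto_key_iam_binding" "decrypters" {
  crypto_key_id = google_kms_crypto_key.data_key.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  members       = ["serviceAccount:${var.workload_sa}"]
}
```

Because a key ring's location cannot be changed after creation, the region is effectively fixed at the moment this is applied; moving keys later means creating a new ring and re-encrypting.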
We recently announced beta availability of External Key Manager, which allows you to store and manage keys in a third-party key management product deployed outside of Google’s infrastructure. Using a third-party product allows you to place it in a geographic location of your choice.
Controlling cloud administrators’ access to your data
On Google Cloud Platform, you configure Cloud IAM permissions to limit access by your own administrators. We also allow you to control access by Google Support and Engineering personnel. Access Approval allows you to require explicit approval before Google employees access your data or configurations on Google Cloud Platform (unless those accesses are necessary to resolve a current service disruption or security incident or required by law). This product complements the visibility provided by Access Transparency, which generates near real-time logs when Google administrators interact with your data, including the office location of the administrator and the reason for the access. Coming soon, you’ll be able to enforce specific attributes for administrators who are allowed to access your data or configurations—including the geographic region from which they are operating and other compliance-relevant attributes.
Finally, we recently announced Key Access Justifications, a feature that works with Cloud KMS and External Key Manager. This feature provides a detailed justification each time one of your keys is requested to decrypt data, along with a mechanism for you to approve or deny key access, using an automated policy that you set. Using all of these products and features together, you can deny Google the ability to decrypt your data for any reason. As a result, you are the ultimate arbiter of access to your data--a level of control not available from any other cloud provider.
Putting it all together
These capabilities create a solution that gives our customers control over the location of their data and overall access to that data - by Google or by anyone. With these considerations addressed, our customers in Europe and around the globe can confidently build mission critical workloads on Google Cloud. Even so, we’re not done yet: we continue to invest in data privacy and security innovations to anticipate the future needs of our customers so that they can adopt GCP today knowing that they are fortified for the future.