Privileged access at Google

Google Cloud systems are built with a focus on protecting customer content using controls and monitoring. Customer content stored on Google Cloud completely belongs to the customer.

Occasionally, Google personnel might need to access customer content, but they never do so without a valid business justification. The most common reason that Google personnel request access to customer content is to resolve a customer support ticket. For example, if you create a customer support request, a member of Google personnel might need to request access to your content. Access Transparency exists to give customers visibility into these accesses, but rest assured, the privacy of customer content is secure regardless of whether you enable Access Transparency.

Access by Google personnel to customer data in order to fulfill an obligation to provide a contracted service is called privileged access. Access to customer data in Google Cloud usually occurs because a customer accesses their own data or because a service they are using accesses data on their behalf. When requested to provide a contracted service, Google personnel acting as privileged administrators can access customer data.

Google Cloud's privileged access management strategy strictly limits what a single Google staff member can view and do with customer data. Google's privileged access philosophy is based on the following principles:

  • Least privilege: Access to customer data is denied by default for all Google personnel. When access is granted, it is temporary and no greater than what is absolutely necessary to provide the contracted service.
  • Limit singular access to data: It should be extremely difficult for any member of Google personnel to access customer data alone, without another individual involved.
  • All access must be justified: Google personnel by default don't have access to customer data. Google personnel can access customer data only with a valid business justification. For the list of valid business justifications, see Justification reason codes.
  • Monitoring and alerting: Monitoring and response processes exist to identify, triage, and remediate violations of these principles.

For more information about Google Cloud's privileged access philosophy, see the whitepaper on Privileged Access Management in Google Cloud.

Google Cloud products regularly undergo independent, third-party audits and certifications to verify that their data protection practices match their controls and commitments. For more information about how Google Cloud products provide customers with transparency and control over their content, see the whitepaper on Trusting your data with Google Cloud.

What's next

  • To learn more about Google Cloud's commitment to protecting the privacy of data stored by customers, see Google Cloud Trust Principles.
  • For the list of business justifications for which Google personnel can request to access customer data, see Justification reason codes.