Stay organized with collections
Save and categorize content based on your preferences.
Security is a shared responsibility. Dataflow secures the scalable
infrastructure that you use to run your Dataflow pipelines and
provides you tools and security controls to protect your data, code, and models.
While not an exhaustive list, this document lists the responsibilities for both
Google and the customer.
Google's responsibilities
Protect the infrastructure: Google is responsible for providing secure
infrastructure for its services, including physical security of data centers,
network security, and application security.
Secure the platform: Google is responsible for securing its platform,
including managing access controls, monitoring for security incidents, and
responding to security events. Google also provides customers with tools to
manage their own security settings and configurations.
Maintain compliance: Google maintains compliance with relevant data
protection laws and regulations. Learn more about
Google Cloud compliance.
Harden and patch images: Google hardens and patches the operating system
of base images used by the
Dataflow-owned images. Google promptly makes any patches to
these images available.
Security bulletins are provided
for known vulnerabilities
Customer's responsibilities
Use and update your environment to the latest versions of
Dataflow containers and VM images:
Dataflow provides prebuilt containers and VM images to simplify
the use of its services. Google will create new versions of these images when
vulnerabilities are identified. It is your responsibility to monitor for
security bulletins and update your
environment promptly when new versions are available.
You are responsible for ensuring
that you properly configured your services to use the latest version, or to
manually upgrade to the latest version. To use the latest VMs, restart
long-running jobs by
updating the job. For more
information, see
Upgrade and patch Dataflow VMs.
To manage security issues responsively, it is recommended that you use
custom container images.
If you're using a
custom container image
or a
custom template,
you're responsible for scanning and patching the custom images to mitigate
vulnerabilities.
If you're using a
Flex Template base image,
to ensure security and reduce vulnerability risks, use Distroless base images
when possible.
Manage access controls: You are responsible for managing access
controls to your own data and services. This includes managing user access,
authentication, and authorization controls, and securing your own
applications and data. Learn more about
Dataflow security and permissions.
Secure applications: You are responsible for securing your own
applications running on Dataflow, including
implementing secure coding practices and regularly testing for
vulnerabilities.
Monitor for security incidents: You are responsible for monitoring
your own applications for security incidents, and reporting any
incidents to Google as necessary.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-26 UTC."],[[["\u003cp\u003eSecurity within Dataflow is a shared responsibility between Google, which secures the infrastructure and platform, and the customer, who manages their own data and applications.\u003c/p\u003e\n"],["\u003cp\u003eGoogle ensures the security of its infrastructure, platform, compliance, and base images, while also providing tools for customers to manage their own security settings.\u003c/p\u003e\n"],["\u003cp\u003eCustomers are responsible for updating their environment to the latest versions of Dataflow containers and VM images, including managing custom images and using distroless base images where applicable.\u003c/p\u003e\n"],["\u003cp\u003eCustomers must manage access controls, secure their own applications, monitor for security incidents, and promptly report any vulnerabilities to Google.\u003c/p\u003e\n"],["\u003cp\u003eIt is important for customers to subscribe to Dataflow security bulletins, follow Dataflow release notes, follow Apache Beam release notes, and avoid the deprecated Monitoring agent option.\u003c/p\u003e\n"]]],[],null,["Security is a shared responsibility. Dataflow secures the scalable\ninfrastructure that you use to run your Dataflow pipelines and\nprovides you tools and security controls to protect your data, code, and models.\nWhile not an exhaustive list, this document lists the responsibilities for both\nGoogle and the customer.\n\nGoogle's responsibilities\n\n- **Protect the infrastructure**: Google is responsible for providing secure\n infrastructure for its services, including physical security of data centers,\n network security, and application security.\n\n- **Secure the platform**: Google is responsible for securing its platform,\n including managing access controls, monitoring for security incidents, and\n responding to security events. Google also provides customers with tools to\n manage their own security settings and configurations.\n\n- **Maintain compliance** : Google maintains compliance with relevant data\n protection laws and regulations. Learn more about\n [Google Cloud compliance](/security/compliance).\n\n- **Harden and patch images** : Google hardens and patches the operating system\n of [base images](/software-supply-chain-security/docs/base-images) used by the\n Dataflow-owned images. Google promptly makes any patches to\n these images available.\n [Security bulletins](/dataflow/docs/security-bulletins) are provided\n for known vulnerabilities\n\nCustomer's responsibilities\n\n- **Use and update your environment to the latest versions of\n Dataflow containers and VM images** :\n Dataflow provides prebuilt containers and VM images to simplify\n the use of its services. Google will create new versions of these images when\n vulnerabilities are identified. It is your responsibility to monitor for\n [security bulletins](/dataflow/docs/security-bulletins) and update your\n environment promptly when new versions are available.\n\n You are responsible for ensuring\n that you properly configured your services to use the latest version, or to\n manually upgrade to the latest version. To use the latest VMs, restart\n long-running jobs by\n [updating the job](/dataflow/docs/guides/updating-a-pipeline). For more\n information, see\n [Upgrade and patch Dataflow VMs](/dataflow/docs/concepts/security-and-permissions#upgrade-patch).\n To manage security issues responsively, it is recommended that you use\n custom container images.\n\n If you're using a\n [custom container image](/dataflow/docs/guides/using-custom-containers)\n or a\n [custom template](/dataflow/docs/guides/templates/creating-templates),\n you're responsible for scanning and patching the custom images to mitigate\n vulnerabilities.\n\n If you're using a\n [Flex Template base image](/dataflow/docs/reference/flex-templates-base-images),\n to ensure security and reduce vulnerability risks, use Distroless base images\n when possible.\n- **Manage access controls** : You are responsible for managing access\n controls to your own data and services. This includes managing user access,\n authentication, and authorization controls, and securing your own\n applications and data. Learn more about\n [Dataflow security and permissions](/dataflow/docs/concepts/security-and-permissions).\n\n- **Secure applications**: You are responsible for securing your own\n applications running on Dataflow, including\n implementing secure coding practices and regularly testing for\n vulnerabilities.\n\n Learn more about\n [Customer-managed encryption keys](/dataflow/docs/guides/customer-managed-encryption-keys),\n [networks and VPC Service Controls](/dataflow/docs/guides/specifying-networks),\n and [permissions best practices](/dataflow/docs/concepts/security-and-permissions#best-practices).\n- **Monitor for security incidents**: You are responsible for monitoring\n your own applications for security incidents, and reporting any\n incidents to Google as necessary.\n\n - Subscribe to the [Dataflow security bulletins](/dataflow/docs/security-bulletins).\n - Follow the [Dataflow release notes](/dataflow/docs/release-notes).\n - Follow the [Apache Beam release notes](/dataflow/docs/resources/release-notes-apache-beam).\n - Learn more about [Monitoring](/dataflow/docs/guides/using-cloud-monitoring) and [Audit logging](/dataflow/docs/audit-logging).\n\n | **Note:** When using the Monitoring agent, the `--experiments=enable_stackdriver_agent_metrics` option uses a deprecated container image that isn't maintained and might have unpatched vulnerabilities. We recommend that you don't use this option.\n\nWhat's next\n\n- Learn more about [shared responsibilities on Google Cloud](/architecture/framework/security/shared-responsibility-shared-fate).\n- Learn about how to [protect your software supply chain](/software-supply-chain-security/docs/practices)."]]
