Shared responsibility model

Google Distributed Cloud (GDC) air-gapped appliance runs its administration clusters directly on the appliance's bare metal servers. For maintenance and administrative purposes, you have been provided credentials for accessing these clusters as well as the underlying OS of the bare metal hosts.

Because there is no strong security boundary between your workloads and the host OS of the bare metal servers, this model assumes that your workloads have access to the host OS. As a result, your workloads could potentially change OS settings and reduce the overall security of the device. You also have access to any Google-managed applications on the appliance, and could therefore break those applications or their update mechanisms.

This is similar to the Shared Responsibility Model provided by GKE Enterprise products: Google provides secure binaries with secure defaults, and it's up to the customer to securely run and update them.

The responsibilities are divided by component as follows.

Component: Hardware
  Google's responsibilities:
    • Provide a tamper-resistant device
  Customer's responsibilities:
    • Restrict physical device access

Component: Firmware + OS
  Google's responsibilities:
    • Provide a secure OS with frequent OS and firmware updates made available for download
    • Fix security vulnerabilities in a timely manner
    • Ship the device with secure initial OS settings
    • Provide access credentials for initial setup in a secure manner
  Customer's responsibilities:
    • Review and install security updates when they are made available
    • Restrict and protect access to the initial administrator credentials
    • Configure OS firewall rules as advised in the initial setup and configuration documentation
    • Maintain secure settings, and take responsibility for any setting changes
    • Monitor the device for OS security notifications, events, and alerts using the GDC console

Component: Workloads
  Google's responsibilities:
    • Provide Google application binaries and updates
    • Provide a secure Kubernetes distribution and container runtime
    • Make Google system software updates available for download
  Customer's responsibilities:
    • Review and install system software updates when they are made available
    • Avoid and protect against modifying Google-provided applications, such as changing settings or stopping processes; this includes modifying or blocking any system updates
    • Monitor the device for software security notifications, events, and alerts using the GDC console

Component: Storage
  Google's responsibilities:
    • Provide a means for securely transferring data and logs to and from the device
  Customer's responsibilities:
    • Monitor local device storage consumption, notifications, events, and alerts using the GDC console
    • Develop and follow a process for maintaining available storage space consistent with your use case for the device
    • Set appropriate schedules for transferring system logs to a customer-determined centralized monitoring scheme, as required by your use case
    • Configure, maintain, and restrict access credentials for data transfer tasks on the device