Google operates a global infrastructure designed to
provide state-of-the-art security through the entire
information processing lifecycle. This infrastructure is
built to provide secure deployment of services, secure
storage of data with end-user privacy safeguards, secure
communications between services, secure and private
communication with customers over the Internet, and safe
operation by administrators. Google Workspace and Google
Cloud Platform run on this infrastructure.
We designed the security of our infrastructure in
layers that build upon one another, from the physical
security of data centers, to the security protections of
our hardware and software, to the processes we use to
support operational security. This layered protection
creates a strong security foundation for everything we
do. A detailed discussion of our Infrastructure Security
can be found in
our Google Infrastructure Security Design Overview Whitepaper.
Availability, Integrity & Resilience
Google designs the components of our platform to be
highly redundant. Google’s data centers are
geographically distributed to minimize the effects of
regional disruptions on global products such as natural
disasters and local outages. In the event of hardware,
software, or network failure, services are automatically
and instantly shifted from one facility to another so
that operations can continue without interruption. Our
highly redundant infrastructure helps customers protect
themselves from data loss.
Equipment Testing and Security
Google utilizes barcodes and asset tags to track the
status and location of data center equipment from
acquisition to installation, retirement, and
destruction. If a component fails to pass a performance
test at any point during its lifecycle, it is removed
from inventory and retired. Google hard drives leverage
technologies, such as Full Disk Encryption (FDE) and
drive locking, to protect data at rest.
Disaster Recovery Testing
Google conducts disaster recovery testing on an annual
basis to provide a coordinated venue for infrastructure
and application teams to test communication plans,
fail-over scenarios, operational transition, and other
emergency responses. All teams that participate in the
disaster recovery exercise develop testing plans and
post mortems which document the results and lessons
learned from the tests.
Encryption
Google uses encryption to protect data in transit and
at rest. Google Workspace data in transit between
regions is protected using HTTPS, which is activated by
default for all users. Google Workspace and Google Cloud
Platform services encrypt customer content stored at
rest, without any action required from customers, using
one or more encryption mechanisms.
Access Controls
For Google employees, access rights and levels are
based on job function and role, using the concepts of
least-privilege and need-to-know to match access
privileges to defined responsibilities. Requests for
additional access follow a formal process that involves
a request and an approval from a data or system owner,
manager, or other executives, as dictated by Google’s
security policies. Data centers that house Google Cloud
systems and infrastructure components are subject to
physical access restrictions and equipped with 24 x 7
on-site security personnel, security guards, access
badges, biometric identification mechanisms, physical
locks and video cameras to monitor the interior and
exterior of the facility.
Incident Management
Google has a dedicated security team responsible for
security and privacy of customer data and managing
security 24 hours a day and 7 days a week worldwide.
Individuals from this team receive incident-related
notifications and are responsible for helping resolve
emergencies 24 x 7. Incident response policies are in
place and procedures for resolving critical incidents
are documented. Information from these events is used to
help prevent future incidents and can be used as
examples for information security training. Google
incident management processes and response workflows are
documented. Google’s incident management processes are
tested on a regular basis as part of our ISO/IEC 27017,
ISO/IEC 27018, ISO/IEC 27001, PCI-DSS, SOC 2 and FedRAMP
programs to provide our customers and regulators with
independent verification of our security, privacy, and
compliance controls. More information on our incident
response process can be found in
our Data incident response process whitepaper.
Vulnerability Management
We scan for software vulnerabilities using a
combination of commercially available and purpose-built
in-house tools, intensive automated and manual
penetration testing, quality assurance processes,
software security reviews, and external audits. We also
rely on the broader security research community and
greatly value their help identifying any vulnerabilities
in Google Workspace, Google Cloud Platform, and other
Google products. Our Vulnerability Reward Program
encourages researchers to report design and
implementation issues that may put customer data at
risk.
Product Security: Google Workspace - To learn more,
please
visit https://workspace.google.com/security
Product Security: GCP - To learn more, please
visit https://cloud.google.com/security/
For full terms, see below
GCP - Data Processing and Security Terms (DPST)
Data Security
| Section 7
Security Measures
| Appendix 2
------------------------------------------------------------------------
GOOGLE WORKSPACE - Data Processing Terms
Data Security
| Section 7
Security Measures
| Appendix 2
Related
Content: Google Cloud Security & Compliance Whitepaper
