Data and infrastructure security overview

This page describes the data and infrastructure security that apply to Security Command Center.

Data processing

When you enroll in Security Command Center, Google Cloud processes information related to the Google Cloud services you use, including the following:

  • The configuration and metadata associated with your Google Cloud resources
  • The configuration and metadata for your Identity and Access Management (IAM) policies and users
  • Google Cloud-level API access patterns and usage
  • Cloud Logging contents for your Google Cloud organization
  • Security Command Center metadata, including service settings and security findings

Data in Security Command Center is encrypted at rest and in transit between internal systems. Additionally, Security Command Center's data access controls are compliant with the Health Insurance Portability and Accountability Act (HIPAA).

Limiting sensitive data

Administrators and other privileged users in your organization must exercise appropriate care when adding data to Security Command Center.

Security Command Center lets privileged users add descriptive information to Google Cloud resources and the findings generated by scans. In some cases, users may unknowingly relay sensitive data when using the product, for example, adding customer names or account numbers to findings. To protect your data, we recommended that you avoid adding sensitive information when naming or annotating assets.

As an additional safeguard, Security Command Center can be integrated with Cloud Data Loss Prevention. Cloud DLP discovers, classifies, and masks sensitive data and personal information, such as credit card numbers, Social Security numbers, and Google Cloud credentials.

Depending on the quantity of information, Cloud DLP costs can be significant. Follow best practices for keeping Cloud DLP costs under control.

For guidance on setting up Security Command Center, including managing resources, see Optimizing Security Command Center.

Infrastructure security

Security Command Center is built on top of the same infrastructure Google uses for its own consumer and enterprise services. The layered architecture provides strong authentication, encryption, and secure networking options, but users can opt for even stronger protections with products like Confidential Computing. This service allows users to keep data encrypted even when in use, adding to encryption at rest and encryption in transit protocols.

To learn more about Google's infrastructure security, see Google Infrastructure Security Design Overview.

What's next