This page describes the data and infrastructure security that apply to Security Command Center.
When you enroll in Security Command Center, Google Cloud processes information related to the Google Cloud services you use, including the following:
- The configuration and metadata associated with your Google Cloud resources
- The configuration and metadata for your Identity and Access Management (IAM) policies and users
- Google Cloud-level API access patterns and usage
- Cloud Logging contents for your Google Cloud organization
- Security Command Center metadata, including service settings and security findings
Security Command Center processes data related to your cloud logs and assets that you configure to be scanned or monitored, including telemetry and other data therein, to provide findings and improve the service.
In order to protect your assets against new and evolving threats, Security Command Center analyzes data related to misconfigured assets, indicators of compromise in logs, and attack vectors. This activity may include processing to improve service models, recommendations for hardening customer environments, the effectiveness and quality of services, and user experience. If you prefer to use the service without your data being processed for purposes of improving the service, you can contact Google Cloud Support to opt out. Certain features that depend on security telemetry might not be available to you if you opt out. Examples of these are customized detections tailored to your environment, and service improvements that incorporate your service configurations.
Data is encrypted at rest and in transit between internal systems. Additionally, Security Command Center's data access controls are compliant with the Health Insurance Portability and Accountability Act (HIPAA) and other Google Cloud compliance offerings.
Limiting sensitive data
Administrators and other privileged users in your organization must exercise appropriate care when adding data to Security Command Center.
Security Command Center lets privileged users add descriptive information to Google Cloud resources and the findings generated by scans. In some cases, users may unknowingly relay sensitive data when using the product, for example, adding customer names or account numbers to findings. To protect your data, we recommended that you avoid adding sensitive information when naming or annotating assets.
As an additional safeguard, Security Command Center can be integrated with Cloud Data Loss Prevention. Cloud DLP discovers, classifies, and masks sensitive data and personal information, such as credit card numbers, Social Security numbers, and Google Cloud credentials.
Depending on the quantity of information, Cloud DLP costs can be significant. Follow best practices for keeping Cloud DLP costs under control.
For guidance on setting up Security Command Center, including managing resources, see Optimizing Security Command Center.
Data that Security Command Center processes is captured and stored in findings that identify threats, vulnerabilities, and misconfigurations in the resources and assets within your organization, folders, and projects. Findings contain a series of snapshots that capture the state and properties of a finding each time the finding record is updated.
Security Command Center stores finding snapshots for 13 months. After 13 months, finding snapshots and their data are deleted from the Security Command Center database and cannot be recovered. This results in fewer snapshots in a finding, limiting the ability to view the history of a finding and how it's changed over time.
A finding persists in Security Command Center as long as it contains at least one snapshot that is less than 13 months old. To keep findings and all of their data for longer periods, export them to another storage location. To learn more, see Exporting Security Command Center data.
An exception to the 13-month retention period applies when an organization is deleted from Google Cloud. When an organization is deleted, all findings derived from the organization and its folders and projects are deleted within 30 days of the deletion of the organization.
If Security Command Center is activated in one or more projects within an organization, but not in the organization as a whole, findings for each individual project are retained for 13 months. If a project is deleted, the findings from the project are not deleted at the same time, but are instead retained for 13 months for the auditability of the organization that contained the deleted project.
If you delete a project and need to delete all of the findings for the project at the same time, contact Cloud Customer Care, who can initiate an early deletion of all findings in the project for you.
Security Command Center is built on top of the same infrastructure Google uses for its own consumer and enterprise services. The layered architecture provides strong authentication, encryption, and secure networking options, but users can opt for even stronger protections with products like Confidential Computing. This service allows users to keep data encrypted even when in use, adding to encryption at rest and encryption in transit protocols.
To learn more about Google's infrastructure security, see Google Infrastructure Security Design Overview.
To learn about Security Command Center's features and benefits, see Security Command Center overview.
Learn more about Using Security Command Center.