Data and infrastructure security overview

This page describes the data and infrastructure security measures that apply to Security Command Center.

Data processing

When you enroll in Security Command Center, Google Cloud processes information related to the Google Cloud services you use, including the following:

  • The configuration and metadata associated with your Google Cloud resources
  • The configuration and metadata for your Identity and Access Management (IAM) policies and users
  • Google Cloud-level API access patterns and usage
  • Cloud Logging contents for your Google Cloud organization
  • Security Command Center metadata, including service settings and security findings

Security Command Center processes data related to your cloud logs and assets that you configure to be scanned or monitored, including telemetry and other data therein, to provide findings and improve the service.

In order to protect your assets against new and evolving threats, Security Command Center analyzes data related to misconfigured assets, indicators of compromise in logs, and attack vectors. This activity may include processing to improve service models, recommendations for hardening customer environments, the effectiveness and quality of services, and user experience. If you prefer to use the service without your data being processed for purposes of improving the service, you can contact Google Cloud Support to opt out. Certain features that depend on security telemetry might not be available to you if you opt out. Examples of these are customized detections tailored to your environment, and service improvements that incorporate your service configurations.

Data is encrypted at rest and in transit between internal systems. Additionally, Security Command Center's data access controls are compliant with the Health Insurance Portability and Accountability Act (HIPAA) and other Google Cloud compliance offerings.

Limiting sensitive data

Administrators and other privileged users in your organization must exercise appropriate care when adding data to Security Command Center.

Security Command Center lets privileged users add descriptive information to Google Cloud resources and to the findings generated by scans. In some cases, users may unknowingly relay sensitive data when using the product, for example by adding customer names or account numbers to findings. To protect your data, we recommend that you avoid adding sensitive information when naming or annotating assets.

As an additional safeguard, Security Command Center can be integrated with Cloud Data Loss Prevention. Cloud DLP discovers, classifies, and masks sensitive data and personal information, such as credit card numbers, Social Security numbers, and Google Cloud credentials.

Depending on the quantity of information, Cloud DLP costs can be significant. Follow best practices for keeping Cloud DLP costs under control.
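The recommendation above, that operators not place card numbers, account numbers or similar identifiers into asset names and finding annotations, can be enforced before anything reaches Security Command Center. The following is an added example, not code from this page, from Cloud DLP or from the Security Command Center client libraries: a small pre-submission screen that runs over a dictionary of annotation values, detects credit card numbers (digit runs that pass the Luhn check) and US Social Security number patterns, redacts them, and returns a report of what was found so the submission can be blocked or reviewed. The annotation dictionary and its contents are constructed sample data; the detector set is deliberately narrow and is an assumption standing in for the much broader classification Cloud DLP performs.

```python
import re

# Constructed sample annotations an operator might attach to a finding.
# None of these values are real customer data.
SAMPLE_ANNOTATIONS = {
    "owner": "Payments team, contact acme-pay@example.com",
    "note": "Customer card 4111 1111 1111 1111 was flagged; SSN 123-45-6789 on file",
    "ticket": "INC-2024-0042 (remediation in progress)",
}

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# starting and ending on a digit so surrounding whitespace is not consumed.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# US SSN in the common AAA-GG-SSSS written form.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum.

    Used to separate real-looking card numbers from arbitrary digit runs
    such as ticket numbers or timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(text: str):
    """Redact card numbers and SSNs in one annotation value.

    Returns (redacted_text, findings) where findings is a list of
    (info_type, matched_text) tuples for the caller's report."""
    findings = []

    def card_sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("CREDIT_CARD_NUMBER", m.group(0)))
            # Keep only the last four digits, as receipts do.
            return "[REDACTED CARD ****" + digits[-4:] + "]"
        return m.group(0)  # digit run that fails Luhn is left alone

    def ssn_sub(m):
        findings.append(("US_SSN", m.group(0)))
        return "[REDACTED SSN]"

    text = CARD_RE.sub(card_sub, text)
    text = SSN_RE.sub(ssn_sub, text)
    return text, findings


def screen_annotations(annotations: dict):
    """Screen every annotation value before it is written to a finding.

    Returns (clean_annotations, report); report lists (key, info_type)
    for each sensitive value that was redacted, so a caller can refuse
    the submission or log it for review."""
    clean = {}
    report = []
    for key, value in annotations.items():
        new_value, found = redact(value)
        clean[key] = new_value
        for info_type, _raw in found:
            report.append((key, info_type))
    return clean, report


if __name__ == "__main__":
    cleaned, findings_report = screen_annotations(SAMPLE_ANNOTATIONS)
    for key, value in cleaned.items():
        print(f"{key}: {value}")
    print("report:", findings_report)
```

In practice the `report` is the useful output: an empty report means the annotations can be written as-is, while a non-empty one is the signal to stop and ask the operator to reword the note rather than silently storing a redacted version. The Luhn filter matters because finding annotations are full of benign digit runs (ticket ids, timestamps, IP addresses) that a bare digit pattern would flag.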

For guidance on setting up Security Command Center, including managing resources, see Optimizing Security Command Center.

Infrastructure security

Security Command Center is built on top of the same infrastructure Google uses for its own consumer and enterprise services. The layered architecture provides strong authentication, encryption, and secure networking options, but users can opt for even stronger protections with products like Confidential Computing. This service allows users to keep data encrypted even while it is in use, complementing the existing encryption at rest and encryption in transit.

To learn more about Google's infrastructure security, see Google Infrastructure Security Design Overview.

What's next