Planning for data residency

If you plan to enable data residency when you activate Security Command Center, the page provides information you need to know.

You can enable support for data residency only when you activate the Premium tier of Security Command Center for the first time in an organization. The Enterprise tier doesn't support data residency.

After data residency is enabled, you cannot disable it.

When you enable data residency in Security Command Center, Security Command Center automatically stores the findings that can contain or reference your data in the Security Command Center location that corresponds to the location of the resources.

Similarly, continuous export, BigQuery exports, and mute rule configurations, which can include your data in their filters, are stored in the Security Command Center location in which you create them, where they are applicable to only the findings in that location.

A finding is a record of a security issue that one of the Security Command Center detection services has detected in your environment. A finding record is made up of properties that describe the security issue and the resources that are affected by it.

A finding filter selects findings by referencing their properties and the property values. Finding filters are used and saved in the configurations of continuous exports (NotificationConfig) and of mute rules (muteConfig).

Within the context of data residency, the following definitions apply:

  • A location is a Google Cloud region or multi-region that corresponds to the location in which your data is stored.
  • The meaning of the term your data is equivalent to the meaning of the term "Customer Data" in the Data Location item in the Google Cloud General Service Terms.

The option to enable data residency is available with both the Standard and Premium tiers of Security Command Center.

Supported data locations

Security Command Center supports only the following Google Cloud multi-regions as a data location:

European Union (eu)
Data is stored in any Google Cloud region within member states of the European Union.
United States (us)
Data is stored in any Google Cloud region in the United States.
Global (global)
Data can be stored or processed in any Google Cloud region. If data residency is not enabled, Global is the only supported location.

For more information about Security Command Center locations, see Products available by location.

If you need to specify a default location for data residency that Security Command Center don't support, contact your account representative or a Google Cloud sales specialist.

Enable data residency during activation

You can enable data residency only when you activate Security Command Center for the first time in an organization.

If you don't enable data residency, the location of all Security Command Center resources is set to global, and Security Command Center does not restrict the storage of your data to any particular location.

An organization-level activation is required.

After data residency is enabled, you can't disable it or change your default location.

If you activate Security Command Center at either the project or organization level without enabling data residency at the same time, you cannot enable data residency in Security Command Center later. You would need to create a new Google Cloud organization to activate Security Command Center with data residency.

Default data location

When you enable Security Command Center data residency, the only location that you need to specify is your default Security Command Center location. This is because Security Command Center determines where it needs to store your data based on where your resources are deployed.

Security Command Center uses the default Security Command Center location only to store findings that apply to the following types of resources:

  • Resources that are not located in a location that Security Command Center supports
  • Resources that don't include a location specification in their metadata

You can select any supported data location as your default location.

If you are a global enterprise that deploys Google Cloud resources in multiple locations or multi-regions, you might choose the global location as your default.

If your business operates in only a single location, you might choose that location as your default Security Command Center location.

Security Command Center API and data residency

Data residency requires Security Command Center API v2.

If you use the Security Command Center API when data residency is enabled, v2 is the only available API that you can use.

Security Command Center resources and data residency

The following list explains how Security Command Center applies data residency controls to the resources that you use when working with Security Command Center:

Assets

Asset metadata is not subject to data residency control. Asset metadata is stored globally in Cloud Asset Inventory.

For this reason, the Security Command Center Assets page always displays all of the resources in your organization, folder, or project, regardless of their location or the location to which you set the Google Cloud console view. However, when data residency is enabled and you view an asset's details, information about any findings that might affect the asset is unavailable from the Assets page.

Attack exposure scores and attack paths

Attack exposure scores and attack paths are not subject to data residency control and are stored globally.

BigQuery exports

BigQuery export configurations are subject to data residency controls and are stored in the location in which you create them. They apply only to findings resident to the same location.

Continuous exports

Continuous export configurations are subject to data residency controls and are stored in the location in which you create them. They apply only to findings resident to the same location.

Findings

Findings are subject to data residency controls and are stored in the Security Command Center location where the affected resource is located. If an affected resource is located outside of a supported location or has no location identifier, any findings for the resource instance are stored in your default location.

Mute rules

Mute rule configurations are subject to data residency controls and are stored in the location in which you create them. They apply only to findings resident to the same location.

Security Command Center settings

Most Security Command Center settings, such as those that define which services are enabled or which tier is active, are not subject to data residency controls and are stored globally. An exception is the configuration settings for BigQuery exports, continuous exports to Pub/Sub, and mute rules. These settings are specific to the location in which you create them.

Viewing locational data in the Google Cloud console

When data residency is enabled and you select a location in the Google Cloud console, each Security Command Center page displays findings, mute rules, and continuous exports from only the selected location.

For example, when you select the global view, you see only global data. To see findings, mute rules, or continuous exports from another location, you must change the Google Cloud console view to the other location.

Determining data location after enablement

The location in which the Security Command Center findings and configurations that contain your data are stored is determined at a couple points after data residency is enabled:

  • When you or Security Command Center generates or creates a finding or configuration.
  • When you view or retrieve a finding or configuration.

Determining location when you create configurations

When you create a continuous export, BigQuery export, or a mute rule, Security Command Center stores the resulting configuration as a resource. A continuous export configuration is stored as a NotificationConfig resource, a BigQuery export configuration is stored as a BiqQueryExport resource, and a mute rule configuration is stored as a MuteConfig resource.

Before you create an export configuration or a mute rule, you must select the location in which to create them. The location you select is the location in which the findings that you want to export or mute reside.

In the Google Cloud console, you need to set the Google Cloud console view to the appropriate location before you create a continuous export or mute rule.

When you create a continuous exports or mute rule by using the Security Command Center API or the Google Cloud CLI, you specify the location in the API call or gcloud command that you use to create the notificationConfig or muteConfig configuration.

For more information about creating configurations, see:

Determining location when findings are generated

When one of the Security Command Center services detects a security issue in your environment, Security Command Center determines where to store the resulting finding based on the location of the affected resource.

If the affected resource is in a data location that Security Command Center supports, Security Command Center stores the finding in the same location.

If the affected resource is not in a supported data location or does not specify a location in its metadata, Security Command Center stores the finding in the default data location that you specified when data residency was enabled.

Determining location when you view Security Command Center data

To view the findings, mute rules, and continuous exports of a specific location in the Google Cloud console, you must first set the Google Cloud console view to that location.

You set your view location in the top-left corner of most Security Command Center pages in the Google Cloud console, directly below the project selector:

Screenshot of the location selector

When the Google Cloud console view is set to a location, the Google Cloud console displays only the findings, mute rules, and continuous exports that are resident to the location.

To retrieve findings or configurations by using the API or the gcloud CLI, you need to specify the location in which the findings or configurations are stored.

Data residency support for features and integrations

When data residency is enabled, the following features, functions, and integrations with other products are not supported:

  • AI summaries
  • Web Security Scanner
  • Rapid Vulnerability Detection

What's next

To learn how to activate Security Command Center with data residency enabled, see Activate Security Command Center for an organization for the first time.