Planning for data residency

Data residency gives you more control over where your Security Command Center data is located. This page provides essential information about how Security Command Center supports data residency.

The following definitions apply to this page:

• A location is a Google Cloud region or multi-region that corresponds to the location in which your data resides.
• The meaning of the term your data is equivalent to the meaning of the term "Customer Data" in the Data Location item in the Google Cloud General Service Terms.

Supported data locations

Security Command Center supports only the following Google Cloud multi-regions as data locations:

European Union (eu)

Data resides in any Google Cloud region within member states of the European Union.

United States (us)

Data resides in any Google Cloud region in the United States.

Kingdom of Saudi Arabia (KSA) (sa)

Data resides in any Google Cloud region in KSA.

Global (global)

Data can reside in any Google Cloud region. If data residency is not enabled, then Global (global) is the only supported location.

For more information about Security Command Center locations, see Products available by location.

If you need to specify a default location for data residency that Security Command Center doesn't support, then contact your account representative or a Google Cloud sales specialist.

Requirements for data residency

You can enable data residency only when you activate the Standard or Premium tier of Security Command Center in an organization for the first time. The Enterprise tier doesn't support data residency.

After data residency is enabled, you can't disable it or change your default location. Also, Gemini summaries of findings and attack paths are not available.

Data residency requires you to use the Security Command Center v2 API. If data residency is enabled, then you can't use earlier versions of the Security Command Center API.

If you don't enable data residency when you activate Security Command Center, then Security Command Center does not restrict your data to any particular location, and it's stored in accordance with the Google Cloud Platform Terms of Service.

Regional URLs

For the Kingdom of Saudi Arabia (KSA) location, you must use location-specific URLs to access the jurisdictional Google Cloud console, as well as some methods and commands in the gcloud CLI, the Cloud Client Libraries, and the Security Command Center API:

gcloud config set api_endpoint_overrides/securitycenter \
    https://securitycenter.me-central2.rep.googleapis.com/

gcloud config unset api_endpoint_overrides/securitycenter

import (
	"context"
	"fmt"

	securitycenter "cloud.google.com/go/securitycenter/apiv2"
	"google.golang.org/api/option"
)

// createClientWithEndpoint creates a Security Command Center client for a
// regional endpoint.
func createClientWithEndpoint(repLocation string) error {
	// Assemble the regional endpoint URL using provided location.
	repEndpoint := fmt.Sprintf("securitycenter.%s.rep.googleapis.com:443", repLocation)
	// Instantiate client for regional endpoint. Use this client to access resources that
	// are subject to data residency controls, and that are located in the region
	// specified in repLocation.
	repCtx := context.Background()
	repClient, err := securitycenter.NewClient(repCtx, option.WithEndpoint(repEndpoint))
	if err != nil {
		return err
	}
	defer repClient.Close()

	return nil
}

import com.google.cloud.securitycenter.v2.SecurityCenterClient;
import com.google.cloud.securitycenter.v2.SecurityCenterSettings;
import java.io.IOException;

public class CreateClientWithEndpoint {

  public static void main(String[] args) throws IOException {
    // TODO: Replace the value with the endpoint for the region in which your
    // Security Command Center data resides.
    String regionalEndpoint = "securitycenter.me-central2.rep.googleapis.com:443";
    SecurityCenterClient client = createClientWithEndpoint(regionalEndpoint);
    System.out.println("Client initiated with endpoint: " + client.getSettings().getEndpoint());
  }

  // Creates Security Command Center client for a regional endpoint.
  public static SecurityCenterClient createClientWithEndpoint(String regionalEndpoint)
      throws java.io.IOException {
    SecurityCenterSettings regionalSettings =
        SecurityCenterSettings.newBuilder().setEndpoint(regionalEndpoint).build();
    return SecurityCenterClient.create(regionalSettings);
  }
}

When data residency is enforced

When you enable data residency for Security Command Center, some Security Command Center data is kept within a specified location when it's in one of the following states:

• At rest: All supported locations
• In use: KSA (sa) only
• In transit: KSA (sa) only

Data residency at rest

Data is at rest when all of the following criteria are met:

• The data is for a resource type that is subject to data residency controls.
• You have not requested an operation that requires the data to be accessed.
• The data is not being accessed in a way that produces audit logs or Access Transparency logs.

When you enable data residency, Security Command Center does the following:

Data residency in use

Data is in use when all of the following criteria are met:

• The data is for a resource type that is subject to data residency controls.
• Google Cloud is completing an operation that was initiated at your request—for example, because your application called the Security Command Center API—or an operation that produces audit logs or Access Transparency logs.
• It's possible for Google Cloud to operate on the data in a way that requires knowledge of the data's meaning—for example, by updating specific fields in a configuration resource. This includes any case where data is unencrypted in memory.

When you enable data residency, Security Command Center does the following:

Data residency in transit

Data is in transit when all of the following criteria are met:

• The data is for a resource type that is subject to data residency controls.
• The data is being transmitted, with encryption, within Google's network, or the data is in memory, with encryption, for the purpose of transmitting it within Google's network.

When you enable data residency, Security Command Center does the following:

Default data location

For the EU, US, and Global locations, when you enable Security Command Center data residency, you specify a default Security Command Center location. You can select any supported data location as your default location.

Security Command Center uses the default location only to store findings at rest that apply to the following types of resources:

• Resources that are not located in a supported data location for Security Command Center
• Resources that don't specify a location in their metadata

If you deploy Google Cloud resources in multiple locations or multi-regions, then you might choose the Global (global) location as your default.

If you deploy resources only in a single location, then you might choose the multi-region that includes that location as your default.

Security Command Center resources and data residency

The following list explains how Security Command Center applies data residency controls to Security Command Center resources. If a resource isn't listed here, then it's not subject to data residency controls and is stored in accordance with the Google Cloud Platform Terms of Service.

Assets

Asset metadata is stored by Cloud Asset Inventory and is not subject to data residency controls. This data is stored in accordance with the Google Cloud Platform Terms of Service.

For this reason, the Security Command Center Assets page in the Google Cloud console always displays all of the resources in your organization, folder, or project, regardless of their location or the location that you select in the Google Cloud console. However, when data residency is enabled, and you view an asset's details, the Assets page does not show information about findings that affect the asset.

Attack exposure scores and attack paths

Attack exposure scores and attack paths are not subject to data residency controls. This data is stored in accordance with the Google Cloud Platform Terms of Service.

BigQuery exports

BigQuery export configurations are subject to data residency controls.

EU, US, and Global

When you create these resources, you specify the location where they reside. These configurations apply only to findings that reside in the same location.

KSA

Use the regional URLs to create and manage these configuration resources. They reside in the KSA location, along with your findings.

The Security Command Center API represents BigQuery export configurations as BiqQueryExport resources.

Continuous exports

Continuous export configurations are subject to data residency controls.

EU, US, and Global

When you create these resources, you specify the location where they reside. These configurations apply only to findings that reside in the same location.

KSA

Use the regional URLs to create and manage these configuration resources. They reside in the KSA location, along with your findings.

The Security Command Center API represents continuous export configurations as NotificationConfig resources.

Findings

Findings are subject to data residency controls.

EU, US, and Global

When a finding is created, it resides in the Security Command Center location where the affected resource is located.

If an affected resource is located outside of a supported location or has no location identifier, then findings for the resource reside in your default location.

KSA

When a finding is created for a resource that resides in the KSA location, that finding always resides in the KSA location.

When a finding is created for a resource that resides in another location, the finding eventually resides in the KSA location. However, the finding might reside in a different region at the time that it's created.

To help ensure that findings always reside in the KSA location, create all of your resources in the KSA location.

Mute rules

Mute rule configurations are subject to data residency controls.

EU, US, and Global

When you create these resources, you specify the location where they reside. These configurations apply only to findings that reside in the same location.

KSA

Use the regional URLs to create and manage these configuration resources. They reside in the KSA location, along with your findings.

The Security Command Center API represents mute rule configurations as MuteConfig resources.

Other Security Command Center resources and settings

Security Command Center resources and settings that aren't listed here, such as those that define which services are enabled or which tier is active, are not subject to data residency controls. This data is stored in accordance with the Google Cloud Platform Terms of Service.

Create or view data in a location

When data residency is enabled, you must specify a location when you create or view any data that's subject to data residency controls. Security Command Center automatically chooses a location for findings that it creates.

You can create or view data in only one location at a time. For example, if you list findings in the Global (global) location, then you won't see findings in the European Union (eu) location.

To create or view data that resides in a Security Command Center location, do the following:

gcloud scc findings list ORGANIZATION_ID --location=LOCATION

gcloud scc findings list ORGANIZATION_ID --location=LOCATION

gcloud scc findings list ORGANIZATION_ID --location=LOCATION

gcloud config set api_endpoint_overrides/securitycenter \
    https://securitycenter.me-central2.rep.googleapis.com/

gcloud scc findings list ORGANIZATION_ID --location=sa

gcloud scc findings list ORGANIZATION_ID --location=sa

gcloud scc findings list ORGANIZATION_ID --location=sa

GET https://securitycenter.googleapis.com/v2/organizations/ORGANIZATION_ID/sources/-/locations/LOCATION/findings

curl -X GET \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     "https://securitycenter.googleapis.com/v2/organizations/ORGANIZATION_ID/sources/-/locations/LOCATION/findings"

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://securitycenter.googleapis.com/v2/organizations/ORGANIZATION_ID/sources/-/locations/LOCATION/findings" | Select-Object -Expand Content

GET https://securitycenter.me-central2.rep.googleapis.com/v2/organizations/ORGANIZATION_ID/sources/-/locations/sa/findings

curl -X GET \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     "https://securitycenter.me-central2.rep.googleapis.com/v2/organizations/ORGANIZATION_ID/sources/-/locations/sa/findings"

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://securitycenter.me-central2.rep.googleapis.com/v2/organizations/ORGANIZATION_ID/sources/-/locations/sa/findings" | Select-Object -Expand Content

What's next

• Learn how to activate Security Command Center with data residency enabled.
• Enable Security Command Center to stream findings to BigQuery.
• Set up continuous exports from Security Command Center to Pub/Sub.
• Create a mute rule for findings.