Overview of activating Security Command Center

You can activate Security Command Center for an entire organization (organization-level activation) or for individual projects (project-level activation).

The activation process is different for each activation level. Also, when you activate Security Command Center at the project level, certain detection modules and service integrations are not available, due to Security Command Center's reduced scope of access.

Each activation level supports both Security Command Center service tiers: the Standard tier, which offers a limited feature set for free, or the Premium tier, which offers the full feature set.

If you require data-residency control, which is currently released to Preview, you must enable it when you activate Security Command Center. Data residency control is supported only with organization-level activations of Security Command Center.

Overview of organization-level activation

Activating Security Command Center at the organization level is considered a best practice because it provides the most complete protection for your business by allowing Security Command Center to access and scan resources and assets across all of the folders and projects in the organization.

With the appropriate IAM permissions, you can activate the Standard tier for an organization yourself by using the Google Cloud console.

To activate the Premium tier for an organization, you must choose between usage-based pricing or a subscription. The usage-based pricing gives you the flexibility to base your Security Command Center charges on usage. Your usage is charged to the billing accounts associated with the projects in your organization. With the appropriate IAM permissions, you can activate the Premium tier using the usage-based option yourself by using the Google Cloud console. To purchase a subscription instead of the usage-based option, you can contact Google Cloud sales or your Google Cloud partner. For more information about the pricing options, see Pricing.

You use the Google Cloud console to enable and configure Security Command Center. If you are enabling Security Command Center for the first time, the Google Cloud console guides you through the setup.

For step-by-step instructions on enabling and configuring Security Command Center for an organization, see Activate Security Command Center for an organization.

Overview of project-level activation

Activating Security Command Center on an individual project gives you the flexibility to use Security Command Center for only the projects that matter to you most and to base your Security Command Center charges on the resource usage in that project alone.

For a project-level activation, you can activate either tier of Security Command Center—Standard or Premium—yourself in the Google Cloud console, as long as you have the appropriate IAM permissions. You do not need to contact Sales first.

With project-level activations, the charges for the Premium tier are based on the usage of certain Google Cloud resources in the project and are billed to the project by using a usage-based model.

When you activate Security Command Center at the project level, Security Command Center's access to logs, data, and other resources is limited to the project in which it is activated. Consequently, any services that require data from outside of the project are either not available or they cannot produce their full set of findings. For more information about the findings and services that are not available with a project-level activation, see Feature availability with project-level activations.

Data residency control is not supported with project-level activations of Security Command Center.

Optimize project-level activations by activating the Standard tier at the organization level

To optimize project-level activations of the Premium tier, we recommend that you activate the Standard tier of Security Command Center at the organization level.

Activating the Standard tier at the organization level allows you to manage multiple project-level activations globally and ensures that any Standard-tier detection modules or service integrations that require organization-level activation are available to the projects.

For more information, see Standard tier features that require an organization-level activation.

When to use project-level activation

Typically, you activate Security Command Center for a project in the following scenarios:

  • Your organization doesn't currently use Security Command Center at any tier. In this case, you can activate Security Command Center for a project at either the Standard tier or the Premium tier.
  • The organization is currently using the Standard tier. In this case, you can activate only the Premium tier for a project, because every project in the organization can already use the Standard tier.
  • The organization is currently using the Premium tier, but you only require Security Command Center Premium tier for particular projects. In this case, you must downgrade the organization-level activation to the Standard tier for the project-level Premium tier activation to take effect. If you are using an organization-level subscription, this change only comes into effect after the subscription expires.

View your current activation type

The activation type for Security Command Center determines whether Security Command Center is activated at the project level or the organization level, the tier, and the pricing option.

When you open a project in the Google Cloud console, the level at which Security Command Center is activated—the project level or the organization level—is not immediately obvious, because the project could be inheriting the use of Security Command Center from its parent organization.

To determine whether Security Command Center is already activated and to view your current activation type for Security Command Center, complete the following:

  1. In the Google Cloud console, open the Security Command Center dashboard:

    Go to Security Command Center

  2. Select the organization or project that you need to check.

  3. If Security Command Center is active in either the organization or the project, the Security Command Center Overview page displays. If it is not active in either, the Get Security Command Center page displays. For activation instructions, see Activate Security Command Center for an organization or Activate Security Command Center for a project.

  4. On the Security Command Center Overview page for the organization or project, select Settings.

  5. On the Settings page, select the Tier detail tab.

  6. On the Tier detail tab, determine your activation type by checking the Tier and Billing status rows:

    • Tier: Shows the tier (Premium or Standard) for the organization or project. If the organization is set to Premium tier, all projects inherit the Premium tier automatically and the Google Cloud console displays a banner that describes this inheritance. When the organization is set to Premium tier, then, at the project level, this setting shows the tier that the project will use if you downgrade the organization's tier to the Standard tier.

    • Billing row: One of the following:

      • Active: Indicates that your Premium tier pricing is using the usage-based option for the organization or project.

      • Paused: Indicates that the Premium tier is active at the organization level and being inherited by this project.

      • Expiry date: Indicates that your organization-level activation of Premium tier is using a subscription.

      • If the billing row isn't shown: Indicates that the Standard tier is active for the organization or project. Projects can inherit the Standard tier from the organization.

    Text above the Manage tier button in the Google Cloud console describes what tiers and activation options are available to you.