Security posture overview

A security posture lets you define and manage the security status of your cloud assets, including your cloud network and cloud services. You can use a security posture to evaluate your current cloud security against defined benchmarks and maintain the level of security that your organization requires. A security posture helps you detect and mitigate any drift from your defined benchmark. By defining and maintaining a security posture that matches your business's security needs, you can minimize cybersecurity risks to your organization and help prevent attacks from occurring.

In Google Cloud, you can use the security posture service in Security Command Center to define and deploy a security posture, monitor the security status of your Google Cloud resources, and address any drift (or unauthorized change) from your defined posture.

Security posture service overview

The security posture service is a built-in service for the Security Command Center that lets you define, assess, and monitor the overall status of your security in Google Cloud. The security posture service is only available to you if you purchase a subscription of the Security Command Center Premium tier or the Enterprise tier and activate Security Command Center at the organization level.

You can use the security posture service to perform the following:

  • Ensure that your workloads conform to security standards, compliance regulations, and your organization's custom security requirements.
  • Apply your security controls to Google Cloud projects, folders, or organizations before you deploy any workloads.
  • Continuously monitor for and resolve any drift from your defined security controls.

The security posture service is automatically enabled when you activate Security Command Center at the organization level.

Security posture service components

The security posture service includes the following components:

  • Posture: One or more policy sets that enforce the preventative and detective controls that your organization requires to meet its security standard. You can deploy postures at the organization level, folder level, or project level. For a list of posture templates, see Predefined posture templates.
  • Policy sets: A set of security requirements and associated controls in Google Cloud. Typically, a policy set consists of all the policies that let you meet the requirements of a particular security standard or compliance regulation.
  • Policy: A particular constraint or restriction that controls or monitors the behavior of resources in Google Cloud. Policies can be preventative (for example, organization policy constraints) or detective (for example, Security Health Analytics detectors). Supported policies are the following:

  • Posture deployment: After you create a posture, you deploy it so that you can apply the posture to the organization, folders, or projects that you want to manage using the posture.

The following diagram shows the components of an example security posture.

Components in the security posture service.

Predefined posture templates

The security posture service includes predefined posture templates that adhere to a compliance standard or to a Google-recommended standard like the enterprise foundations blueprint recommendations. You can use these templates to create security postures that apply to your business. The following table describes the posture templates.

Posture template Template name Description

Secure by default, essentials

secure_by_default_essential

This template implements the policies that help prevent common misconfigurations and common security issues caused by default settings. You can deploy this template without making any changes to it.

Secure by default, extended

secure_by_default_extended

This template implements the policies that help prevent common misconfigurations and common security issues caused by default settings. Before you deploy this template, you must customize it to match your environment.

Secure AI recommendations, essentials

secure_ai_essential

This template implements policies that help you secure Gemini and Vertex AI workloads. You can deploy this template without making any changes to it.

Secure AI recommendations, extended

secure_ai_extended

This template implements policies that help you secure Gemini and Vertex AI workloads. Before you deploy this template, you must customize it to match your environment.

BigQuery recommendations, essentials

big_query_essential

This template implements policies that help you secure BigQuery. You can deploy this template without making any changes to it.

Cloud Storage recommendations, essentials

cloud_storage_essential

This template implements policies that help you secure Cloud Storage. You can deploy this template without making any changes to it.

Cloud Storage recommendations, extended

cloud_storage_extended

This template implements policies that help you secure Cloud Storage. Before you deploy this template, you must customize it to match your environment.

VPC Service Controls recommendations, essentials

vpcsc_essential

This template implements policies that help you secure VPC Service Controls. You can deploy this template without making any changes to it.

VPC Service Controls recommendations, extended

vpcsc_extended

This template implements policies that help you secure VPC Service Controls. Before you deploy this template, you must customize it to match your environment.

Center for Internet Security (CIS) Google Cloud Computing Platform Benchmark v2.0.0 recommendations

cis_2_0

This template implements policies that help you detect when your Google Cloud environment doesn't align with the CIS Google Cloud Computing Platform Benchmark v2.0.0. You can deploy this template without making any changes to it.

NIST SP 800-53 standard recommendations

nist_800_53

This template implements policies that help you detect when your Google Cloud environment doesn't align with the National Institute of Standards and Technology (NIST) SP 800-53 standard. You can deploy this template without making any changes to it.

ISO 27001 standard recommendations

iso_27001

This template implements policies that help you detect when your Google Cloud environment doesn't align with the International Organization for Standards (ISO) 27001 standard. You can deploy this template without making any changes to it.

PCI DSS standard recommendations

pci_dss_v_3_2_1

This template implements policies that help you detect when your Google Cloud environment doesn't align with the Payment Card Industry Data Security Standard (PCI DSS) version 3.2.1 and version 1.0. You can deploy this template without making any changes to it.

Deploy postures and monitor drift

To enforce a posture with all its policies on a Google Cloud resource, you deploy the posture. You can specify which level of the resource hierarchy (organization, folder, or project) that the posture applies to. You can only deploy one posture to each organization, folder, or project.

Postures are inherited by child folders and projects. Therefore, if you deploy postures at the organization level and at the project level, all the policies within both postures apply to the resources in the project. If there are any differences in policy definitions (for example, a policy is set to Allow at the organization level and to Deny at the project level), the lower-level posture is used by the resources in that project.

As a best practice, we recommend that you deploy a posture at the organization level that includes policies that can apply to your entire business. You can then apply more stringent policies to folders or projects that require them. For example, if you use the enterprise foundations blueprint to set up your infrastructure, you create certain projects (for example, prj-c-kms) that are specifically created to contain the encryption keys for all the projects in a folder. You can use a security posture to set the constraints/gcp.restrictCmekCryptoKeyProjects organization policy constraint on the common folder and environment folders (development, nonproduction, and production) so that all projects only use keys from the key projects.

After you deploy your posture, you can monitor your environment for any drift from your defined posture. Security Command Center reports instances of drift as findings that you can review, filter, and resolve. In addition, you can export these findings in the same way that you export any other findings from Security Command Center. For more information, see Integration options and Exporting Security Command Center data.

Use security postures with Vertex AI and Gemini

You can use security postures to help you maintain the security for your AI workloads. The security posture service includes the following:

  • Predefined posture templates that are specific to AI workloads.

  • A pane on the Overview page that lets you monitor for vulnerabilities that were found by the Security Health Analytics custom modules that apply to AI, and lets you view any drift from the Vertex AI organization policies that are defined in a posture.

Security posture service limits

The security posture service includes the following limits:

  • A maximum of 100 postures in an organization.
  • A maximum of 400 policies in a posture.
  • A maximum of 1000 posture deployments in an organization.

What's next