Google Cloud security best practices center

Explore these best practices for meeting your security and compliance objectives as you deploy workloads on Google Cloud.

Contact us

Best practices guides

Best practices guides provide specific, informed guidance on helping secure Google Cloud deployments and describe recommended configurations, architectures, suggested settings, and other operational advice.

Best practices for Google Cloud

Google Cloud security foundations blueprint guide

This comprehensive guide helps you build security into your Google Cloud deployments. It covers organization structure, authentication and authorization, resource hierarchy, networking, logging, detective controls, and more.

Best practices for enterprise organizations

This high-level guide helps enterprise architects and technology stakeholders understand the scope of security activities on Google Cloud and plan accordingly. It provides key actions to take and includes links for further reading.

Best practices for cloud security products

Anthos security blueprints

The Anthos security blueprints provide prescriptive information and instructions for achieving a set of security postures when you create or migrate workloads that use Anthos clusters.

Container security best practices

Learn about securing containers by reading our “Exploring container security” blog series.

DDoS protection and mitigation on GCP

This guide contains best practices for helping to protect against and mitigate denial of service (DoS) attacks for your GCP deployment.

Best practices for using Microsoft AD and apps

Learn how to leverage Google Cloud to manage your cloud-based AD-dependent apps and servers, automate AD server maintenance and security configuration, and extend your AD domain to the cloud. 

Security best practice checklists

Learn more about Google Workspace and Cloud Identity security best practices with these checklists for small, medium, and large businesses.

Deployable security blueprints and landing zones

Resources, including code and templates, that can be used to deploy cloud resources in recommended configurations.

Deployable blueprints

Security foundations deployable assets

Terraform modules that can be composed to build a security-centric GCP foundation. The supplied structure and code is a starting point with pragmatic defaults based on our guide. You can customize the scripts to meet your own requirements.

Cloud Foundation Toolkit deployable assets

The Cloud Foundation Toolkit provides a comprehensive set of production-ready resource templates that follow Google's best practices.

Anthos security blueprints GitHub repository

The Anthos security blueprints repository on GitHub has resources and artifacts that show you how to achieve a set of security postures when you create or migrate workloads that use Anthos clusters.

Deployable blueprints for industries

Healthcare: Setting up a HIPAA-aligned project

This blueprint provides an example of how to configure and deploy Google Cloud resources to store and process healthcare data, including protected health information (PHI) as defined by the US Health Insurance Portability and Accountability Act (HIPAA).

Retail: PCI on GKE security blueprint

This blueprint enables you to quickly and easily deploy workloads on GKE that align with the Payment Card Industry Data Security Standard (PCI DSS) in a repeatable, supported, and secure way.

Security whitepapers and references

In-depth information about how Google Cloud’s infrastructure and services are designed, built, and operated with security in mind.

Google security

This paper provides an overview of Google's approach to security and compliance for Google Cloud. It includes details on organizational and technical controls for data protection.

Google infrastructure security design overview

Overview of how security is designed into Google's technical infrastructure. Covers physical security of our data centers, how the hardware and software that underlie the infrastructure are secured, and technical constraints and processes in place to support operational security.

Encryption at rest

This paper describes Google's approach to encryption at rest for Google Cloud, and how Google uses it to keep your information more secure.

Encryption in transit

Google Cloud automatically encrypts your data in transit outside of physical boundaries not controlled by Google. Learn more about how we use encryption in transit to keep your data secure.

Cloud Key Management deep dive

Learn more about how Cloud KMS lets Google Cloud customers manage cryptographic keys in a central cloud service.

BeyondProd: New approach to cloud-native security

Read how Google protects its microservices with an initiative called BeyondProd. This protection includes how code is changed and how user data in microservices is accessed. 

Binary Authorization for Borg

Learn more about Binary Authorization for Borg: an internal deploy-time enforcement check that minimizes insider risk by ensuring that production software and configuration deployed at Google is properly reviewed and authorized, particularly if that code has the ability to access user data.

BeyondCorp: A new approach to enterprise security

BeyondCorp is Google's implementation of the zero trust security model that builds upon eight years of building zero trust networks at Google, combined with ideas and best practices from the community.

Building secure and reliable systems

In this book, experts from Google share best practices to help your organization design scalable and reliable systems that are fundamentally secure.

Learning resources

Explore Google Cloud and third-party resources to further your knowledge of security best practices.

GCP CIS Benchmarks™

CIS Benchmarks are consensus-based, best-practice security configuration guides developed and accepted by government, business, industry, and academia. This site provides CIS Benchmarks specific to GCP.


MITRE ATT&CK® is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. This site provides the MITRE ATT&CK® Matrix for GCP.

Professional Cloud Security Certification

Learn how to become a Professional Cloud Security Engineer. Gain an understanding of security best practices and industry security requirements.

Coursera: Google Cloud Security

This self-paced training gives a broad study of security controls, best practices, and techniques on Google Cloud.

Next OnAir Security session recordings 2020

Watch our security session recordings from Google Cloud Next OnAir 2020 to learn the latest in security innovations from Google Cloud's experts and customers.

Next Security session recordings 2019

Learn from Google Cloud's security experts and our customers in our 2019 security session recordings from Google Cloud Next.