Google Cloud security best practices center

Explore these best practices for meeting your security and compliance objectives as you deploy workloads on Google Cloud.

Best practices guides

Best practices guides provide specific, informed guidance on helping secure Google Cloud deployments and describe recommended configurations, architectures, suggested settings, and other operational advice.

Best practices for Google Cloud

Enterprise foundations blueprint guide

This comprehensive guide helps you build security into your Google Cloud deployments. It covers organization structure, authentication and authorization, resource hierarchy, networking, logging, detective controls, and more.

Best practices for enterprise organizations

This high-level guide helps enterprise architects and technology stakeholders understand the scope of security activities on Google Cloud and plan accordingly. It provides key actions to take and includes links for further reading.

Architecture center: security and compliance

Access our complete catalog of security and compliance reference architectures, guidance, and best practices for building or migrating your workloads on Google Cloud.

Best practices for cloud security products

Secured Data Warehouse security blueprint

Learn about and deploy key security best practices for BigQuery across data ingestion, storage, processing, classification, encryption, logging, monitoring and governance.

AI Platform Notebooks security blueprint

Learn best practices for protecting confidential data in your AI Platform Notebooks, extending your data governance practices and protecting your data from exfiltration.

Container security best practices

Learn about securing containers by reading our “Exploring container security” blog series.

DDoS protection and mitigation on Google Cloud

This guide contains best practices for helping to protect against and mitigate denial of service (DoS) attacks for your Google Cloud deployment.

How to best use Microsoft AD with Google Cloud

Learn the best practices related to networking, hybrid connectivity, security, and management when running Active Directory on and with Google Cloud.

Best practices for Identity and Access Management

These guides outline some of the best practices for using Cloud Identity & Access Management (IAM) to manage identities and permissions for your organization.

Security best practice checklists

Learn more about Google Workspace and Cloud Identity security best practices with these checklists for small, medium, and large businesses.

Deployable security blueprints and landing zones

Resources, including code and templates, that can be used to deploy cloud resources in recommended configurations.

Deployable blueprints

Security foundations deployable assets

Terraform modules that can be composed to build a security-centric Google Cloud foundation. The supplied structure and code are a starting point with pragmatic defaults based on our guide. You can customize the scripts to meet your own requirements.

Secured Data Warehouse blueprint GitHub repository

This repository contains Terraform configuration modules that allow you to quickly deploy a secured BigQuery data warehouse based on the opinionated guidance in our blueprint.

AI Platform Notebooks blueprint GitHub repository

The AI Platform Notebook security blueprints repository on GitHub, based on the guide, has resources and artifacts that can help you securely handle confidential data.

Cloud Foundation Toolkit deployable assets

The Cloud Foundation Toolkit provides a comprehensive set of production-ready resource templates that follow Google's best practices.

Anthos security blueprints GitHub repository

The Anthos security blueprints repository on GitHub has resources and artifacts that show you how to achieve a set of security postures when you create or migrate workloads that use Anthos clusters.

Secure serverless blueprints

Get opinionated guidance for DevOps engineers, security architects, and application developers on how to help protect serverless applications that use Cloud Run or Cloud Functions (2nd gen).

Deployable blueprints for industries

Government: FedRAMP-aligned workload blueprint

The solution guide and accompanying templates provide a reference architecture, leading practices, and recommendations for setting up a FedRAMP-aligned three-tier workload on Google Cloud.

Retail: PCI on GKE security blueprint

This blueprint enables you to quickly and easily deploy workloads on GKE that align with the Payment Card Industry Data Security Standard (PCI DSS) in a repeatable, supported, and secure way.

Security whitepapers and references

In-depth information about how Google Cloud’s infrastructure and services are designed, built, and operated with security in mind, as well as how Google Cloud can help you on your security transformation journey. 

Security transformation resources

CISO’s guide to cloud security transformation

Our whitepaper shares our thinking, based on our experiences of working with CISOs and their teams at our customers, on how best to drive security transformation with a move to the cloud.

Strengthening operational resilience for FinServ

Read about how financial services firms can leverage Google Cloud capabilities and solutions to manage operational risks and help ensure operational resilience.

Building secure and reliable systems

In this book, experts from Google share best practices to help your organization design scalable and reliable systems that are fundamentally secure.

Risk governance of digital transformation

Our whitepaper serves as a guide for risk, compliance, and audit teams on how to manage risk governance in your digital transformation journey to the cloud.

Google Cloud security whitepapers

Google security

This paper provides an overview of Google's approach to security and compliance for Google Cloud. It includes details on organizational and technical controls for data protection.

Google Workspace security

Learn more about Google’s approach to security and compliance for Google Workspace, our cloud-based productivity suite. This paper discusses Google Workspace's privacy and security-focused culture, encryption practices, and more.

Google infrastructure security design overview

Overview of how security is designed into Google's technical infrastructure. Covers physical security of our data centers, how the hardware and software that underlie the infrastructure are secured, and technical constraints and processes in place to support operational security.

Encryption at rest

This paper describes Google's approach to encryption at rest for Google Cloud, and how Google uses it to keep your information more secure.

Encryption in transit

Google Cloud automatically encrypts your data in transit outside of physical boundaries not controlled by Google. Learn more about how we use encryption in transit to keep your data secure.

Google Workspace encryption

A central part of Google Workspace's comprehensive security strategy is encryption. In this paper, you'll learn about Google Workspace's approach to encryption and how it keeps your sensitive information safe.

Cloud Key Management deep dive

Learn more about how Cloud KMS lets Google Cloud customers manage cryptographic keys in a central cloud service.

BeyondProd: New approach to cloud-native security

Read how Google protects its microservices with an initiative called BeyondProd. This protection includes how code is changed and how user data in microservices is accessed. 

Binary Authorization for Borg

Learn more about Binary Authorization for Borg: an internal deploy-time enforcement check that minimizes insider risk by ensuring that production software and configuration deployed at Google is properly reviewed and authorized, particularly if that code has the ability to access user data.

BeyondCorp: A new approach to enterprise security

BeyondCorp is Google's implementation of the zero trust security model that builds upon eight years of building zero trust networks at Google, combined with ideas and best practices from the community.

Privileged access management in Google Cloud

This paper provides a deep dive into Google Cloud's privileged access philosophy, how customer data is protected, and what tools customers have to monitor and control Google's access to data.

Learning resources

Explore Google Cloud and third-party resources to further your knowledge of security best practices.

Google Cloud security showcase

The security showcase video series lays out top security use cases that customers can solve with Google Cloud.

Cloud Security Podcast

Google Cloud security experts talk with the industry's leaders on a variety of cloud security topics.

Google Cloud CIS Benchmarks™

CIS Benchmarks are consensus-based, best-practice security configuration guides developed and accepted by government, business, industry, and academia. This site provides CIS Benchmarks specific to Google Cloud.

Google Cloud MITRE ATT&CK®

MITRE ATT&CK® is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. This site provides the MITRE ATT&CK® Matrix for Google Cloud.

Professional Cloud Security Certification

Learn how to become a Professional Cloud Security Engineer. Gain an understanding of security best practices and industry security requirements.

Coursera: Google Cloud Security

This self-paced training gives a broad study of security controls, best practices, and techniques on Google Cloud.

Security Summit 2022 recordings

Watch the full May 2022 Google Cloud Security Summit—keynote, demo, and session recordings—to learn from Google experts and customers about security and compliance capabilities across our product portfolio.

Security sessions from Next ’22

Watch the security track sessions from Google Cloud Next ’22 to learn from Google experts and customers about security and compliance capabilities across our product portfolio.