Data protection and compliance

Google Cloud’s security model, world-scale infrastructure, and unique capability to innovate will help keep your organization secure and compliant. As a part of our commitment to transparency and privacy, we provide an insider view of Google Cloud’s security, risk, and compliance practices.

Encryption at rest

Encryption of data stored on a disk or backup both at the storage device and storage system layers: Google Cloud is the first major cloud provider to do this by default.

Deployment integrity

Helping to ensure code and configurations deployed to Google Cloud’s production environment are properly reviewed and authorized.

Privileged access

Management of Google Cloud personnel access to view or modify the customer data stored in Google Cloud.

Compliance

Auditing Google Cloud services regularly to help ensure compliance with regulatory requirements, frameworks, and guidelines.

Details

Last modified: May 21, 2020

Encryption at rest

Encryption at rest refers to the encryption of data stored on a disk or backup. Google Cloud is the first major cloud provider to provide encryption at rest by default, using a multilayered approach that includes encryption both at the storage-device level and at the storage-system level.

Why it’s important

Encryption at rest protects data from being disclosed to unauthorized individuals and systems when stored in a public cloud. While many cloud providers have storage-device level encryption which protects your data in the case of a physical compromise, Google Cloud provides storage-system level encryption as well. It allows Google Cloud to perform operational tasks such as backing up your data without Google Cloud engineers or support teams being able to access the content.

How Google Cloud implements it

Google uses several layers of encryption to protect customer data at rest in Google Cloud products.

Data for storage is split into chunks, and each chunk is encrypted with a unique data encryption key. These data encryption keys are stored with the data, encrypted with ("wrapped" by) key encryption keys that are exclusively stored and used inside Google's central Key Management Service. Google's Key Management Service is redundant and globally distributed. Data stored in Google Cloud is encrypted at the storage level using either AES256 or AES128.
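The chunk-and-wrap scheme described above, as an added Node.js example (not Google's code and not Tink). `ToyKms`, `encryptObject` and `decryptObject` are hypothetical names, the key service is simulated in-process, and AES-256-GCM is an assumed mode, since the page names only the key sizes.

```javascript
const crypto = require("node:crypto");

// AES-256-GCM (assumed mode); box layout is nonce(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, nonce);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}

// Throws if the key is wrong or any byte of the box was modified.
function open(key, box) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, box.subarray(0, 12));
  d.setAuthTag(box.subarray(12, 28));
  return Buffer.concat([d.update(box.subarray(28)), d.final()]);
}

// Hypothetical stand-in for the key service: the KEK never leaves this object.
class ToyKms {
  #kek = crypto.randomBytes(32);
  wrap(dek) { return seal(this.#kek, dek); }
  unwrap(wrapped) { return open(this.#kek, wrapped); }
}

// Split data into chunks; each gets a fresh DEK, stored wrapped beside it.
function encryptObject(kms, data, chunkSize) {
  const chunks = [];
  for (let off = 0; off < data.length; off += chunkSize) {
    const dek = crypto.randomBytes(32);
    const piece = data.subarray(off, off + chunkSize);
    chunks.push({ wrappedDek: kms.wrap(dek), ciphertext: seal(dek, piece) });
  }
  return chunks;
}

// Reading a chunk needs a KMS call to unwrap its DEK first.
function decryptObject(kms, chunks) {
  const parts = chunks.map((c) => open(kms.unwrap(c.wrappedDek), c.ciphertext));
  return Buffer.concat(parts);
}

// Constructed sample input, split into 16-byte chunks.
function demo() {
  const kms = new ToyKms();
  const stored = encryptObject(kms, Buffer.from("constructed sample record"), 16);
  return { chunks: stored.length, text: decryptObject(kms, stored).toString() };
}
console.log(demo());
```

Anyone holding only the stored chunks has ciphertext and wrapped keys but no way to unwrap them, and a wrapped DEK moved onto another chunk fails authentication.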

Google uses a common cryptographic library, Tink, to implement encryption consistently across almost all Google Cloud products. Because this common library is widely accessible, only a small team of cryptographers needs to properly implement and maintain this tightly controlled and reviewed code.

For more information, read the Encryption at Rest in Google Cloud Platform whitepaper.

Product suite

Cloud Storage

Fact

Our encryption practices are audited at least annually by external auditors. View our SOC 2 Audit report for additional details on encryption at rest for Google Cloud.

Privileged access

The proper management of privileged access within an organization can help prevent accidental disclosure of sensitive data and minimize the risk of an unauthorized user accessing this data.

Why it’s important

When storing your data in a public cloud, it is important not only to implement proper access management for your personnel but also to understand how the cloud provider ensures your data is only accessed for legitimate business purposes by their employees. The cloud provider should only access this data at the instruction of the customer, to ensure the operation of the service or to comply with a legal obligation.

How Google Cloud implements it

In addition to encryption, Google Cloud uses a combination of strong identities for individuals and service accounts, ACL systems, and an internal control similar to Binary Authorization to ensure that access to customer data is valid. For access to data stored in Access Transparency integrated services, additional technical controls are in place to ensure that a log of the business justification for each access is created. These accesses are monitored and audited regularly.

Learn more about minimizing insider risk in this video presentation.

Fact

In some cases, Google personnel will access customer data predominantly as a result of customer-initiated events such as contacting customer support or reporting abuse on public G Suite documents. For Access Transparency–enabled services we tell you when Google Cloud personnel touch your customer data.

Deployment integrity

Deployment integrity refers to Google Cloud’s ability to ensure that code and configurations deployed to its production environment that interact with customer data are properly reviewed and authorized. Binary Authorization for Borg, or BinAuthz, is an internal deploy-time enforcement check that production software and configuration deployed at Google Cloud is properly reviewed and authorized, particularly if that code has the ability to access user data.

Why it’s important

BinAuthz ensures that code and configuration deployments meet certain minimum standards. It can also be used in a non-enforcing auditing mode to warn when certain requirements are not met. Adopting BinAuthz helps Google Cloud reduce insider risk, prevent possible attacks, and support the uniformity of Google Cloud’s production systems. While privileged access management focuses on ensuring all access to data by individuals is authorized, deployment integrity ensures that programmatic access to data is authorized. This verification ensures that every programmatic access to customer data and change to the production environment produces an audit trail.

How Google Cloud implements it

Our infrastructure is designed for highly scalable systems using a cluster management system called Borg. We run hundreds of thousands of jobs from many different applications, across multiple clusters, each with up to tens of thousands of machines. As a result, our production environment is fairly homogeneous, allowing touchpoints for access to user data to be more easily controlled and audited. BinAuthz provides a deploy-time enforcement service to help prevent unauthorized jobs from starting, as well as an audit trail of the code and configuration used in BinAuthz-enabled jobs.

Learn more in the Binary Authorization for Borg whitepaper.

Fact

Every Google Cloud service in Preview or GA requires Binary Authorization for Borg enabled on jobs with access to customer data.

Compliance offerings

Moving to the cloud means protecting sensitive workloads while achieving and maintaining compliance with complex regulatory requirements, frameworks, and guidelines; different regions and industries have varying requirements. These requirements can be mandated by a regulatory authority or may be created by reputable standards organizations, among others. Google Cloud supports customers globally across many industries and understands the importance of supporting compliance needs in order to help ensure customers are able to do business. Google Cloud regularly undergoes independent verification of its security, privacy, and compliance controls, achieving certifications, attestations of compliance, or audit reports against standards around the world. We’ve also created resource documents and mappings against frameworks and laws where formal certifications or attestations may not be required or applied.

See all compliance offerings

Why it’s important

We understand you need independent verification of our products’ security, privacy, and compliance controls, and our certifications, attestations of compliance, or audit reports against global standards help earn your trust. This means that an independent auditor has examined the controls present in our data centers, infrastructure, and operations. These certifications include the most widely recognized, internationally accepted independent security standards, including ISO/IEC 27001 for security controls, ISO/IEC 27017 for cloud security, and ISO/IEC 27018 for cloud privacy, as well as AICPA SOC 1, 2, and 3. These certifications help us meet the demands of industry standards such as CSA STAR and PCI-DSS, and many other regional standards as well. We continue to expand our list of compliance offerings globally to assist our customers with their compliance obligations.

How Google Cloud implements it

Our services regularly undergo independent verification of their security, privacy, and compliance controls, achieving certifications, attestations of compliance, or audit reports against standards around the world. Each year we evaluate the services approaching general availability (GA) to scope them into our major audit cycles.

For more details on how we comply with a specific compliance offering, visit the Compliance Reports Manager page to view our third-party audit reports for some of our major compliance frameworks.

Fact

100% of compliance offerings requiring formal attestation or certification are validated by an independent third party.

View our third-party audit reports