Cloud Security Best Practices within Google Cloud Platform

SADA Says | Cloud Computing Blog

By Simon Margolis | Associate CTO, AI & ML

While GCP is feature-rich and offers an array of functionality, much of what makes it such a compelling cloud solution its cloud security best practices. Application and data integration, collaboration ability among and between different groups of stakeholders, scalability, agility; GCP provides a better overall experience for its users than other solutions.

Setting the Standard for Cloud Security Best Practices

Cloud Security Part 3

Google is being used by more than 64 percent of the Fortune 500 for critical enterprise functionality and employs a team of more than 750 of the top cloud security experts on the planet. The combination helps make GCP a highly valuable, desirable solution for any organization that needs to ensure safe usage of their data and intellectual property.

What makes GCP interesting from a cloud security best practices standpoint is how Google organizes the utilization of cloud security best practices. Many vendors talk in terms of “wrappers” around their platform, as though their cloud were an impenetrable bubble. It’s surprising they do that because a bubble is probably the worst analogy for an enterprise cloud. A bubble pops when penetrated, while a cloud should judiciously, continuously, and proficiently welcome holes that enable information, applications, and users to benefit from its flexibility and agility to transact data. Those holes have to be secured, however, which GCP does by building a security structure according to its various layers.

Before we break down these layers, let’s consider what’s driving all of this in the first place. Cyber crime can lead to draconian results for organizations that get hacked. But know this first – hackers work a game of numbers, and they seek the path of least resistance. Once a hacker has a point of entry, the exploiting can begin. With that in mind, the right architecture for an enterprise cloud is one that enforces strict security guidelines across its entire surface area but remains flexible in how it’s used and managed.

Here’s how GCP applies cloud security best practices at its various layers, and what it means for enterprise customers:

Operational Security

Access to the physical locations of Google’s servers is strictly limited and managed as a critical priority. While many cloud vendors outsource the management of locations, Google has thought through, and applies, a multi-layered set of security safeguards to the buildings that host GCP’s servers.

Managed 24/7, and making use of biometric access, laser beam intrusion detection, perimeter fencing, on-premise access reviews, and other types of measures, Google embeds a security mindset across the entire physical representation of its cloud footprint. Here again, it may sound simple, but it’s an important component of GCP security, and it clearly works.

User Identity

Google treats identity as a way to manage the actors in the cloud. Some actors need access to only a small segment of data or to maybe a couple applications. Others are admins, while some have needs that change regularly. GCP uses OAuth tokens and ID credentials to authorize/deny access and integrates the functionality of customers’ multi-factor authentication (MFA) to support stricter access control.

GCP also uses their own identity tool, Google Cloud Identity and Access Management (Cloud IAM) to create and manage permissions for GCP assets and resources. Google has built Cloud IAM to unify different access tools into a single point of functionality so management is centralized, which gives it a better view and management ability for admins.

Web communication

Since so much is happening between and among different services, GCP ensures communication is secure at the transport layer, through secure TLS connection management and front-end controls to prevent DoS attacks. First off, Google owns their network, which means that communication and all digital traffic is done outside the public internet (with the exception of last-mile delivery). This enables Google to ensure secure delivery of communications, both in transit and at rest. It also applies to data that is contributed from third-parties.

Hardware infrastructure

Within Google’s hardware infrastructure are parameters that ensure the right layers “boot” when they need to in order to address the data and users who are accessing and transacting. With the use of crypto-hardware signatures, boot-loading, kernel, OS images, and BIOS, GCP maintains continuous protection within the entire hardware infrastructure that stores and maintains internal and third-party data. Google’s Titan chip establishes trust at the hardware root for all machines and assets in GCP. This is an additional layer to authenticate access for hardware handling your data.

Additionally, Google maintains tracking, analysis, and updates of all their hardware and infrastructure assets from deployment to destruction upon end-of-life. Baked into their cloud security best practices ethos is the notion that data and access must be managed for every component, at every stage of the footprint.

Application Layer

SADA has helped a variety of customers integrate third-party applications and APIs with Google applications to create robust, comprehensive systems. Because data among these apps can be sensitive, GCP maintains centralized app data management and enforces policies around access to certain apps. With personal public key certificates and multi-factor authentication, GCP maintains control and keeps a trail of usage to ensure compliance among those, and only those, who have legitimate access to applications at the application layer.

Services deployment

GCP operates according to a mindset that there is no inherent trust among services. This is precautionary and enables the platform to demand legitimate access to get into data repositories and to subsequently transact any information coming out of those repositories.

There’s flexibility for services used within GCP so that authenticated GCP accounts can access needed data, but to manipulate the data or perform any changes at the application layer would require much stricter requirements.

Google – Infrastructure Built on a Security Mindset

The GCP approach to security mirrors the way Google secures its own products and users. While very accessible and user-friendly, the Google style and mindset is embedded in GCP to give enterprise users a highly usable experience. The major purpose is to enable the sharing of information and allowing users to have a seamless experience with the data they need when they need it. Access is key to this idea, but with so many access points, Google has made the necessary moves to account for places where unintended holes might open up. Operating within the mindset of the various parts of the cloud landscape helps GCP provide an environment with rigorous protection for all customers.

Find out more button


Our expert teams of consultants, architects, and solutions engineers are ready to help with your bold ambitions, provide you with more information on our services, and answer your technical questions. Contact us today to get started.

Scroll to Top