This is a comprehensive list of Google Cloud Platform’s (GCP) primary security controls and services, categorized by their function within the cloud architecture.
Google Cloud operates under a "Shared Responsibility Model." Google secures the infrastructure "of" the cloud (underlying hardware, data centers, fiber network), while these controls are the tools customers use to secure their data and applications "in" the cloud.
These controls form the primary security perimeter in GCP, managing "who" (identity) can do "what" (roles/permissions) on "which" resource.
Cloud IAM: The core service for managing access control. It uses:
Identities: Users (Google Accounts), Groups, Service Accounts, and Domains.
Roles: Collections of permissions (Primitive, Predefined, Custom).
Policies: Bind roles to identities on specific resources.
Service Accounts: Special identities used by applications or workloads (not humans) to make authorized API calls. Secure management of service account keys is a critical control.
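The identity / role / resource model described above, worked through in a small evaluator. This is an added example, not Google's code: roles are sets of permissions, policies bind roles to members on a resource, and a resource inherits the bindings of its ancestors (organization, folder, project); every resource name, role, member and permission is constructed, and deny policies are not modelled.

```python
# Added example (not Google's code): a miniature model of the IAM "who / what / which"
# check. Roles are sets of permissions, policies bind roles to members on a resource,
# and a resource inherits the bindings of its ancestors (organization > folder > project).
# Every name, role and permission below is constructed for illustration.
from typing import Dict, List, Optional, Set, Tuple

# Role -> permissions (a small constructed subset; real predefined roles carry many more).
ROLES: Dict[str, Set[str]] = {
    "roles/viewer": {"storage.objects.get", "compute.instances.get"},
    "roles/storage.objectAdmin": {"storage.objects.get", "storage.objects.create",
                                  "storage.objects.delete"},
    "roles/custom.keyRotator": {"cloudkms.cryptoKeys.get", "cloudkms.cryptoKeyVersions.create"},
}

# Resource -> parent resource; None marks the organization root.
HIERARCHY: Dict[str, Optional[str]] = {
    "organizations/123": None,
    "folders/prod": "organizations/123",
    "projects/payments": "folders/prod",
    "projects/sandbox": "organizations/123",
}

# IAM policies: resource -> list of (role, members) bindings.
POLICIES: Dict[str, List[Tuple[str, Set[str]]]] = {
    "organizations/123": [("roles/viewer", {"group:sec-auditors@example.com"})],
    "folders/prod": [("roles/custom.keyRotator",
                      {"serviceAccount:rotator@payments.iam.gserviceaccount.com"})],
    "projects/payments": [("roles/storage.objectAdmin", {"user:alice@example.com"})],
}

def effective_roles(member: str, resource: str, groups: Set[str] = frozenset()) -> Set[str]:
    """Roles bound to the member (or one of its groups) on the resource or any ancestor."""
    principals = {member} | set(groups)
    roles: Set[str] = set()
    node: Optional[str] = resource
    while node is not None:
        for role, members in POLICIES.get(node, []):
            if principals & members:
                roles.add(role)
        node = HIERARCHY.get(node)  # walk up: project -> folder -> organization -> None
    return roles

def is_allowed(member: str, permission: str, resource: str, groups: Set[str] = frozenset()) -> bool:
    """True if any effective role on the resource carries the permission (no deny policies here)."""
    return any(permission in ROLES.get(role, set())
               for role in effective_roles(member, resource, groups))
```

The sandbox project sits directly under the organization, so the folder-level key-rotator binding never reaches it, while the organization-level auditor binding reaches every project.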
Identity-Aware Proxy (IAP): A critical component of Google’s Zero Trust approach (BeyondCorp). It controls access to web applications and VMs running on GCP based on user identity and context (like device state or location), rather than relying on network perimeter firewalls.
Cloud Identity: An Identity as a Service (IDaaS) solution used to manage users, groups, and security settings (like MFA and single sign-on) centrally, even if they don't use GCP resources.
Organization Policy Service: Provides centralized, programmatic control over the organization's cloud resources. It allows administrators to enforce constraints across the entire project structure (e.g., "Disable external IP addresses on VMs," "Restrict resource usage to specific regions").
Titan Security Keys: FIDO2-compliant physical hardware keys supported by Google, providing the strongest form of Multi-Factor Authentication (MFA) and preventing phishing and account takeover.
These controls protect the GCP network infrastructure, isolate workloads, and manage traffic flow, largely relying on Google’s specialized Andromeda network virtualization stack.
Virtual Private Cloud (VPC): Provides isolated, private network environments for GCP resources.
VPC Firewall Rules: Stateful, distributed firewall rules that control ingress and egress traffic to and from VM instances based on protocol, port, and IP address.
Hierarchical Firewall Policies: Allow organizational administrators to create and enforce consistent firewall rules across multiple projects within the organization hierarchy.
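How the two layers above combine when a packet is evaluated, as an added example (not Google's code): hierarchical policies at the organization and folder level are evaluated before the VPC's own firewall rules, rules within a level are tried in ascending priority order, the first match decides, and a policy rule may defer to the next level with "goto_next". Targets (network tags, service accounts) are omitted from the model; every rule and address range is constructed.

```python
# Added example (not Google's code): how a packet is matched against hierarchical firewall
# policies and VPC firewall rules. Hierarchical policies (organization, then folder) are
# evaluated before the VPC's own rules; within a level, lower priority numbers are tried
# first and the first match decides, except "goto_next", which defers to the next level.
# Targets (tags, service accounts) are left out of this model; all rules are constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List

@dataclass
class Rule:
    priority: int                       # 0..65535, lower = evaluated first
    direction: str                      # "INGRESS" or "EGRESS"
    action: str                         # "allow", "deny" or "goto_next" (policies only)
    protocol: str = "all"               # "tcp", "udp", "icmp" or "all"
    ports: List[int] = field(default_factory=list)                    # empty = any port
    ranges: List[str] = field(default_factory=lambda: ["0.0.0.0/0"])  # peer CIDRs

    def matches(self, direction: str, proto: str, port: int, peer_ip: str) -> bool:
        if direction != self.direction or self.protocol not in ("all", proto):
            return False
        if self.ports and port not in self.ports:
            return False
        return any(ip_address(peer_ip) in ip_network(r) for r in self.ranges)

def evaluate(levels: List[List[Rule]], direction: str, proto: str, port: int, peer_ip: str) -> str:
    """levels = [org policy, folder policy, VPC rules] in evaluation order; returns allow/deny.
    If nothing matches anywhere, the implied VPC rules apply: ingress deny, egress allow."""
    for rules in levels:
        for rule in sorted(rules, key=lambda r: r.priority):
            if rule.matches(direction, proto, port, peer_ip):
                if rule.action == "goto_next":
                    break                   # hand the decision to the next level
                return rule.action
    return "allow" if direction == "EGRESS" else "deny"

# Constructed org policy: SSH only from the corporate range (TEST-NET-3); SSH/RDP denied otherwise.
ORG_POLICY = [
    Rule(900, "INGRESS", "allow", "tcp", [22], ["203.0.113.0/24"]),
    Rule(1000, "INGRESS", "deny", "tcp", [22, 3389]),
]
FOLDER_POLICY: List[Rule] = []
# Constructed VPC rules: a project admin opened SSH and HTTPS to the world.
VPC_RULES = [
    Rule(1000, "INGRESS", "allow", "tcp", [22]),
    Rule(1000, "INGRESS", "allow", "tcp", [443]),
]
LEVELS = [ORG_POLICY, FOLDER_POLICY, VPC_RULES]
```

The project-level "allow SSH from anywhere" rule never gets a say for internet sources, because the organization policy already denied the packet one level up.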
Cloud Armor: Google’s Web Application Firewall (WAF) and Distributed Denial of Service (DDoS) protection service. It works with Cloud Load Balancing to protect applications from OWASP Top 10 risks, malicious bots, and volumetric attacks.
VPC Service Controls: Defines a security perimeter around sensitive data in Google managed services (like Cloud Storage, BigQuery). It prevents data exfiltration by restricting access to those services from outside the perimeter, even if IAM permissions allow it.
Cloud NAT (Network Address Translation): Allows VM instances without public IP addresses to reach the internet (for example, for updates or validation) while preventing internet hosts from initiating connections to those VMs.
Cloud DNS Security (DNSSEC): Protects your DNS domain from spoofing and cache poisoning attacks.
These controls focus on data security at rest (storage), in transit (network), and increasingly, in use (compute).
Encryption and Key Management
Encryption by Default: Google Cloud encrypts customer data at rest and in transit by default using Google-managed keys.
Cloud Key Management Service (Cloud KMS): A managed service that allows customers to generate, use, rotate, and destroy cryptographic keys. These keys can be used to encrypt data in other GCP services.
Customer-Managed Encryption Keys (CMEK): Allows customers to use their own keys generated in Cloud KMS to protect data in supported GCP services (e.g., Cloud Storage, Compute Engine disks).
Cloud Hardware Security Module (Cloud HSM): A cloud-hosted HSM service that allows customers to host encryption keys and perform cryptographic operations in FIPS 140-2 Level 3 certified hardware.
External Key Manager (EKM): Allows customers to maintain encryption keys within their own on-premises or third-party key management system, while granting GCP services permission to use those keys to encrypt data.
Data Governance and Isolation
Sensitive Data Protection (formerly Cloud DLP): A service to discover, classify, and redact sensitive data (like PII, credit card numbers) within text, images, and storage repositories (BigQuery, Cloud Storage).
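The discover / classify / redact loop on free text, as an added example (not the service's own code): each infoType is a pattern, the CREDIT_CARD_NUMBER match is additionally validated with the Luhn checksum so that other digit runs (order ids, phone numbers) are not redacted, and findings are replaced by their infoType name. The infoType names follow the service's naming; the sample text is constructed.

```python
# Added example (not Google's Sensitive Data Protection code): discover, classify and
# redact sensitive data in text. Each infoType is a regex; CREDIT_CARD_NUMBER is also
# checked with the Luhn checksum to cut false positives on arbitrary digit runs.
import re
from typing import Dict, List, Tuple

DETECTORS: Dict[str, re.Pattern] = {
    "CREDIT_CARD_NUMBER": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),   # 13-19 digits, optional separators
    "EMAIL_ADDRESS": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: from the right, double every second digit (minus 9 if > 9); sum % 10 == 0."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def inspect(text: str) -> List[Tuple[str, str]]:
    """Findings as (infoType, matched value), in detector order."""
    findings: List[Tuple[str, str]] = []
    for info_type, pattern in DETECTORS.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            if info_type == "CREDIT_CARD_NUMBER" and not luhn_ok(re.sub(r"\D", "", value)):
                continue    # right shape, wrong checksum: almost certainly not a card number
            findings.append((info_type, value))
    return findings

def redact(text: str) -> str:
    """Replace every finding with its infoType name, as a redaction transform would."""
    for info_type, value in inspect(text):
        text = text.replace(value, f"[{info_type}]")
    return text

# Constructed sample: one valid test card number and one digit run that fails Luhn.
SAMPLE = ("Customer alice@example.com paid with card 4111 1111 1111 1111; "
          "order ref 4111 1111 1111 1112.")
```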
Confidential Computing: Encrypts data in use (while it's being processed in RAM). This protects sensitive workloads from exposure to the underlying infrastructure or cloud providers.
These controls are designed to protect compute instances, containers, and serverless environments.
Security Command Center (SCC): A centralized security and risk management platform for GCP. It provides:
Security Health Analytics: Identifies misconfigurations in GCP resources (e.g., open firewall ports, public storage buckets).
Event Threat Detection: Monitors logs (Cloud Audit Logs, VPC Flow Logs) for malicious activity using threat intelligence.
Container Threat Detection: Detects suspicious behavior within GKE clusters.
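Three detection rules of the kind Event Threat Detection runs over Cloud Audit Logs, as an added example (not Google's detection logic): a high-risk role granted to a principal outside the organization's domain, a resource made public via allUsers or allAuthenticatedUsers, and a user-managed service account key being created. The rules read the fields Admin Activity audit entries carry for IAM changes (protoPayload.methodName, protoPayload.authenticationInfo.principalEmail and, for policy changes, protoPayload.serviceData.policyDelta.bindingDeltas); the log lines and the organization domain are constructed.

```python
# Added example (not Google's Event Threat Detection code): three detection rules applied to
# Cloud Audit Log entries, using the fields Admin Activity logs record for IAM changes:
# protoPayload.methodName, protoPayload.authenticationInfo.principalEmail and, for policy
# changes, protoPayload.serviceData.policyDelta.bindingDeltas. Log lines are constructed.
import json
from typing import Dict, List, Optional

ORG_DOMAIN = "example.com"     # constructed: principals outside this domain count as external
HIGH_RISK_ROLES = {"roles/owner", "roles/editor", "roles/iam.securityAdmin"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

def binding_deltas(entry: Dict) -> List[Dict]:
    """Binding changes recorded for an IAM policy change (empty for any other method)."""
    payload = entry.get("protoPayload", {})
    return payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])

def detect(entry: Dict) -> Optional[str]:
    """Return a finding string for a suspicious entry, or None for benign activity."""
    payload = entry.get("protoPayload", {})
    method = payload.get("methodName", "")
    actor = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
    if method.endswith("CreateServiceAccountKey"):      # long-lived credential minted
        return f"USER_MANAGED_SA_KEY_CREATED by {actor}"
    for delta in binding_deltas(entry):
        if delta.get("action") != "ADD":
            continue                                     # removals are not escalations
        role, member = delta["role"], delta["member"]
        if member in PUBLIC_MEMBERS:
            return f"RESOURCE_MADE_PUBLIC by {actor}: {role} to {member}"
        if role in HIGH_RISK_ROLES and not member.endswith("@" + ORG_DOMAIN):
            return f"EXTERNAL_MEMBER_GRANTED_HIGH_RISK_ROLE by {actor}: {role} to {member}"
    return None

def scan(log_lines: List[str]) -> List[str]:
    """Run detect() over a JSON-lines log export and keep the findings."""
    return [f for f in (detect(json.loads(line)) for line in log_lines) if f]

# Constructed log lines (fields trimmed to those the rules read).
SAMPLE_LOG = [
    '{"protoPayload": {"serviceName": "cloudresourcemanager.googleapis.com", "methodName": "SetIamPolicy", "authenticationInfo": {"principalEmail": "alice@example.com"}, "serviceData": {"policyDelta": {"bindingDeltas": [{"action": "ADD", "role": "roles/owner", "member": "user:mallory@gmail.com"}]}}}}',
    '{"protoPayload": {"serviceName": "iam.googleapis.com", "methodName": "google.iam.admin.v1.CreateServiceAccountKey", "authenticationInfo": {"principalEmail": "bob@example.com"}}}',
    '{"protoPayload": {"serviceName": "storage.googleapis.com", "methodName": "storage.setIamPermissions", "authenticationInfo": {"principalEmail": "alice@example.com"}, "serviceData": {"policyDelta": {"bindingDeltas": [{"action": "ADD", "role": "roles/storage.objectViewer", "member": "allUsers"}]}}}}',
    '{"protoPayload": {"serviceName": "cloudresourcemanager.googleapis.com", "methodName": "SetIamPolicy", "authenticationInfo": {"principalEmail": "alice@example.com"}, "serviceData": {"policyDelta": {"bindingDeltas": [{"action": "ADD", "role": "roles/viewer", "member": "group:auditors@example.com"}]}}}}',
]
```

The fourth entry, a viewer grant to an internal group, produces no finding; the domain check is deliberately simple and would also flag service accounts from other projects, which a production rule would handle with an allow-list.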
Shielded VMs: Virtual machines with verifiable integrity, protecting against boot-level or kernel-level malware (rootkits). Features include Secure Boot, measured boot, and Virtual Trusted Platform Module (vTPM).
Binary Authorization: A deploy-time security control that ensures only trusted container images are deployed on Google Kubernetes Engine (GKE) or Cloud Run. It requires images to be signed by trusted authorities during the CI/CD pipeline.
GKE Sandbox: Provides an extra layer of isolation between container workloads and the host kernel on GKE, minimizing the impact of a container escape.
These controls provide visibility and auditing, and help ensure compliance, across the GCP environment.
Cloud Logging: Collects, stores, and analyzes log data from GCP services and resources. VPC Flow Logs (network traffic audit) and Cloud Audit Logs (API activity audit) are essential for security analysis.
Cloud Monitoring: Provides visibility into the performance, uptime, and overall health of cloud-powered applications. It can be used to set alerts on security-related metrics.
Chronicle (SIEM): A cloud-native Security Information and Event Management (SIEM) platform (now part of Google Cloud Security) that ingests massive amounts of security telemetry and normalizes it for rapid detection and investigation.