The concepts in this chapter don’t appear in the exam and are not part of the exam blueprint. As a Google Cloud security professional who will be responsible for securing enterprise workloads and making them compliant, it’s important that you gain a sound understanding of how Google secures its infrastructure. As a security practitioner myself, I have seen many customers who like to understand aspects such as how the underlying infrastructure is secured, how the hypervisor is secured, how Google achieves multi-tenancy, and which compliance objectives are and are not met. To be able to advise your customers or internal teams, it’s essential to know about these topics.

Google Cloud provides a very comprehensive set of security documentation on these topics and it’s highly recommended that you take the time to read them. This chapter is a summary of some of the key topics that you must know. There are links at the end of...

Google offers a range of services on its cloud platform, including traditional Infrastructure as a Service (IaaS) services such as Google Compute Engine, Platform as a Service (PaaS) services such as managed databases, and also Software as a Service (SaaS). Besides these, Google Cloud offers a rich set of security products and services that customers can use to secure their workloads on Google Cloud. Broadly, when we talk about security on the cloud, we divide it into two parts: security of the cloud and security in the cloud. These are standard industry terms, where security of the cloud refers to what the cloud service provider is responsible for and security in the cloud is about the customer having the responsibility to use security products and services offered natively in the cloud or third-party products. As shown in Figure 2.2, the boundaries of responsibility between the customer and the cloud provider change based on the services selected. If...

Google’s approach to security by design is to ensure that multiple technology stacks are deployed to secure the infrastructure, identities, services, and users. Figure 2.3 highlights the different layers of security that are built into the Google Cloud infrastructure.

Figure 2.3 – Google defense in depth

In this section, we will cover the key concepts, from operational security to physical security, that Google uses to deliver true defense in depth and at scale.

Operational security

Google’s operational security covers aspects such as how Google deploys software services, secures devices and credentials, addresses insider threats, and manages intrusion detection. Let’s look at each of these concepts briefly.

In order to securely deploy software services, Google has a secure central control and conducts two-way reviews. Furthermore, Google also provides libraries that prevent developers from introducing...

The reason for covering threat and vulnerability management at this point is that the components that form this domain, such as vulnerabilities, malware protection, incident response, and security monitoring, are key for customers adopting the cloud. Questions relating to how a cloud service provider manages threats and vulnerabilities are some of the top concerns of customers. Therefore, as security practitioners and engineers, it’s important to understand and be able to articulate how Google Cloud provides capabilities to manage threats and vulnerabilities.

As part of its vulnerability management program, to keep its infrastructure secure from cyber threats, Google has technological controls, techniques, and processes to address a multitude of attack vectors. Google actively scans for security-related threats and has manual and automated penetration testing, security assurance programs, and a very mature software security system that...

In this chapter, we gave an overview of Google Cloud’s core security infrastructure. We looked at how Google secures and makes its infrastructure compliant, and we covered what the shared security responsibility model and shared fate on Google Cloud are. Next, we looked at some security by design building blocks, covering operational security, data security, service and identity, and low-level security controls, such as physical security and boot stack security. Finally, we learned about threat and vulnerability management and how Google Cloud runs its malware protection, vulnerability management, security monitoring, and incident response.

In the next chapter, we will look at trust and compliance, which is an extension of the core security and compliance infrastructure of Google Cloud.

For more information on Google Cloud security, read the following whitepapers:

• Google security whitepaper: https://packt.link/uQ9Oq
• Google Infrastructure Security Design Overview: https://packt.link/Bf8JM
• Trusting your data with Google Cloud: https://packt.link/4hV6r
• Data incident response process: https://packt.link/zKPNf
• Encryption in transit: https://packt.link/PPPxJ