The Security, Privacy and Compliance pillar in theGoogle Cloud Well-Architected Framework provides recommendations to help you design, deploy, and operate cloud workloadsthat meet your requirements for security, privacy, and compliance.

This document is designed to offer valuable insights and meet the needs of arange of security professionals and engineers. The following table describesthe intended audiences for this document:

To ensure that your Google Cloud workloads meet your security, privacy,and compliance requirements, all of the stakeholders in your organization mustadopt a collaborative approach. In addition, you must recognize that cloudsecurity is a shared responsibility between you and Google. For moreinformation, seeShared responsibilities and shared fate on Google Cloud.

The recommendations in this pillar are grouped into core security principles.Each principle-based recommendation is mapped to one or more of thefocus areas of cloud security that might be critical to your organization. Eachrecommendation highlights guidance about the use and configuration ofGoogle Cloud products and capabilities to help improve your organization'ssecurity posture.

Core principles

The recommendations in this pillar are grouped within the following coreprinciples of security. Every principle in this pillar is important. Dependingon the requirements of your organization and workload, you might choose toprioritize certain principles.

• Implement security by design:Integrate cloud security and network security considerations starting fromthe initial design phase of your applications and infrastructure.Google Cloud provides architecture blueprints and recommendations tohelp you apply this principle.
• Implement zero trust:Use anever trust, always verify approach, where access to resources isgranted based on continuous verification of trust. Google Cloudsupports this principle through products like Chrome Enterprise Premium andIdentity-Aware Proxy (IAP).
• Implement shift-left security:Implement security controls early in the software development lifecycle.Avoid security defects before system changes are made. Detect and fixsecurity bugs early, fast, and reliably after the system changes arecommitted. Google Cloud supports this principle through products likeCloud Build, Binary Authorization, and Artifact Registry.
• Implement preemptive cyber defense:Adopt a proactive approach to security by implementing robust fundamentalmeasures like threat intelligence. This approach helps you build afoundation for more effective threat detection and response.Google Cloud'sapproach to layered security controls aligns with this principle.
• Use AI securely and responsibly:Develop and deploy AI systems in a responsible and secure manner. Therecommendations for this principle are aligned with guidance in theAI and ML perspective of the Well-Architected Framework and in Google'sSecure AI Framework (SAIF).
• Use AI for security:Use AI capabilities to improve your existing security systems and processesthroughGemini in Security and overall platform-security capabilities. Use AI as a tool to increasethe automation of remedial work and ensure security hygiene to make othersystems more secure.
• Meet regulatory, compliance, and privacy needs:Adhere to industry-specific regulations, compliance standards, and privacyrequirements. Google Cloud helps you meet these obligations throughproducts like Assured Workloads, Organization Policy Service, and ourcompliance resource center.

Organizational security mindset

A security-focused organizational mindset is crucial for successful cloudadoption and operation. This mindset should be deeply ingrained in yourorganization's culture and reflected in its practices, which are guided by coresecurity principles as described earlier.

An organizational security mindset emphasizes that you think about securityduring system design, assume zero trust, and integrate security featuresthroughout your development process. In this mindset, you also think proactivelyabout cyber-defense measures, use AI securely and for security, and consideryour regulatory, privacy, and compliance requirements. By embracing theseprinciples, your organization can cultivate a security-first culture thatproactively addresses threats, protects valuable assets, and helps to ensureresponsible technology usage.

Focus areas of cloud security

This section describes the areas for you to focus on when you plan,implement, and manage security for your applications, systems, and data. Therecommendations in each principle of this pillar are relevant to one or more ofthese focus areas. Throughout the rest of this document, the recommendationsspecify the corresponding security focus areas to provide further clarity andcontext.

Contributors

Authors:

• Wade Holmes | Global Solutions Director
• Hector Diaz | Cloud Security Architect
• Carlos Leonardo Rosario | Google Cloud Security Specialist
• John Bacon | Partner Solutions Architect
• Sachin Kalra | Global Security Solution Manager

Other contributors:

• Anton Chuvakin | Security Advisor, Office of the CISO
• Daniel Lees | Cloud Security Architect
• Filipe Gracio, PhD | Customer Engineer, AI/ML Specialist
• Gary Harmson | Principal Architect
• Gino Pelliccia | Principal Architect
• Jose Andrade | Customer Engineer, SRE Specialist
• Kumar Dhanagopal | Cross-Product Solution Developer
• Laura Hyatt | Customer Engineer, FSI
• Marwan Al Shawi | Partner Customer Engineer
• Nicolas Pintaux | Customer Engineer, Application Modernization Specialist
• Noah McDonald | Cloud Security Consultant
• Osvaldo Costa | Networking Specialist Customer Engineer
• Radhika Kanakam | Program Lead, Google Cloud Well-Architected Framework
• Samantha He | Technical Writer
• Susan Wu | Outbound Product Manager