Google security overview

This content was last updated in July 2024, and represents the status quo as of the time it was written. Google's security policies and systems may change going forward, as we continually improve protection for our customers.


Introduction

Traditionally, businesses have looked to the public cloud to save costs, experiment with new technology, and provide growth capacity. Increasingly, businesses are also looking to the public cloud for their security, realizing that cloud providers can invest more than the businesses can in technology, people, and processes to deliver a more secure infrastructure.

As a cloud innovator, Google understands security in the cloud. Our cloud services are designed to deliver better security than many on-premises approaches. We make security a priority in our operations—operations that serve users across the world.

Security drives our organizational structure, culture, training priorities, and hiring processes. It shapes the design of our data centers and the technology that they house. It's central to our everyday operations and disaster planning, including how we address threats. It's prioritized in the way we handle customer data, our account controls, our compliance audits, and our certifications.

This document describes our approach to security, privacy, and compliance for Google Cloud, which is our suite of public cloud products and services. The document focuses on the physical, administrative, and technical controls that we have deployed to help protect your data.

Google's security and privacy-focused culture

Google's culture stresses the importance of protecting the large volume of information that belongs to our customers. This culture influences our hiring processes and employee onboarding. We advance and reinforce data protection guidelines and technologies through ongoing training and events that are focused on security and privacy.

Our dedicated security team

Our dedicated security team includes some of the world's foremost experts in information security, application security, cryptography, and network security. This team maintains our defense systems, develops security review processes, builds security infrastructure, and implements our security policies. The team actively scans for security vulnerabilities using commercial and custom tools. The team also conducts penetration tests and performs quality assurance and security reviews.

Members of the security team review security plans for our networks and services, and they provide project-specific consulting services to our product and engineering teams. For example, our cryptography engineers review product launches that include cryptography implementations. The security team monitors for suspicious activity on our networks and addresses information security threats as needed. The team also performs routine security evaluations and audits, which can involve engaging outside experts to conduct regular security assessments.

Collaboration with the security research community

We have long enjoyed a close relationship with the security research community, and we greatly value their help with identifying potential vulnerabilities in Google Cloud and other Google products. Our security teams take part in research and outreach activities to benefit the online community. For example, we run Project Zero, which is a team of security researchers who are dedicated to researching zero-day vulnerabilities. Some examples of this research are the discovery of the Spectre exploit, the Meltdown exploit, the POODLE SSL 3.0 exploit, and cipher suite weaknesses.

Google's security engineers and researchers actively participate and publish in the academic security community and the privacy research community. They also organize and participate in open-source projects and academic conferences. Google's security teams have published an in-depth account of our practices and experience in the Building Secure and Reliable Systems book.

Our Vulnerability Reward Program offers rewards in the tens of thousands of dollars for each confirmed vulnerability. The program encourages researchers to report design and implementation issues that might put customer data at risk. In 2023, we awarded researchers over 10 million dollars in prize money. To help improve the security of open-source code, the Vulnerability Reward Program also provides a variety of initiatives to researchers. For more information about this program, including the rewards that we've given, see Bug Hunters Key Stats.

Our world-class cryptographers participate in industry-leading cryptography projects. For example, we designed the Secure AI Framework (SAIF) to help secure AI systems. In addition, to protect TLS connections against quantum computer attacks, we developed the combined elliptic-curve and post-quantum (CECPQ2) algorithm. Our cryptographers developed Tink, which is an open-source library of cryptographic APIs. We also use Tink in our internal products and services.

For more information about how you can report security issues, see How Google handles security vulnerabilities.

Internal security and privacy training

All Google employees undergo security and privacy training as part of the orientation process, and they receive ongoing security and privacy training throughout their Google careers. During orientation, new employees agree to our Code of Conduct, which highlights our commitment to keeping customer data safe and secure.

Depending on their job role, employees might be required to take additional training on specific aspects of security. For example, the information security team instructs new engineers on secure coding practices, product design, and automated vulnerability testing tools. Engineers attend regular security briefings and receive security newsletters that cover new threats, attack patterns, mitigation techniques, and more.

Security and privacy are an ever-changing area, and we recognize that dedicated employee engagement is a key means of raising awareness. We host regular internal conferences that are open to all employees to raise awareness and drive innovation in security and data privacy. We host events across global offices to raise awareness of security and privacy in software development, data handling, and policy enforcement.

Our dedicated privacy team

Our dedicated privacy team supports internal privacy initiatives that help improve critical processes, internal tools, products, and privacy infrastructure. The privacy team operates separately from product development and security organizations. They participate in Google product launches by reviewing design documentation and performing code reviews to ensure that privacy requirements are followed. The team helps release products that incorporate strong privacy standards around the collection of user data.

Our products are designed to provide users and administrators with meaningful privacy configuration options. After products are launched, the privacy team oversees ongoing automated processes to verify that data collected by the products is handled appropriately. In addition, the privacy team conducts research on privacy best practices for our emerging technologies. To understand how we stay committed to user data privacy and to compliance with applicable privacy regulations and laws, see our commitment to complying with data protection laws. For more information, see the Privacy Resource Center.

Internal audit and compliance specialists

We have a dedicated internal audit team that reviews our products' compliance with security laws and regulations around the world. As new auditing standards are created and existing standards are updated, the internal audit team determines what controls, processes, and systems are needed in order to help meet them. This team supports independent audits and assessments by third parties. For more information, see Support for compliance requirements later in this document.

Operational security

Security is an integral part of our cloud operations, not an afterthought. This section describes our vulnerability management programs, malware prevention program, security monitoring, and incident management programs.

Vulnerability management

Our internal vulnerability management process actively scans for security threats across technology stacks. This process uses a combination of commercial, open-source, and purpose-built in-house tools, and includes the following:

  • Quality assurance processes
  • Software security reviews
  • Intensive automated and manual penetration efforts, including extensive Red Team exercises
  • External audits

The vulnerability management organization and its partners are responsible for tracking and following up on vulnerabilities. Because security improves only after issues are fully addressed, automation pipelines continually reassess the state of patch deployment to mitigate vulnerabilities and flag incorrect or partial deployment.
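
The following sketch shows what a reassessment pass of the kind described above can look like: it separates unpatched, partial, and incorrect deployments instead of reporting a single "patched" flag. It is an added example, not Google's pipeline or code from this document; the advisory, fleet records, digests, and state names are all constructed assumptions.

```python
from collections import Counter

# Constructed advisory: package, first fixed version, digest of the approved
# build. None of these values come from a real product or bulletin.
ADVISORY = {
    "package": "libexample",
    "fixed_version": "2.4.10",
    "approved_digest": "sha256:constructed-approved-build",
}

# Constructed fleet snapshot. "installed" is the version on disk, "running"
# is the version the live process reports (None = process not running),
# "digest" identifies the installed build.
FLEET = [
    {"host": "web-1", "installed": "2.4.10", "running": "2.4.10",
     "digest": "sha256:constructed-approved-build"},
    {"host": "web-2", "installed": "2.4.10", "running": "2.4.9",
     "digest": "sha256:constructed-approved-build"},
    {"host": "web-3", "installed": "2.4.9", "running": "2.4.9",
     "digest": "sha256:constructed-old-build"},
    {"host": "web-4", "installed": "2.4.10", "running": "2.4.10",
     "digest": "sha256:constructed-unknown-build"},
    {"host": "db-1", "installed": None, "running": None, "digest": None},
]

FLAGGED_STATES = ("unpatched", "partial", "incorrect")


def parse_version(text):
    """Parse '2.4.10' into (2, 4, 10); string comparison would rank it below '2.4.9'."""
    return tuple(int(part) for part in text.split("."))


def assess_host(record, advisory):
    """Classify one host against one advisory.

    not_applicable: the package is not installed
    unpatched:      the version on disk is older than the fix
    incorrect:      the version looks fixed but the build is not the approved one
    partial:        fixed on disk, but the running process predates the fix
    patched:        approved fixed build on disk and nothing older in memory
    """
    if record["installed"] is None:
        return "not_applicable"
    fixed = parse_version(advisory["fixed_version"])
    if parse_version(record["installed"]) < fixed:
        return "unpatched"
    if record["digest"] != advisory["approved_digest"]:
        return "incorrect"
    if record["running"] is not None and parse_version(record["running"]) < fixed:
        return "partial"
    return "patched"


def reassess(fleet, advisory):
    """Re-evaluate the whole fleet and report what still needs follow-up."""
    states = {rec["host"]: assess_host(rec, advisory) for rec in fleet}
    counts = Counter(states.values())
    applicable = len(fleet) - counts["not_applicable"]
    return {
        "states": states,
        "flagged": sorted(h for h, s in states.items() if s in FLAGGED_STATES),
        # The rollout counts as complete only when every applicable host is patched.
        "complete": applicable > 0 and counts["patched"] == applicable,
        "coverage": counts["patched"] / applicable if applicable else None,
    }


if __name__ == "__main__":
    report = reassess(FLEET, ADVISORY)
    for host, state in report["states"].items():
        print(f"{host:6} {state}")
    print("flagged:", report["flagged"], "complete:", report["complete"])
```

Running the same function on every new snapshot is what makes the check a reassessment: a host that regresses or restarts into an old binary reappears in the flagged list.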

To help improve detection capabilities, the vulnerability management organization focuses on high-quality indicators that separate noise from signals that indicate real threats. The organization also fosters interaction with the industry and with the open-source community. For example, they run a Patch Reward Program for the Tsunami network security scanner, which rewards developers who create open-source detectors for vulnerabilities.

For more about vulnerabilities that we have mitigated, see Google Cloud security bulletins.

Malware prevention

Google maintains malware protections for our core products (like Gmail, Google Drive, Google Chrome, YouTube, Google Ads, and Google Search) that use a variety of malware detection techniques. To discover malware files proactively, we use web crawling, file detonation, custom static detection, dynamic detection, and machine-learning detection. We also use multiple antivirus engines.

To help protect our employees, we use the built-in advanced security capabilities of Chrome Enterprise Premium and the Enhanced Safe Browsing feature in Google Chrome. These capabilities enable proactive detection of phishing and malware sites as our employees browse the web. We also enable the most rigorous security settings that are available in Google Workspace, such as Gmail Security Sandbox, to proactively scan suspicious attachments. Logs from these capabilities feed into our security monitoring systems, as described in the following section.

Security monitoring

Our security monitoring program is focused on information that's gathered from internal network traffic, from employee actions on systems, and from outside knowledge of vulnerabilities. A core Google principle is to aggregate and store security telemetry data in one location for unified security analysis.

At many points across our global network, internal traffic is inspected for suspicious behavior, such as the presence of traffic that might indicate botnet connections. We use a combination of open-source and commercial tools to capture and parse traffic so that we can perform this analysis. A proprietary correlation system built on top of our technology also supports this analysis. We supplement network analysis by examining system logs to identify unusual behavior, such as attempts to access customer data.

Our security engineers review inbound security reports and monitor public mailing lists, blog posts, and wikis. Automated network analysis and automated analysis of system logs help determine when an unknown threat might exist; if the automated processes detect an issue, they escalate it to our security staff.

Incident management

We have a rigorous incident-management process for security events that might affect the confidentiality, integrity, or availability of systems or data. Our security incident-management program aligns with the NIST guidance on handling incidents (NIST SP 800-61). Key members of our staff are trained in forensics and in handling evidence in preparation for an event, including the use of third-party and proprietary tools.

We test incident response plans for key areas, such as systems that store customer data. These tests consider various scenarios, including insider threats and software vulnerabilities. To help ensure the swift resolution of security incidents, the Google security team is available 24/7 to all employees. If an incident impacts your data, Google or its partners inform you and our team investigates the incident. For more information about our data incident response process, see Data incident response process.

Technology with security at its core

Google Cloud runs on a technology platform that is designed and built to operate securely. We are an innovator in hardware, software, network, and system management technologies. We design our servers, our proprietary operating system, and our geographically distributed data centers. Using the principles of defense in depth, we've created an IT infrastructure that is more secure and easier to manage than more conventional technologies.

State-of-the-art data centers

Our focus on security and protection of data is among our primary design criteria. The physical security in Google data centers is a layered security model. Physical security includes safeguards like custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors, and biometrics. In addition, to detect and track intruders, we use security measures such as laser beam intrusion detection and 24/7 monitoring by high-resolution interior and exterior cameras. Access logs, activity records, and camera footage are available in case an incident occurs. Experienced security guards, who have undergone rigorous background checks and training, routinely patrol our data centers. As you get closer to the data center floor, security measures also increase. Access to the data center floor is only possible through a security corridor that implements multi-factor access control using security badges and biometrics. Only approved employees with specific roles may enter. Very few Google employees will ever gain access to one of our data centers.

Inside our data centers, we employ security controls in the physical-to-logical space, defined as "arm's length from a machine in a rack to the machine's runtime environment." These controls include hardware hardening, task-based access control, anomalous event detection, and system self-defense. For more information, see How Google protects the physical-to-logical space in a data center.

Powering our data centers

To keep things running 24/7 and provide uninterrupted services, our data centers have redundant power systems and environmental controls. Every critical component has a primary and alternate power source, each with equal power. Backup generators can provide enough emergency electrical power to run each data center at full capacity. Cooling systems maintain a constant operating temperature for servers and other hardware, which reduces the risk of service outages while minimizing environmental impact. Fire detection and suppression equipment help prevent damage to hardware. Heat detectors, fire detectors, and smoke detectors trigger audible and visible alarms at security operations consoles and at remote monitoring desks.

We are the first major internet services company to get external certification of our high environmental, workplace safety, and energy management standards throughout our data centers. For example, to demonstrate our commitment to energy management practices, we obtained voluntary ISO 50001 certifications for our data centers in Europe. For more information about how we reduce our environmental impact in Google Cloud, see Efficiency.

Custom server hardware and software

Our data centers have purpose-built servers and network equipment, some of which we design ourselves. While our servers are customized to maximize performance, cooling, and power efficiency, they are also designed to help protect against physical intrusion attacks. Unlike most commercially available hardware, our servers don't include unnecessary components such as video cards, chipsets, or peripheral connectors, all of which can introduce vulnerabilities. We vet component vendors and choose components with care, working with vendors to audit and validate the security properties that are provided by the components. We design custom chips, such as Titan, that help us securely identify and authenticate legitimate Google devices at the hardware level, including the code that these devices use to boot up.

Server resources are dynamically allocated. Dynamic allocation gives us flexibility for growth and lets us adapt quickly and efficiently to customer demand by adding or reallocating resources. This environment is maintained by proprietary software that continually monitors systems for binary-level modifications. Our automated, self-healing mechanisms are designed to enable us to monitor and remediate destabilizing events, receive notifications about incidents, and slow down potential compromises on the network.

Hardware tracking and disposal

We meticulously track the location and status of equipment within our data centers using barcodes and asset tags. We deploy metal detectors and video surveillance to help make sure that no equipment leaves the data center floor without authorization. If a component fails to pass a performance test at any point during its lifecycle, it's removed from inventory and retired.

Our storage devices, including hard drives, solid-state drives, and non-volatile dual inline memory modules (DIMMs), use technologies like full disk encryption (FDE) and drive locking to protect data at rest. When a storage device is retired, authorized individuals verify that the device is sanitized. They also perform a multiple-step verification process to ensure the device contains no data. If a device cannot be erased for any reason, it's physically destroyed. Physical destruction is performed using a shredder that breaks the device into small pieces, which are then recycled at a secure facility. Each data center adheres to a strict disposal policy and any variances are immediately addressed. For more information, see Data deletion on Google Cloud.

Software development practices

We proactively seek to limit the opportunities for vulnerabilities to be introduced by using source control protections and two-party reviews. We also provide libraries that prevent developers from introducing certain classes of security bugs. For example, we have libraries and frameworks that are designed to eliminate XSS vulnerabilities in web apps. We also have automated tools for automatically detecting security bugs; these tools include fuzzers, static analysis tools, and web security scanners.

For more information, see Safe software development.

Key security controls

Google Cloud services are designed to deliver better security than many on-premises solutions. This section describes the main security controls that we use to help protect your data.

Encryption

Encryption adds a layer of defense for protecting data. Encryption ensures that if an attacker gets access to your data, the attacker cannot read the data without also having access to the encryption keys. Even if an attacker gets access to your data (for example, by accessing the wire connection between data centers or by stealing a storage device), they won't be able to understand or decrypt it.

Encryption provides an important mechanism in how we help protect the privacy of your data. It allows systems to manipulate data—for example, for backup—and engineers to support our infrastructure, without providing access to content for those systems or employees.

Securing data at rest

By default, Google Cloud uses several layers of encryption to protect user data that's stored in Google production data centers. Encryption is applied at the application layer, the storage device layer, or both layers.

For more information about encryption at rest, including encryption key management and Keystore, see Encryption at rest in Google Cloud.

Securing data in transit

Data can be vulnerable to unauthorized access as it travels across the internet or within networks. Traffic between your devices and the Google Front End (GFE) is encrypted using strong encryption protocols such as TLS.

For more information, see Encryption in transit in Google Cloud.

Software supply chain integrity

Software supply chain integrity ensures that the underlying code and binaries for the services that process your data are verified and that they pass attestation tests. In Google Cloud, we developed Binary Authorization for Borg (BAB) to review and authorize production software that we deploy. BAB helps ensure that only authorized code can process your data. In addition to BAB, we use hardware security chips (called Titan) that we deploy on servers, devices, and peripherals. These chips offer core security features such as secure key storage, root of trust, and signing authority.

To help secure your software supply chain, you can implement Binary Authorization to enforce your policies before deploying your code. For information about securing your supply chain, see SLSA.

Securing data in use

Google Cloud supports data encryption for data in use with Confidential Computing. Confidential Computing provides hardware isolation and attestation using a Trusted Execution Environment (TEE). Confidential Computing protects workloads by performing computation in cryptographic isolation, which helps to ensure confidentiality in a multi-tenant cloud environment. This type of cryptographically isolated environment helps prevent unauthorized access or modifications to applications and data while the applications and data are in use. TEE provides independently verifiable attestations that attest to the system state and code run. Confidential Computing might be a good option for organizations that manage sensitive and regulated data and that need verifiable security and privacy assurances.

Security benefits of our global network

In other cloud services and on-premises solutions, customer data travels between devices across the public internet in paths known as hops. The number of hops depends on the optimal route between the customer's ISP and the data center. Each additional hop introduces a new opportunity for data to be attacked or intercepted. Because our global network is linked to most ISPs in the world, our network limits hops across the public internet, and therefore helps limit access to that data by bad actors.

Our network uses multiple layers of defense—defense in depth—to help protect the network against external attacks. Only authorized services and protocols that meet our security requirements are allowed to traverse it; anything else is automatically dropped. To enforce network segregation, we use firewalls and access control lists. Traffic is routed through GFE servers to help detect and stop malicious requests and distributed denial-of-service (DDoS) attacks. Logs are routinely examined to reveal any exploitation of programming errors. Access to networked devices is restricted to only authorized employees.

Our global infrastructure allows us to run Project Shield. Project Shield provides free, unlimited protection to websites that are vulnerable to DDoS attacks that are used to censor information. Project Shield is available for news websites, human rights websites, and election-monitoring websites.

Low latency and highly available solutions

Our IP data network consists of our own fiber, of publicly available fiber, and of undersea cables. This network allows us to deliver highly available and low-latency services across the globe.

We design the components of our platform to be highly redundant. This redundancy applies to our server design, to how we store data, to network and internet connectivity, and to the software services themselves. This "redundancy of everything" includes exception handling and creates a solution that is not dependent on a single server, data center, or network connection.

Our data centers are geographically distributed to minimize the effects of regional disruptions on global products, such as when natural disasters or local outages occur. If hardware, software, or a network fails, platform services and control planes are automatically and swiftly shifted from one facility to another so that platform services can continue without interruption.

Our highly redundant infrastructure also helps you protect your business from data loss. You can create and deploy Google Cloud resources across multiple regions and zones to build resilient and highly available systems. Our systems are designed to minimize downtime or maintenance windows for when we need to service or upgrade our platform. For more information about how Google Cloud builds resilience and availability into its core infrastructure and services, from design through operations, see the Google Cloud infrastructure reliability guide.

Google Cloud service availability

Some Google Cloud services are not available in all geographies. Some service disruptions are temporary (due to an unanticipated event, such as a network outage), but other service limitations are permanent due to government-imposed restrictions. Our comprehensive Transparency Report and status dashboard show recent and ongoing disruptions of traffic and availability of Google Cloud services. We provide this data to help you analyze and understand the availability of services.

Data access and restrictions

This section describes how we restrict access to data and how we respond to data requests from law enforcement agencies.

Data usage

Data that you store on our systems is yours. We don't scan your data for advertising purposes, we don't sell it to third parties, and we don't use it to train our AI models without your permission. The Data Processing Addendum for Google Cloud describes our commitment to protecting your data. That document states that we won't process data for any purpose other than to meet our contractual obligations. If you choose to stop using our services, we provide tools that let you take your data with you, without penalty or additional cost. For more information about our commitments for Google Cloud, see our trust principles.

Administrative access for Google employees

Our infrastructure is designed to logically isolate each customer's data from the data of other customers and users, even when it's stored on the same physical server. Only a small group of employees have access to customer data. Access rights and levels are based on an employee's job function and role, using the principles of least privilege and need-to-know that match access privileges to defined responsibilities. Our employees are granted only a limited set of default permissions to access company resources, such as employee email and Google's internal employee portal. Requests for additional access must follow a formal process that involves a request and an approval from the data or system owner, manager, or other executives, as dictated by our security policies.

Approvals are managed by workflow tools that maintain audit records of all changes. These tools control both the modification of authorization settings and the approval process to help ensure that approval policies are consistently applied. An employee's authorization settings are used to control access to resources, including data and systems for Google Cloud products. Support services are provided only to authorized customer administrators. Our dedicated security teams, privacy teams, and internal audit teams monitor and audit employee access, and we provide audit logs to you through Access Transparency for Google Cloud. Also, when you enable Access Approval, our support personnel and our engineers require your explicit approval to access your data.

Law enforcement data requests

As the data owner, you are primarily responsible for responding to law enforcement data requests. However, like many technology companies, we receive direct requests from governments and courts to disclose customer information. Google has operational policies and procedures and other organizational measures in place to help protect against unlawful or excessive requests for user data by public authorities. When we receive such a request, our team reviews the request to make sure that it satisfies legal requirements and Google's policies. Generally speaking, for us to comply, the request must be made in writing, issued under an appropriate law, and signed by an authorized official of the requesting agency.

We believe that the public deserves to know the full extent to which governments request information from us. We became the first company to start regularly publishing reports about government data requests. Detailed information about data requests and our response to them is available in our Transparency Report. It's our policy to notify you about requests for your data unless we are specifically prohibited by law or court order from doing so. For more information, see Government Requests for Cloud Customer Data.

Third-party suppliers

For most data-processing activities, we provide our services in our own infrastructure. However, we might engage some third-party suppliers to provide services related to Google Cloud, including customer support and technical support. Before onboarding a supplier, we assess their security and privacy practices. This assessment checks whether the supplier provides a level of security and privacy that is appropriate for their access to data and for the scope of the services that they are engaged to provide. After we have assessed the risks that are presented by the third-party supplier, the supplier is required to enter into appropriate security, confidentiality, and privacy contract terms.

For more information, see the Supplier Code of Conduct.

Support for compliance requirements

Google Cloud regularly undergoes independent verification of its security, privacy, and compliance controls, and receives certifications, attestations, and audit reports to demonstrate compliance. Our information security includes specific customer data privacy-related controls that help keep customer data secure.

Some key international standards that we are audited against are the following:

In addition, our SOC 2 and SOC 3 reports are available to our customers.

We also participate in sector and country-specific frameworks, such as FedRAMP (US government), BSI C5 (Germany), and MTCS (Singapore). We provide resource documents and mappings for certain frameworks where formal certifications or attestations might not be required or applied.

If you operate in regulated industries, such as finance, government, healthcare, or education, Google Cloud provides products and services that help you be compliant with numerous industry-specific requirements. See Assured Workloads overview for information about how you can implement regulatory requirements in Google Cloud.

For a complete listing of our compliance offerings, see the Compliance resource center.

Risk management and insurance

We maintain a robust insurance program for many risk types, including cyber and privacy liability insurance coverage. These policies include coverage for Google Cloud in events such as unauthorized use or access of our network; regulatory action where insurable; failure to adequately protect confidential information; notification costs; and crisis management costs, including forensic investigation.

Google Cloud security products and services

Security is a shared responsibility. Generally, you are responsible for securing what you bring to the cloud, whereas we are responsible for protecting the cloud itself. Therefore, while you're always responsible for securing your data, we are responsible for securing the underlying infrastructure. The following image visualizes this relationship as the shared responsibility model, which describes the responsibilities that we and you have in Google Cloud.

Security responsibilities for cloud providers and customers.

In the infrastructure as a service (IaaS) model, only the hardware, storage, and network are our responsibility. In the software as a service (SaaS) model, the security of everything except the data and its access and usage is our responsibility.

Google Cloud offers a range of security services that you can take advantage of to secure your cloud environment at scale. For more information, see Security and identity products in Google Cloud. You can also find more information in our security best practices center.

Conclusion

The protection of your data is a primary design consideration for our infrastructure, products, and operations. Our scale of operations and our collaboration with the security research community enable us to address vulnerabilities quickly, and often to prevent them entirely. We run our own services, such as Search, YouTube, and Gmail, on the same infrastructure that we make available to our customers, who benefit directly from our security controls and practices.

We offer a level of protection that few public cloud providers or private enterprise IT teams can match. Protecting data is core to our business, so we make extensive investments in security, resources, and expertise at a scale that others cannot. Our investment frees you to focus on your business and innovation. Our strong contractual commitments help you maintain control over your data and how it's processed. We don't use your data for advertising or any purpose other than to deliver Google Cloud services.

Many innovative organizations trust us with their most valuable asset: their data. We will continue to invest in the security of Google Cloud services to let you benefit from our services in a secure and transparent manner.
