Enterprise foundations blueprint

This document describes the best practices that let you deploy a foundational set of resources in Google Cloud. A cloud foundation is the baseline of resources, configurations, and capabilities that enable companies to adopt Google Cloud for their business needs. A well-designed foundation enables consistent governance, security controls, scale, visibility, and access to shared services across all workloads in your Google Cloud environment. After you deploy the controls and governance that are described in this document, you can deploy workloads to Google Cloud.

The enterprise foundations blueprint (formerly known as the security foundations blueprint) is intended for architects, security practitioners, and platform engineering teams who are responsible for designing an enterprise-ready environment on Google Cloud. This blueprint consists of the following:

You can use this guide in one of two ways:

  • To create a complete foundation based on Google's best practices. You can deploy all the recommendations from this guide as a starting point, and then customize the environment to address your business' specific requirements.
  • To review an existing environment on Google Cloud. You can compare specific components of your design against Google-recommended best practices.

Supported use cases

The enterprise foundation blueprint provides a baseline layer of resources and configurations that help enable all types of workloads on Google Cloud. Whether you're migrating existing compute workloads to Google Cloud, building containerized web applications, or creating big data and machine learning workloads, the enterprise foundation blueprint helps you build your environment to support enterprise workloads at scale.

After you deploy the enterprise foundation blueprint, you can deploy workloads directly or deploy additional blueprints to support complex workloads that require additional capabilities.

A defense-in-depth security model

Google Cloud services benefit from the underlying Google infrastructure security design. It is your responsibility to design security into the systems that you build on top of Google Cloud. The enterprise foundation blueprint helps you to implement a defense-in-depth security model for your Google Cloud services and workloads.

The following diagram shows a defense-in-depth security model for your Google Cloud organization that combines architecture controls, policy controls, and detective controls.

The defense-in-depth security model.

The diagram describes the following controls:

  • Policy controls are programmatic constraints that enforce acceptable resource configurations and prevent risky configurations. The blueprint uses a combination of policy controls including infrastructure-as-code (IaC) validation in your pipeline and organization policy constraints.
  • Architecture controls are the configuration of Google Cloud resources like networks and resource hierarchy. The blueprint architecture is based on security best practices.
  • Detective controls let you detect anomalous or malicious behavior within the organization. The blueprint uses platform features such as Security Command Center, integrates with your existing detective controls and workflows such as a security operations center (SOC), and provides capabilities to enforce custom detective controls.

Key decisions

This section summarizes the high-level architectural decisions of the blueprint.

Key Google Cloud services in the blueprint.

The diagram describes how Google Cloud services contribute to key architectural decisions:

  • Cloud Build: Infrastructure resources are managed using a GitOps model. Declarative IaC is written in Terraform and managed in a version control system for review and approval, and resources are deployed using Cloud Build as the continuous integration and continuous deployment (CI/CD) automation tool. The pipeline also enforces policy-as-code checks to validate that resources meet expected configurations before deployment.
  • Cloud Identity: Users and group membership are synchronized from your existing identity provider. Controls for user account lifecycle management and single sign-on (SSO) rely on the existing controls and processes of your identity provider.
  • Identity and Access Management (IAM): Allow policies (formerly known as IAM policies) allow access to resources and are applied to groups based on job function. Users are added to the appropriate groups to receive view-only access to foundation resources. All changes to foundation resources are deployed through the CI/CD pipeline, which uses privileged service account identities.
  • Resource Manager: All resources are managed under a single organization, with a resource hierarchy of folders that organizes projects by environments. Projects are labeled with metadata for governance including cost attribution.
  • Networking: Network topologies use Shared VPC to provide network resources for workloads across multiple regions and zones, separated by environment, and managed centrally. All network paths between on-premises hosts, Google Cloud resources in the VPC networks, and Google Cloud services are private. No outbound traffic to or inbound traffic from the public internet is permitted by default.
  • Cloud Logging: Aggregated log sinks are configured to collect logs relevant for security and auditing into a centralized project for long-term retention, analysis, and export to external systems.
  • Organization Policy Service: Organization policy constraints are configured to prevent various high-risk configurations.
  • Secret Manager: Centralized projects are created for a team responsible for managing and auditing the use of sensitive application secrets to help meet compliance requirements.
  • Cloud Key Management Service (Cloud KMS): Centralized projects are created for a team responsible for managing and auditing encryption keys to help meet compliance requirements.
  • Security Command Center: Threat detection and monitoring capabilities are provided using a combination of built-in security controls from Security Command Center and custom solutions that let you detect and respond to security events.
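As an added example (not code from the blueprint itself), the following is a minimal policy-as-code gate of the kind the Cloud Build pipeline runs before deployment: it reads the JSON of a Terraform plan and rejects three configurations the decisions above rule out (external IPs on instances, allow policies bound to individual users, and projects without governance labels). The rule set, the label names, and the plan fragment are assumptions constructed for this illustration.

```python
"""Policy-as-code gate for a Terraform plan (added example, not blueprint code)."""

# Labels every google_project must carry for cost attribution (assumed label names).
REQUIRED_PROJECT_LABELS = {"environment", "cost_center"}


def check_plan(plan: dict) -> list[str]:
    """Return one finding per planned resource that breaks a foundation rule.
    Input is the structure of `terraform show -json tfplan`; resources being
    destroyed have "after": None and are skipped, since nothing remains to check."""
    findings = []
    for rc in plan.get("resource_changes", []):
        after = rc.get("change", {}).get("after")
        if not after:
            continue
        rtype, addr = rc["type"], rc["address"]
        if rtype == "google_compute_instance":
            # Rule 1: all network paths are private, so no external IP via access_config.
            for nic in after.get("network_interface") or []:
                if nic.get("access_config"):
                    findings.append(f"{addr}: external IP (access_config) is not allowed")
        elif rtype in ("google_project_iam_member", "google_folder_iam_member"):
            # Rule 2: allow policies bind groups by job function, never individual users.
            if after.get("member", "").startswith("user:"):
                findings.append(f"{addr}: bind {after['role']} to a group, not {after['member']}")
        elif rtype == "google_project":
            # Rule 3: projects carry governance labels for cost attribution.
            missing = REQUIRED_PROJECT_LABELS - set(after.get("labels") or {})
            if missing:
                findings.append(f"{addr}: missing labels {sorted(missing)}")
    return findings


# Constructed plan fragment: three violations plus one deletion that is skipped.
SAMPLE_PLAN = {"format_version": "1.2", "resource_changes": [
    {"address": "google_compute_instance.web", "type": "google_compute_instance",
     "change": {"actions": ["create"], "after": {"name": "web",
      "network_interface": [{"network": "shared-vpc", "access_config": [{"nat_ip": None}]}]}}},
    {"address": "google_project_iam_member.bob", "type": "google_project_iam_member",
     "change": {"actions": ["create"], "after": {"role": "roles/editor", "member": "user:bob@example.com"}}},
    {"address": "google_project.app", "type": "google_project",
     "change": {"actions": ["create"], "after": {"project_id": "app-prod", "labels": {"environment": "prod"}}}},
    {"address": "google_project.old", "type": "google_project",
     "change": {"actions": ["delete"], "before": {"project_id": "old"}, "after": None}}]}

if __name__ == "__main__":
    problems = check_plan(SAMPLE_PLAN)
    print("\n".join(problems) or "plan passes policy checks")
    raise SystemExit(1 if problems else 0)  # non-zero exit fails the pipeline step
```

In a real pipeline the plan would come from `terraform show -json`, and a non-zero exit from this step blocks the apply stage.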

For alternatives to these key decisions, see alternatives.

What's next

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-05-15 UTC.