Cloud Security FAQ
Here you will find answers to some Frequently Asked Questions related to Security and Compliance on Google Cloud Platform.
For more information about security of the platform and its products, please see Google Cloud Platform Security and Compliance
Penetration testingDo I need to notify Google that I plan to do a penetration test on my project?
If you plan to evaluate the security of your Cloud Platform infrastructure with penetration testing, you are not required to contact us. You will have to abide by the Cloud Platform Acceptable Use Policy and Terms of Service, and ensure that your tests only affect your projects (and not other customers’ applications). If a vulnerability is found, please report it via the Vulnerability Reward Program.
Intrusion detectionHow does Google protect against hackers and other intruders?
The technology, scale and agility of our infrastructure bring you unique security benefits. Our data centers are built with custom-designed servers, running our own operating system for security and performance. Google’s 500+ security engineers, including some of the world’s foremost experts, work around the clock to spot threats early and respond quickly. We get better as we learn from each incident, and even incentivize the security research community, with which we actively engage, to expose our systems’ vulnerabilities. Here are a few examples of how security and reliability are at the core of what we do:
- Google’s data centers use custom hardware running a custom hardened operating system and file system. Each of these systems has been optimized for security and performance. Since Google controls the entire hardware stack, we are able to quickly respond to any threats or weaknesses that may emerge.
- We encrypt data in transit between Google and our customers and between our data centers and we encrypt data at rest in our Cloud Platform services.
- To protect against cryptanalytic advances, in 2013, Google doubled the length of our RSA encryption keys to 2048 bits . We change the keys regularly, raising the bar for the rest of the industry.
Partner service securityHow are partner integrations like Cloud Dataprep secured?
Cloud Dataprep is a special service that is built in collaboration with the external company Trifacta. Trifacta runs, operates, and secures this service with support from Google. Cloud Dataprep is a different model from native services like Google Compute Engine that are fully managed and secured by Google.
Google has worked closely with Trifacta to ensure that they meet an industry-standard security bar. This security is maintained by Trifacta and is separate from the protections and standards that safeguard native Google services.
Trifacta doesn't have any default access to your Google Cloud projects. Before you use Cloud Dataprep, you must accept the Cloud Dataprep Permissions which authorize the service to access project data.
Securing instancesGoogle Cloud Platform provides great security, so why do I need to worry about securing my instance?
With Google Cloud Platform, your projects take advantage of the same security model that Google uses to keep its customers safe on other Google properties. However, if your instance is configured incorrectly, it could be vulnerable to an attack. This is similar to how you need to keep the doors to your house locked, even though the police also patrol your neighborhood.
To secure your instances on Google Cloud Platform, follow these best practices:
- Connect securely to your instance. For externally facing applications, it's a good idea to configure your firewalls properly and secure your ports. For tips on securing your instance, see Securely Connecting to VM Instances. For enterprises, see Networking and security.
- Ensure the project firewall is not open to everyone on the internet. Leaving all firewall rules open to 0.0.0/0 will mean that any source on the internet can establish a connection to your instance. Unless you specifically want to make your instance publicly available, a general best practice is to allow access only to your application, and only on the ports your application needs access to. For best practice information about firewalls, see Firewall rules and Firewalls in the Compute Engine Using Networks and Firewalls guide.
- Use a strong password. Passwords ensure that only authorized people have access to your instance. For information on creating strong passwords, see Creating a strong password. In addition, remember to secure the Gmail account that you use for accessing the Cloud Platform Console. For tips on securing your Gmail account, see Gmail security checklist.
- Ensure that all software is up to date. Make sure that the software you have installed is up to date and that there are no known vulnerabilities that could compromise your instance.
- Monitor project usage closely via the monitoring API to identify abnormal project usage. Google Cloud Platform offers Stackdriver Logging. Stackdriver Logging enables you to collect and store logs from applications and services on the Google Cloud Platform. You can use logging to create log-based metrics for monitoring and alerting on unusual behavior. For more information, see the Stackdriver Logging Documentation. Investigate any suspicious usage to ensure that your instance is not being hijacked by malicious software.
For more tips on designing a robust system, see How to design robust systems.
As an owner of a project, you are responsible for securing the software installed on your machine. If you feel that your instance has been compromised, the following steps will help with limiting the damage:
- Stop the instance immediately.
- Notify impacted users; they might be wondering why your service is down.
- Identify the source of the vulnerability by analyzing the behavior of your instance and the software you've installed.
- Ensure that all the software is up to date. Check for any known vulnerabilities in the software installed on your machine and take proactive steps to apply the latest security patches.
- Adopt additional security measures to ensure that your project is not compromised by a third party and then completely reinstall your project.
- Follow the guidelines in What can I do to protect my instance? (above) to ensure your project is secure going forward.
- If you received a warning from Google Cloud Platform about suspicious behavior by your project, appeal the warning by going to the Google Cloud Platform console and explaining the steps you took to secure the instance.
Unfortunately, we do not have visibility into what is installed on your instance or what software caused the issue. You're responsible for investigating the source of vulnerability and taking steps to mitigate it. If you need any additional support to troubleshoot the issue please refer to the Cloud Platform Support page.
There are several reasons why this might happen. Sometimes, a third party application can make your instance vulnerable. It's critical to monitor your instance and ensure that it is secure.
Also, please review the Google Cloud Platform Acceptable Use Policy to ensure that your project complies. In extremely rare instances, our algorithms may flag your project's intentional behavior as suspicious behavior originating from a compromised instance. In such cases, you can appeal by going to the Google Cloud Platform console and providing a business justification. A member of our team will review your appeal and get back to you within two business days.
Blocking accountsHow do I block consumer accounts from accessing the Google Cloud Console on my network?
If your organization has G Suite, or has a managed domain for Google accounts, you can restrict access to the Cloud Platform Console by enforcing a web proxy. For more information, see Block access to consumer accounts in the G Suite Administrator Help.
Blocked users will receive the message "Google Developers Console is not available for firstname.lastname@example.org within this network. Please talk to your network administrator for more information."