This chapter covers Google Cloud's security architecture, including the shared responsibility model, identity and access management, encryption, network security, and compliance. Security is a critical topic for the GCDL exam, appearing in approximately 15-20% of questions across multiple domains. Understanding how Google implements defense-in-depth and how customers complement those controls is essential for designing secure cloud solutions.
Jump to a section
Imagine a medieval fortress with a single entrance. The gatekeeper checks every visitor against a list of allowed names and denies entry to anyone not on the list. This is identity-based access control. But what if an enemy disguised as a friend gets through? The fortress needs additional defenses: a moat (network segmentation), watchtowers (monitoring), and archers on the walls (intrusion detection). Google Cloud's security model works similarly. It starts with identity and access management (IAM) as the gatekeeper, defining who can enter (authentication) and what they can do (authorization). Then it adds layers: VPC firewalls (moat) control traffic between networks, Cloud Armor (watchtower) protects against web attacks, and Security Command Center (archers) provides centralized visibility and threat detection. Just as a fortress uses multiple independent defenses so that one failure doesn't compromise the whole, Google Cloud uses a defense-in-depth strategy. Each layer addresses a different risk: IAM handles user identity, encryption protects data at rest and in transit, and audit logs record all activity. The key principle is that no single control is perfect; security relies on the combination of overlapping, independent mechanisms. This is why the exam emphasizes understanding how these layers work together rather than memorizing a single tool.
The Shared Responsibility Model
Google Cloud operates under a shared responsibility model where security of the cloud (infrastructure, hardware, software, networking, and physical facilities) is Google's responsibility, while security in the cloud (data, access control, configurations, and usage) is the customer's responsibility. This division is not static; it varies by service. For IaaS like Compute Engine, the customer is responsible for guest OS, applications, and data. For SaaS like Gmail, Google manages almost everything except user access and data classification. The exam expects you to know which party is responsible for what in each service model. A common trap is assuming Google secures everything, but customers must still configure IAM policies, encryption keys, and network controls.
Identity and Access Management (IAM)
IAM is the primary mechanism for controlling access to Google Cloud resources. It uses three core components: principal (who), role (what permissions), and resource (what object). IAM policies are attached to resources at the project, folder, or organization level and are inherited downward. Roles are either predefined (curated by Google), custom (user-defined with exact permissions), or basic (legacy owner/editor/viewer). Predefined roles follow the principle of least privilege; basic roles are overly permissive and not recommended for production. IAM conditions allow fine-grained access based on attributes like time, IP address, or resource name. The exam often tests the difference between primitive roles and predefined roles, and the fact that IAM is global — a policy change takes effect within minutes but is eventually consistent.
Encryption at Rest and in Transit
Google encrypts data at rest by default using AES-256. Data is encrypted at the storage layer (disk encryption) and the application layer (object encryption). Customers can use Google-managed keys (default), Cloud KMS (customer-managed keys), or CSEK (customer-supplied encryption keys). Cloud KMS is a centralized key management service that supports symmetric and asymmetric keys, key rotation, and HSM-backed keys. Data in transit is encrypted using TLS 1.2 or higher for external communication and Google's internal network uses encryption between data centers. The exam may ask which encryption option provides the most control (CSEK) versus the least operational overhead (Google-managed keys).
Network Security
Google Cloud provides multiple network security controls: - VPC Firewall Rules: Stateful firewall that controls ingress and egress traffic based on IP addresses, protocols, and ports. Rules can be applied to instances via network tags or service accounts. Default rules allow internal traffic and deny all ingress from outside. - Cloud Armor: Web application firewall (WAF) that protects against DDoS and application attacks like SQL injection and XSS. It uses preconfigured rules (e.g., OWASP Top 10) and custom rules. Cloud Armor is integrated with Cloud CDN and external HTTPS load balancers. - Cloud IDS: Intrusion detection system that monitors network traffic for threats using Palo Alto Networks threat signatures. It provides visibility into malicious activity without blocking traffic. - Packet Mirroring: Copies traffic from selected instances for analysis by third-party security appliances.
Security Command Center
Security Command Center (SCC) is a centralized security and risk management platform. It provides: - Asset Discovery: Automatically discovers and tracks Google Cloud resources. - Vulnerability Scanning: Scans compute instances for common vulnerabilities (e.g., outdated OS packages). - Threat Detection: Detects anomalies like crypto mining, compromised credentials, and data exfiltration using machine learning. - Compliance Reporting: Provides reports for standards like PCI DSS, HIPAA, and CIS Benchmarks. SCC has two tiers: Standard (free) includes basic vulnerability scanning and threat detection; Premium (paid) adds event threat detection, container threat detection, and security health analytics. The exam expects you to know SCC's role as a unified dashboard for security posture.
Compliance and Certifications
Google Cloud maintains a wide range of compliance certifications, including SOC 1/2/3, ISO 27001, PCI DSS, HIPAA, and FedRAMP. The Compliance Reports Manager provides downloadable reports for auditors. Customers can use Assured Workloads to enforce compliance controls (e.g., data residency, CMEK) for regulated workloads. The exam may ask which certification is relevant for healthcare (HIPAA) or financial services (PCI DSS).
Additional Security Services
Cloud DLP: Data Loss Prevention service that inspects, classifies, and masks sensitive data like credit card numbers or PII.
Cloud Audit Logs: Records admin activities, data access, and system events. Logs are immutable and retained for 30 days by default (or longer with custom retention).
Access Transparency: Provides logs when Google employees access customer data, meeting compliance requirements for cloud providers.
VPC Service Controls: Prevents data exfiltration by defining perimeters around resources and restricting access to only authorized networks.
Key Defaults and Values
IAM policy propagation: typically under 30 seconds, but eventually consistent.
Encryption at rest: AES-256, default for all data.
TLS version: minimum 1.2 for external connections.
Cloud Audit Logs retention: 30 days for admin logs, 30 days for data access logs (default), configurable up to 3650 days with custom retention.
Cloud Armor rule limit: 200 rules per policy.
SCC Standard tier: free, includes basic vulnerability scanning.
VPC firewall rules: 2000 rules per network (soft limit).
Interaction with Related Technologies
IAM works with Cloud Audit Logs to track who did what. Encryption integrates with Cloud KMS for key management. VPC firewall rules work with Cloud Armor for layered network defense. SCC ingests data from Cloud Audit Logs, Cloud IDS, and other sources to provide a unified view. Understanding these interactions is crucial for the exam because questions often ask which combination of services solves a specific security requirement.
Authenticate the Principal
When a user or service attempts to access a Google Cloud resource, the first step is authentication. The principal provides credentials such as a Google account, service account key, or OAuth token. Google's authentication system verifies the credentials against its identity store. For service accounts, the authentication uses a JSON Web Token (JWT) signed by the private key. If authentication fails, the request is rejected with a 401 Unauthorized error. The exam may ask about the difference between user accounts and service accounts, and that service accounts are used for server-to-server interactions.
Evaluate IAM Policy
After authentication, Google Cloud evaluates the IAM policy attached to the target resource. IAM policies are composed of bindings that map a principal to a role. The role defines a set of permissions. Google Cloud checks if the principal has any role that grants the required permission for the action. Policies are evaluated in a hierarchical manner: organization, folder, project, and resource. If a permission is denied by an IAM condition (e.g., time-based restriction), access is denied even if the role otherwise allows it. The evaluation is done server-side and the result is cached for up to a few minutes.
Enforce VPC Firewall Rules
If the request is a network connection (e.g., SSH to a VM), VPC firewall rules are evaluated. Firewall rules are stateful: if you allow ingress traffic, the corresponding egress response is automatically allowed. Rules are evaluated in priority order (lower number = higher priority). If no rule matches, the default deny all ingress rule applies. For egress, the default allow all egress rule applies unless overridden. Firewall rules can be tagged to apply only to specific instances. The exam tests that firewall rules are applied at the instance level, not at the network level, and that they are stateful.
Apply Additional Security Controls
After passing IAM and firewall checks, additional security controls may be applied. For example, if the traffic is HTTP/HTTPS and goes through a Cloud Load Balancer, Cloud Armor rules are evaluated. Cloud Armor can block requests based on IP reputation, HTTP headers, or OWASP signatures. Similarly, VPC Service Controls can block data exfiltration by restricting access to allowed networks. These controls act as additional gates. The order of evaluation is important: IAM first, then network controls, then application-layer controls. The exam may present scenarios where multiple controls must be configured in sequence.
Log and Audit the Activity
All successful and failed access attempts are logged in Cloud Audit Logs. Admin Activity logs record changes to configurations, while Data Access logs record reads/writes to data. These logs are immutable and can be exported to Cloud Storage or BigQuery for analysis. Security Command Center ingests these logs to detect anomalies. The exam expects you to know that Data Access logs are disabled by default (to reduce volume) and must be explicitly enabled. Also, log retention is 30 days by default, but can be extended using custom retention policies or exporting to Cloud Storage.
Enterprise Scenario 1: Multi-national Retailer with PCI DSS Compliance
A global retailer running e-commerce workloads on Google Cloud must comply with PCI DSS. They use VPC Service Controls to create a perimeter around their payment processing environment, ensuring that only authorized networks (e.g., corporate VPN) can access the payment data. They configure Cloud Armor with OWASP rules to block SQL injection and XSS attacks. Encryption at rest uses Cloud KMS with customer-managed keys (CMEK) to satisfy key control requirements. They enable Data Access audit logs for all storage buckets containing cardholder data and export logs to BigQuery for analysis. Security Command Center Premium monitors for vulnerabilities and misconfigurations. A common misconfiguration is forgetting to enable VPC Service Controls for all services, leaving a data exfiltration path via a misconfigured Cloud Storage bucket. The retailer learned this the hard way during an audit, where a bucket with public access was discovered. They now use SCC's security health analytics to detect such issues automatically.
Enterprise Scenario 2: SaaS Provider Using Shared VPC
A SaaS provider hosts multi-tenant applications in a shared VPC environment. They use IAM conditions to restrict developer access to only their respective project's resources during business hours. Service accounts are used for applications, with keys rotated every 90 days using Cloud KMS. They deploy Cloud IDS to monitor for lateral movement between tenants. A challenge they faced was that developers inadvertently exposed internal services by creating firewall rules that were too permissive. They solved this by using hierarchical firewall policies enforced at the organization level, which cannot be overridden by project-level rules. The exam often tests this concept: hierarchical firewall policies are managed by organization admins and take precedence over VPC firewall rules.
Enterprise Scenario 3: Healthcare Organization with HIPAA
A healthcare provider stores protected health information (PHI) on Google Cloud. They use Assured Workloads to enforce data residency in the US and require CMEK for all storage services. They enable Access Transparency logs to meet the requirement that cloud provider access to data is logged. They use Cloud DLP to scan Cloud Storage buckets for PHI and automatically redact or mask it. A common issue is that developers sometimes forget to enable CMEK on new services, resulting in data being encrypted with Google-managed keys. They now use organization policies to require CMEK for all resources, enforced via a constraint like constraints/gcp.resourceEncryptionKeyLocation. This is a key exam point: organization policies can enforce compliance requirements across all projects.
What the GCDL Exam Tests on Security (Objective 2.5)
The GCDL exam expects you to understand the overall security posture of Google Cloud, not to configure it hands-on. Key areas: - Shared Responsibility Model: Know which party is responsible for what in IaaS, PaaS, and SaaS. A common question: 'Who is responsible for patching the guest OS in Compute Engine?' Answer: Customer. - IAM: Understand the difference between primitive roles (Owner/Editor/Viewer) and predefined roles. Know that IAM policies are inherited and that conditions exist. Trap: Candidates think basic roles are fine for small projects, but the exam wants you to know they are too permissive. - Encryption: Know the three key management options: Google-managed, CMEK, CSEK. The exam may ask which provides the most control (CSEK) and which is easiest (Google-managed). Trap: CMEK uses Cloud KMS, but CSEK requires customer to supply keys — candidates often confuse them. - Network Security: VPC firewall rules are stateful, Cloud Armor is a WAF, and Cloud IDS is for threat detection. Trap: Candidates think Cloud Armor is a firewall; it's a WAF that works at layer 7. - Security Command Center: Know that SCC Standard is free and includes basic vulnerability scanning; Premium adds threat detection. Trap: Candidates assume all features are free. - Compliance: Know that PCI DSS is for payment data, HIPAA for healthcare, FedRAMP for US government. Assured Workloads helps enforce compliance.
Common Wrong Answers and Why
'Google is responsible for all security.' This is wrong because the shared responsibility model clearly assigns customer responsibility for data, access, and configurations.
'IAM roles are evaluated at the resource level only.' Wrong — IAM is hierarchical and policies are inherited from organization to project to resource.
'VPC firewall rules are stateless.' Wrong — they are stateful; return traffic is automatically allowed.
'Cloud Armor is a firewall.' Wrong — it is a WAF that protects web applications; VPC firewall rules are the network firewall.
Specific Numbers and Terms
AES-256 encryption at rest.
TLS 1.2 minimum for in transit.
30-day default audit log retention.
2000 firewall rules per network (soft limit).
SCC Standard: free; Premium: paid.
IAM propagation: under 30 seconds typical.
Edge Cases
When using VPC Service Controls, IAM still applies first. If a user has IAM access but is outside the perimeter, access is denied.
Data Access audit logs are disabled by default; you must enable them per service.
CSEK keys are stored on the client; if lost, data cannot be recovered.
Organization policies can override project-level IAM? No — organization policies are for constraints (e.g., resource locations), not IAM permissions.
Shared responsibility: Google secures the cloud; customer secures what's in the cloud.
IAM uses principals, roles, and resources; policies are inherited hierarchically.
Predefined roles follow least privilege; basic roles are too permissive for production.
Encryption at rest uses AES-256 by default; three key management options: Google-managed, CMEK, CSEK.
VPC firewall rules are stateful and applied at the instance level via tags or service accounts.
Cloud Armor is a WAF for HTTP/S traffic; it works with load balancers, not all instances.
Security Command Center Standard is free; Premium adds advanced threat detection.
Cloud Audit Logs have 30-day default retention; Data Access logs must be enabled explicitly.
VPC Service Controls prevent data exfiltration by defining perimeters around resources.
Assured Workloads enforces compliance controls like data residency and CMEK.
Organization policies can enforce constraints (e.g., allowed locations) across all projects.
The exam tests conceptual understanding, not command-line skills.
These come up on the exam all the time. Here's how to tell them apart.
Google-Managed Encryption Keys
Google creates, rotates, and manages keys automatically.
No customer overhead for key management.
Keys are stored in Google's infrastructure.
Suitable for most workloads with compliance requirements.
Cannot control key rotation schedule.
Customer-Managed Encryption Keys (CMEK)
Customer manages keys via Cloud KMS.
Customer controls key rotation and access.
Keys are stored in Cloud KMS, separate from data.
Required for regulatory compliance like HIPAA or PCI DSS.
Customer can disable or destroy keys, rendering data inaccessible.
VPC Firewall Rules
Operates at layers 3 and 4 (IP, ports).
Stateful — auto-allow return traffic.
Controls traffic at the instance level.
No application-layer inspection.
Free with VPC.
Cloud Armor
Operates at layer 7 (HTTP/S).
Stateless — each request evaluated individually.
Protects load balancers and CDN.
Includes WAF rules for SQL injection, XSS, etc.
Paid service per policy.
Mistake
Google Cloud secures everything, so customers don't need to worry about security.
Correct
The shared responsibility model means Google secures the infrastructure, but customers must secure their data, manage access, and configure network controls. For example, customers must patch guest OS, manage IAM policies, and enable encryption keys.
Mistake
IAM basic roles (Owner/Editor/Viewer) are acceptable for production use.
Correct
Basic roles grant broad permissions that violate least privilege. For example, Editor can modify any resource in a project. Google recommends using predefined roles that limit permissions to specific actions.
Mistake
VPC firewall rules are stateless and require separate rules for return traffic.
Correct
VPC firewall rules are stateful. When you allow ingress traffic, the corresponding egress response is automatically permitted. You do not need to create a separate rule for the reply.
Mistake
Cloud Armor is a network firewall that can replace VPC firewall rules.
Correct
Cloud Armor is a web application firewall (WAF) that operates at layer 7, protecting against HTTP/S attacks. VPC firewall rules are layer 3/4 network firewalls. They complement each other; one cannot replace the other.
Mistake
Security Command Center is a paid-only service.
Correct
SCC has a free Standard tier that includes asset discovery, vulnerability scanning, and basic threat detection. The Premium tier adds advanced threat detection and security health analytics for a fee.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
The shared responsibility model divides security duties between Google and the customer. Google secures the infrastructure (physical data centers, network, hypervisor). The customer secures their data, identities, access management, and configurations. For IaaS, the customer also secures the guest OS and applications. For SaaS, Google handles more, but the customer still manages user access and data classification.
IAM conditions allow you to grant access based on attributes like time, IP address, or resource name. For example, you can allow a user to access a bucket only during business hours. Conditions are evaluated at the time of request. If the condition is not met, access is denied even if the role otherwise grants permission. This adds fine-grained control beyond static roles.
CMEK (Customer-Managed Encryption Keys) uses Cloud KMS to manage keys. You control key rotation and access, but keys are stored in Google Cloud. CSEK (Customer-Supplied Encryption Keys) requires you to provide the key with each API call. Google never stores the key. CSEK gives you more control but more operational burden. If you lose a CSEK, data cannot be recovered.
VPC firewall rules are stateful. When you allow ingress traffic, the corresponding egress response is automatically allowed. You do not need to create a separate rule for the reply. However, if you block outbound traffic, you must explicitly allow the return traffic if needed. This is different from AWS security groups, which are also stateful, but Google's implementation is similar.
Security Command Center (SCC) is a centralized platform for security posture management. It provides asset discovery, vulnerability scanning, threat detection, and compliance reporting. The Standard tier is free and includes basic features. The Premium tier adds advanced threat detection (e.g., event threat detection, container threat detection) and security health analytics. SCC integrates with Cloud Audit Logs and Cloud IDS.
Data Access audit logs are disabled by default to reduce log volume. You can enable them via the Cloud Audit Logs configuration in the Google Cloud Console or using the gcloud command: `gcloud logging settings set --enable-data-access`. You can specify which services to log. Be aware that enabling all Data Access logs can generate high volumes and incur costs.
VPC Service Controls (VPC-SC) help prevent data exfiltration by defining perimeters around Google Cloud resources. Resources inside the perimeter can only be accessed from authorized networks (e.g., VPC networks, on-premises via VPN). Access from outside the perimeter is denied, even if IAM allows it. VPC-SC is commonly used for compliance with regulations like PCI DSS.
You've just covered Security on Google Cloud — now see how well it sticks with free GCDL practice questions. Full explanations included, no account needed.
Done with this chapter?