Google Cloud Security
Google has a global scale technical infrastructure designed to provide security through the entire information processing lifecycle at Google. This infrastructure provides secure deployment of services, secure storage of data with end user privacy safeguards, secure communications between services, secure and private communication with customers over the internet, and safe operation by administrators.
Google uses this infrastructure to build its internet services, including both consumer services such as Search, Gmail, and Photos, and enterprise services such as G Suite and Google Cloud Platform.
The security of the infrastructure is designed in progressive layers starting from the physical security of data centers, continuing on to the security of the hardware and software that underlie the infrastructure, and finally, the technical constraints and processes in place to support operational security.
Google invests heavily in securing its infrastructure with many hundreds of engineers dedicated to security and privacy distributed across all of Google, including many who are recognized industry authorities.
Google Cloud Security White Paper
Traditionally, organizations have looked to the public cloud for cost savings or to augment private data center capacity. Today, however, organizations are increasingly looking to the public cloud for security, recognizing that providers can invest more in people and processes to deliver secure infrastructure.
As a cloud pioneer, Google fully understands the security implications of the cloud model. Our cloud services are designed to deliver better security than many traditional on-premises solutions. We make security a priority to protect our own operations, but because Google runs on the same infrastructure that we make available to our customers, your organization can directly benefit from these protections. That’s why we focus on security, and protection of data is among our primary design criteria. Security drives our organizational structure, training priorities and hiring processes. It shapes our data centers and the technology they house. It’s central to our everyday operations and disaster planning, including how we address threats. It’s prioritized in the way we handle customer data. And it’s the cornerstone of our account controls, our compliance audits and the certifications we offer our customers.
This paper outlines Google’s approach to security and compliance for Google Cloud Platform, our suite of public cloud products and services. Used by organizations worldwide, from large enterprises and retailers with hundreds of thousands of users to fast-growing startups, Cloud Platform includes offerings in compute, storage, networking and big data. This whitepaper focuses on security, including details on the organizational and technical controls Google uses to protect your data.
How Does Google Encrypt Data?
Core customer data that is uploaded or created in G Suite services is encrypted at rest, as described in the help center article.
This encryption happens as the data is written to disk, without the customer having to take any action. Google encrypts each piece of data with a distinct encryption key, even when the data belongs to the same customer. Data is encrypted using 128-bit or stronger Advanced Encryption Standard (AES).
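To make the "distinct key per piece of data" property concrete, the following is an added example (not Google's code, and not taken from the whitepaper) of envelope encryption in Go: every stored object gets its own freshly generated data encryption key (DEK), the object is encrypted under that DEK with AES-256-GCM, and the DEK is wrapped under a separate key-encryption key (KEK). The use of a KEK, AES-GCM specifically, and binding the object ID as associated data are assumptions of this example; the page only states that distinct keys and 128-bit-or-stronger AES are used.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// keyLen selects AES-256, which satisfies "128-bit or stronger AES".
const keyLen = 32

// Envelope is everything stored alongside an object. Without the KEK it is
// useless: the object is under the DEK, and the DEK is under the KEK.
type Envelope struct {
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-GCM(DEK, object)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates plaintext, prefixing a random nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to the ciphertext or the aad fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

// EncryptObject generates a fresh DEK for this one object, encrypts the object
// under it, and wraps the DEK under the KEK. The object ID is bound as associated
// data so a wrapped DEK cannot be silently moved onto a different object.
func EncryptObject(kek []byte, objectID string, plaintext []byte) (Envelope, error) {
	dek := make([]byte, keyLen)
	if _, err := rand.Read(dek); err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dek, plaintext, []byte(objectID))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(kek, dek, []byte(objectID))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptObject unwraps the DEK with the KEK, then decrypts the object with it.
func DecryptObject(kek []byte, objectID string, env Envelope) ([]byte, error) {
	dek, err := open(kek, env.WrappedDEK, []byte(objectID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, env.Ciphertext, []byte(objectID))
}

// DistinctKeys checks the property the page describes: two objects, even from the
// same customer, are sealed under different DEKs. Wrapped DEKs always differ
// because of their random nonces, so the DEKs are unwrapped and compared directly.
func DistinctKeys(kek []byte, idA string, a Envelope, idB string, b Envelope) (bool, error) {
	dekA, err := open(kek, a.WrappedDEK, []byte(idA))
	if err != nil {
		return false, err
	}
	dekB, err := open(kek, b.WrappedDEK, []byte(idB))
	if err != nil {
		return false, err
	}
	return !bytes.Equal(dekA, dekB), nil
}

func main() {
	// Constructed KEK for the demo; in a real system it lives in a key management service.
	kek := make([]byte, keyLen)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	env, err := EncryptObject(kek, "customer-42/report.txt", []byte("constructed sample object"))
	if err != nil {
		panic(err)
	}
	pt, err := DecryptObject(kek, "customer-42/report.txt", env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered %q\n", pt)
}
```

The practical consequence of this design is blast-radius limitation: a leaked DEK exposes exactly one object, and rotating the KEK only requires re-wrapping DEKs, not re-encrypting every stored byte.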
Google encrypts core G Suite data while it is “in transit” as well, whether it is traveling over the Internet between the customer and Google, or moving within Google as it shifts from one data center to another. We encrypt this data between Google and our customers using HTTPS with perfect forward secrecy.
Independent Third-Party Certifications
ISO 27001 is one of the most widely recognized and accepted independent security standards. Google has earned it for the systems, technology, processes, and data centers that run G Suite. Our compliance with the international standard was certified by Ernst & Young CertifyPoint, an ISO certification body accredited by the Dutch Accreditation Council (a member of the International Accreditation Forum, or IAF).
ISO 27017 is an international standard of practice for information security controls based on ISO/IEC 27002 specifically for cloud services. Our compliance with the international standard was certified by Ernst & Young CertifyPoint, an ISO certification body accredited by the Dutch Accreditation Council (a member of the International Accreditation Forum, or IAF).
ISO 27018 is an international standard of practice for the protection of personally identifiable information (PII) in public cloud services. Our compliance with the international standard was certified by Ernst & Young CertifyPoint, an ISO certification body accredited by the Dutch Accreditation Council (a member of the International Accreditation Forum, or IAF). Our ISO 27018 certificate is available
Security, Availability, Processing Integrity and Confidentiality
In 2014, the American Institute of Certified Public Accountants (AICPA) Assurance Services Executive Committee (ASEC) released the revised version of the Trust Services Principles and Criteria (TSP). SOC (Service Organization Controls) is an audit framework for non-privacy principles that include security, availability, processing integrity, and confidentiality. Google has both SOC 2 and SOC 3 reports. The SOC 3 confirms Google Cloud's compliance with the principles of security, availability, processing integrity and confidentiality.
U.S. Health Insurance Portability and Accountability Act (HIPAA)
G Suite supports our customers’ compliance with the U.S. Health Insurance Portability and Accountability Act (HIPAA), which governs the confidentiality and privacy of protected health information (PHI). Customers who are subject to HIPAA and wish to use G Suite with PHI must sign a business associate agreement (BAA) with Google. The BAA covers Gmail, Google Calendar, Google Drive, Google Sites and Google Vault. Additional information can be found in our HIPAA Implementation Guide.
Google Cloud Platform Compliance
Google Cloud Platform also supports HIPAA-covered customers by entering into a Business Associate Agreement. The Cloud Platform BAA currently covers Compute Engine, Cloud Storage, Cloud SQL, Cloud Dataproc, Genomics, BigQuery, Container Engine, Container Registry, Cloud Dataflow, Cloud Bigtable, and Cloud Pub/Sub. Learn more about HIPAA compliance.
Google Cloud Platform and the EU Data Protection Directive
As part of Google’s rigorous privacy and compliance standards and commitment to our customers, Google Inc. is certified under the EU-U.S. Privacy Shield Framework. In addition, Google offers Cloud Platform customers EU model contract clauses as a method to meet the adequacy and security requirements of the EU Data Protection Directive. The European Union's data protection authorities have concluded that Google's model contract clauses meet EU regulatory expectations, confirming that Google Cloud services provide sufficient commitments to frame international data flows from Europe to the rest of the world. For details on the approval of the Google Cloud from the Article 29 Working Party, please see the respective decisions for G Suite and the Google Cloud Platform. Learn more about EU Data Protection.
No advertising in G Suite
There is no advertising in the G Suite Core Services, and we have no plans to change this in the future. Google does not collect, scan or use data in G Suite Core Services for advertising purposes. Customer administrators can restrict access to Non-Core Services from the G Suite Admin console. Google indexes customer data to provide beneficial services, such as spam filtering, virus detection, spellcheck and the ability to search for emails and files within an individual account.