Identity and Organization Structure
Resource Hierarchy
The GCP resource hierarchy flows from Organization to Folders to Projects, with IAM policies and organization policies inherited down the hierarchy. The Organization is the root of the hierarchy and typically corresponds to a company domain. Folders provide grouping and policy inheritance, so policy can be applied at the department or environment level. Projects provide resource isolation and billing boundaries; separate projects per environment and per application are recommended because they form strong isolation boundaries that keep a development environment compromise from affecting production. Project-level IAM and organization policies enable fine-grained access control.

Cloud IAM
Cloud IAM provides identity and access management through roles assigned to principals (users, groups, service accounts). Basic roles (Owner, Editor, Viewer) provide coarse-grained permissions, while predefined roles provide fine-grained permissions for specific services. Custom roles enable organization-specific permission combinations when predefined roles do not match requirements; they should be used sparingly, because predefined roles receive automatic updates for new features. Service accounts provide application identity with short-lived access tokens. Workload Identity Federation lets external identity providers authenticate to GCP without service account keys, eliminating long-lived credentials. Service account key creation should be disabled through organization policies, forcing the use of short-lived tokens and workload identity.

Organization Policies
Organization policies enforce guardrails across the organization, preventing insecure configurations. Policies can disable service account key creation, restrict resource locations, require VPC Service Controls, and enforce encryption. Policies inherit down the resource hierarchy; child resources can further restrict but not relax parent policies. Policy inheritance enables centralized governance with delegated administration. Common organization policies include allowed locations (data residency), disabled service account key creation, required VPC Service Controls, and enforced encryption.

Network Security
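The IAM and organization-policy points above are easiest to act on as an audit script. The following is an added example, not code from the original article or from Google; it takes dictionaries shaped like the JSON output of `gcloud projects get-iam-policy` and `gcloud org-policies describe --effective` (field names as assumed here), flags basic roles, public and external principals, and direct user bindings, and checks that the key-creation and resource-location guardrails are in force. The sample policy and org-policy data are constructed.

```python
"""Audit a project's IAM policy and effective organization policies.

Added example, not from the original article or any Google tooling. The inputs
mirror the JSON that `gcloud projects get-iam-policy PROJECT --format=json` and
`gcloud org-policies describe CONSTRAINT --project=PROJECT --effective --format=json`
return (field names as assumed here); the sample data below is constructed.
"""
from __future__ import annotations

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Guardrail constraints the article recommends; these are real constraint names.
REQUIRED_BOOLEAN_CONSTRAINTS = {
    "iam.disableServiceAccountKeyCreation",
    "iam.disableServiceAccountKeyUpload",
}
REQUIRED_LIST_CONSTRAINTS = {"gcp.resourceLocations"}  # data residency


def audit_iam_policy(policy: dict, trusted_domains: set[str]) -> list[str]:
    """Return human-readable findings for one IAM policy document."""
    findings: list[str] = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(f"{role}: public principal {member}")
            if role in BASIC_ROLES:
                findings.append(f"{role}: basic role granted to {member}")
            kind, _, ident = member.partition(":")
            if kind == "user":
                domain = ident.rsplit("@", 1)[-1]
                if domain not in trusted_domains:
                    findings.append(f"{role}: external user {ident}")
                else:
                    findings.append(f"{role}: direct user binding {ident} (prefer groups)")
    return findings


def audit_org_policies(effective_policies: list[dict]) -> list[str]:
    """Check that boolean guardrails are enforced and list guardrails are restricted."""
    enforced: set[str] = set()
    restricted: set[str] = set()
    for pol in effective_policies:
        constraint = pol["name"].rsplit("/", 1)[-1]  # ".../policies/<constraint>"
        for rule in pol.get("spec", {}).get("rules", []):
            if rule.get("enforce") is True:
                enforced.add(constraint)
            if rule.get("values", {}).get("allowedValues"):
                restricted.add(constraint)
    findings = [f"{c}: not enforced" for c in sorted(REQUIRED_BOOLEAN_CONSTRAINTS - enforced)]
    findings += [f"{c}: no allowed-values restriction"
                 for c in sorted(REQUIRED_LIST_CONSTRAINTS - restricted)]
    return findings


# Constructed sample data (not taken from any real project).
SAMPLE_IAM_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/viewer", "members": ["group:auditors@example.com"]},
        {"role": "roles/run.invoker",
         "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/editor", "members": ["user:bob@contractor.net"]},
    ]
}
SAMPLE_ORG_POLICIES = [
    {"name": "projects/example-project/policies/iam.disableServiceAccountKeyCreation",
     "spec": {"rules": [{"enforce": True}]}},
    {"name": "projects/example-project/policies/gcp.resourceLocations",
     "spec": {"rules": [{"values": {"allowedValues": ["in:eu-locations"]}}]}},
]

if __name__ == "__main__":
    for line in (audit_iam_policy(SAMPLE_IAM_POLICY, {"example.com"})
                 + audit_org_policies(SAMPLE_ORG_POLICIES)):
        print(line)
```

The group binding to roles/viewer is still reported, since the article's recommendation is predefined roles over basic ones even for read-only access; the service account holding only roles/run.invoker produces no finding.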
VPC Architecture
A VPC per environment provides network isolation between development, staging, and production. Shared VPC enables central network governance while allowing project-level resource management: Shared VPC host projects own the VPC networks, and service projects attach to them. This separation lets network teams manage networking while application teams manage compute resources. Firewall rules should follow least privilege, with a default deny and explicit allows for required traffic. Hierarchical firewall policies enable organization-level firewall rules that apply across all VPCs.

Private Service Connect
Private Service Connect enables private connectivity to Google services and third-party services without exposing traffic to the internet; service endpoints use private IP addresses. VPC peering connects VPCs for private communication but does not support transitive peering, and it should be used carefully to avoid creating unintended connectivity.

Egress Control
Cloud NAT provides outbound internet connectivity for private instances without public IP addresses and should be combined with firewall rules that restrict egress to approved destinations. DNS policies enable custom DNS resolution and DNS forwarding, supporting hybrid cloud architectures, and can enforce the use of private DNS zones.

Data Protection
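The least-privilege firewall guidance in the VPC Architecture section can be checked mechanically against a rule export. The following is an added example, not from the original article or from Google; it reads rule dictionaries shaped like `gcloud compute firewall-rules list --format=json` (field names as assumed here) and reports enabled ingress allow rules that are reachable from the internet, with extra attention to SSH/RDP and to rules that have no target tags or service accounts and therefore apply to every instance. The sample rules are constructed.

```python
"""Flag internet-exposed VPC firewall rules.

Added example, not from the original article or Google tooling. Rule dicts follow
the shape of `gcloud compute firewall-rules list --format=json` (name, direction,
priority, disabled, sourceRanges, targetTags, targetServiceAccounts, allowed[]
with IPProtocol and ports); the sample rules below are constructed.
"""
from __future__ import annotations

INTERNET_RANGES = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389}  # SSH and RDP


def expand_ports(ports: list[str] | None) -> set[int] | None:
    """Expand ['22', '8000-8010'] into a set of ints; None means every port."""
    if not ports:
        return None
    result: set[int] = set()
    for spec in ports:
        low, _, high = spec.partition("-")
        result.update(range(int(low), int(high or low) + 1))
    return result


def audit_firewall_rules(rules: list[dict]) -> list[str]:
    """Return findings for enabled ingress allow rules reachable from the internet."""
    findings: list[str] = []
    for rule in rules:
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue
        if not set(rule.get("sourceRanges", [])) & INTERNET_RANGES:
            continue  # source is not the whole internet; out of scope for this check
        name = rule["name"]
        for allowed in rule.get("allowed", []):
            proto = allowed.get("IPProtocol", "all")
            ports = expand_ports(allowed.get("ports"))
            if proto == "all" or (proto in ("tcp", "udp") and ports is None):
                findings.append(f"{name}: allows {proto} on all ports from the internet")
            elif ports and ports & ADMIN_PORTS:
                exposed = sorted(ports & ADMIN_PORTS)
                findings.append(f"{name}: exposes admin ports {exposed} to the internet")
        if not rule.get("targetTags") and not rule.get("targetServiceAccounts"):
            findings.append(f"{name}: no target tags or service accounts, "
                            "applies to every instance in the VPC")
    return findings


# Constructed sample export (not from a real project).
SAMPLE_RULES = [
    {"name": "allow-ssh-anywhere", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-web", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["0.0.0.0/0"], "targetTags": ["web"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
    {"name": "allow-internal", "direction": "INGRESS", "priority": 65534,
     "sourceRanges": ["10.128.0.0/9"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "legacy-all", "direction": "INGRESS", "priority": 900, "disabled": True,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "allow-rdp-range", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3000-4000"]}]},
    {"name": "allow-all-egress", "direction": "EGRESS", "priority": 1000,
     "destinationRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
]

if __name__ == "__main__":
    for line in audit_firewall_rules(SAMPLE_RULES):
        print(line)
```

The `allow-rdp-range` rule is the case worth noticing: a port range that looks like an application range quietly includes 3389, which is why the check expands ranges rather than comparing strings. Egress rules are skipped here because egress control is covered by Cloud NAT plus its own rule set, as the Egress Control section describes.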
Cloud KMS and Cloud HSM
Cloud Key Management Service (KMS) provides centralized key management with customer-managed encryption keys (CMEK). Cloud HSM provides FIPS 140-2 Level 3 certified hardware security modules for regulated workloads. Per-project keys with separation of duties prevent a single-project compromise from affecting all projects. Key rotation should be automated, with monitoring of key usage. Default encryption uses Google-managed keys; CMEK gives customers control over the encryption keys for regulated workloads that require key management independent of Google.

Cloud Storage Security
Uniform bucket-level access simplifies access control by using only IAM policies and disabling legacy ACLs. Public access prevention blocks public access to buckets and objects regardless of IAM policies. Signed URLs provide time-limited access to objects without requiring authentication; the signed URL TTL should be short to limit the exposure window. Object versioning and retention policies protect against accidental deletion and ransomware, and retention policies prevent deletion during the retention period.

Logging and Threat Detection
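The Cloud Storage settings above (uniform bucket-level access, public access prevention, versioning, locked retention, CMEK) and the signed-URL TTL rule can be verified from bucket metadata and from the URL itself. The following is an added example, not from the original article or from Google; the bucket dictionaries follow the JSON API bucket resource fields as assumed here, and the signed URLs are constructed V4-style URLs whose `X-Goog-Expires` parameter carries the lifetime in seconds. The 15-minute TTL limit is a policy choice assumed for the example.

```python
"""Check Cloud Storage bucket metadata and signed-URL lifetimes.

Added example, not from the original article or Google tooling. Bucket dicts
follow the JSON API bucket resource (iamConfiguration, versioning,
retentionPolicy, encryption) as assumed here; URLs and buckets are constructed.
"""
from __future__ import annotations
from urllib.parse import parse_qs, urlparse

MAX_SIGNED_URL_SECONDS = 15 * 60  # assumed policy limit for this example


def audit_bucket(bucket: dict) -> list[str]:
    """Return findings for the hardening settings the article recommends."""
    name = bucket.get("name", "<unnamed>")
    findings: list[str] = []
    iam_cfg = bucket.get("iamConfiguration", {})
    if not iam_cfg.get("uniformBucketLevelAccess", {}).get("enabled"):
        findings.append(f"{name}: uniform bucket-level access disabled, legacy ACLs still in effect")
    if iam_cfg.get("publicAccessPrevention") != "enforced":
        findings.append(f"{name}: public access prevention not enforced")
    if not bucket.get("versioning", {}).get("enabled"):
        findings.append(f"{name}: object versioning disabled")
    retention = bucket.get("retentionPolicy")
    if retention is None:
        findings.append(f"{name}: no retention policy")
    elif not retention.get("isLocked"):
        findings.append(f"{name}: retention policy not locked (can be shortened or removed)")
    if not bucket.get("encryption", {}).get("defaultKmsKeyName"):
        findings.append(f"{name}: default Google-managed encryption, no CMEK key")
    return findings


def signed_url_ttl_seconds(url: str) -> int:
    """Read the lifetime a V4 signed URL was issued with (X-Goog-Expires, seconds)."""
    query = parse_qs(urlparse(url).query)
    return int(query["X-Goog-Expires"][0])


def signed_url_ttl_ok(url: str, max_seconds: int = MAX_SIGNED_URL_SECONDS) -> bool:
    return signed_url_ttl_seconds(url) <= max_seconds


# Constructed samples.
HARDENED_BUCKET = {
    "name": "prod-reports",
    "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": True},
                         "publicAccessPrevention": "enforced"},
    "versioning": {"enabled": True},
    "retentionPolicy": {"retentionPeriod": "2592000", "isLocked": True},
    "encryption": {"defaultKmsKeyName":
                   "projects/example-project/locations/europe-west1/keyRings/storage/cryptoKeys/reports"},
}
DEFAULT_BUCKET = {
    "name": "scratch-uploads",
    "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": False},
                         "publicAccessPrevention": "inherited"},
}
SHORT_URL = ("https://storage.googleapis.com/prod-reports/q3.pdf"
             "?X-Goog-Algorithm=GOOG4-RSA-SHA256&X-Goog-Date=20240101T000000Z"
             "&X-Goog-Expires=600&X-Goog-SignedHeaders=host&X-Goog-Signature=SIGNATURE_PLACEHOLDER")
LONG_URL = SHORT_URL.replace("X-Goog-Expires=600", "X-Goog-Expires=604800")  # seven days

if __name__ == "__main__":
    for bucket in (HARDENED_BUCKET, DEFAULT_BUCKET):
        print(bucket["name"], audit_bucket(bucket) or "ok")
    print("short url ok:", signed_url_ttl_ok(SHORT_URL), "long url ok:", signed_url_ttl_ok(LONG_URL))
```

An unlocked retention policy is flagged separately from a missing one because an unlocked policy can be shortened or removed by anyone with bucket update permission, which is exactly the path a ransomware-style deletion would take.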
Cloud Audit Logs
Cloud Audit Logs capture Admin Activity, Data Access, System Event, and Policy Denied logs. Admin Activity logs are enabled by default and free, while Data Access logs require explicit enablement and incur costs. Log Router sinks forward logs to centralized projects, Cloud Storage, BigQuery, or Pub/Sub for analysis and retention. Centralized logging projects provide isolation and prevent log tampering. Retention policies should balance compliance requirements with storage costs; critical security logs typically require 90-day to one-year retention.

Security Command Center
Security Command Center (SCC) provides unified security and risk management, including security posture management, threat detection, and compliance monitoring. SCC scans for misconfigurations, vulnerabilities, and threats across GCP resources. SCC findings include Security Health Analytics results, Web Security Scanner results, and Event Threat Detection alerts, and should be integrated with incident response workflows. The SCC Premium tier adds container threat detection, virtual machine threat detection, and compliance monitoring.

Chronicle SIEM
Chronicle provides a cloud-native SIEM with petabyte-scale log analysis and threat intelligence integration, ingesting logs from GCP and external sources for unified security monitoring. Event Threat Detection analyzes Cloud Audit Logs for suspicious activity including malware, cryptomining, and data exfiltration, and its findings integrate with Security Command Center.

Container and Compute Security
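The Cloud Audit Logs and Chronicle sections describe forwarding Admin Activity logs to a central sink and analyzing them for suspicious activity. The following is an added example of that analysis, not from the original article or from Google; it runs a few detections over entries shaped like the AuditLog JSON a Log Router sink writes (`protoPayload.methodName`, `authenticationInfo.principalEmail`, and `serviceData.policyDelta.bindingDeltas` for IAM changes, as assumed here), catching service account key creation, basic roles or public and external principals being granted, and log sink tampering. The sample entries are constructed.

```python
"""Detections over exported Cloud Audit Log entries.

Added example, not from the original article or Google tooling. Entries use the
AuditLog JSON shape a Log Router sink delivers (protoPayload.serviceName,
methodName, resourceName, authenticationInfo.principalEmail and, for IAM
changes, serviceData.policyDelta.bindingDeltas), as assumed here; the sample
entries below are constructed.
"""
from __future__ import annotations
import json
from typing import Iterable

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
BASIC_ROLES = {"roles/owner", "roles/editor"}
SINK_TAMPER_METHODS = {
    "google.logging.v2.ConfigServiceV2.DeleteSink",
    "google.logging.v2.ConfigServiceV2.UpdateSink",
}


def _alert(rule: str, payload: dict, detail: str) -> dict:
    return {"rule": rule,
            "actor": payload.get("authenticationInfo", {}).get("principalEmail", "unknown"),
            "resource": payload.get("resourceName", ""),
            "detail": detail}


def detect(entries: Iterable[dict], trusted_domains: set[str]) -> list[dict]:
    """Return one alert dict per suspicious entry, in log order."""
    alerts: list[dict] = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        method = payload.get("methodName", "")
        if method == "google.iam.admin.v1.CreateServiceAccountKey":
            alerts.append(_alert("sa_key_created", payload, "long-lived service account key minted"))
        if method in SINK_TAMPER_METHODS:
            alerts.append(_alert("log_sink_tampered", payload, method.rsplit(".", 1)[-1]))
        deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for delta in deltas:
            if delta.get("action") != "ADD":
                continue  # removals are not escalations
            role, member = delta.get("role", ""), delta.get("member", "")
            if member in PUBLIC_MEMBERS:
                alerts.append(_alert("public_principal_granted", payload, f"{member} -> {role}"))
            elif role in BASIC_ROLES:
                alerts.append(_alert("basic_role_granted", payload, f"{member} -> {role}"))
            elif member.startswith("user:") and member.rsplit("@", 1)[-1] not in trusted_domains:
                alerts.append(_alert("external_user_granted", payload, f"{member} -> {role}"))
    return alerts


def detect_jsonl(text: str, trusted_domains: set[str]) -> list[dict]:
    """Same detections over newline-delimited JSON, as written to a Cloud Storage sink."""
    return detect((json.loads(line) for line in text.splitlines() if line.strip()), trusted_domains)


# Constructed sample entries (no real project, principal or resource).
SAMPLE_ENTRIES = [
    {"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
     "protoPayload": {"serviceName": "iam.googleapis.com",
                      "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
                      "resourceName": "projects/-/serviceAccounts/ci@example-project.iam.gserviceaccount.com",
                      "authenticationInfo": {"principalEmail": "dev@example.com"}}},
    {"protoPayload": {"serviceName": "cloudresourcemanager.googleapis.com", "methodName": "SetIamPolicy",
                      "resourceName": "projects/example-project",
                      "authenticationInfo": {"principalEmail": "admin@example.com"},
                      "serviceData": {"policyDelta": {"bindingDeltas": [
                          {"action": "ADD", "role": "roles/owner", "member": "user:bob@example.com"}]}}}},
    {"protoPayload": {"serviceName": "storage.googleapis.com", "methodName": "storage.setIamPermissions",
                      "resourceName": "projects/_/buckets/prod-reports",
                      "authenticationInfo": {"principalEmail": "bob@example.com"},
                      "serviceData": {"policyDelta": {"bindingDeltas": [
                          {"action": "ADD", "role": "roles/storage.objectViewer", "member": "allUsers"}]}}}},
    {"protoPayload": {"serviceName": "cloudresourcemanager.googleapis.com", "methodName": "SetIamPolicy",
                      "resourceName": "projects/example-project",
                      "authenticationInfo": {"principalEmail": "bob@example.com"},
                      "serviceData": {"policyDelta": {"bindingDeltas": [
                          {"action": "ADD", "role": "roles/viewer", "member": "user:mallory@outside.net"}]}}}},
    {"protoPayload": {"serviceName": "logging.googleapis.com",
                      "methodName": "google.logging.v2.ConfigServiceV2.DeleteSink",
                      "resourceName": "projects/example-project/sinks/central-security",
                      "authenticationInfo": {"principalEmail": "bob@example.com"}}},
    {"protoPayload": {"serviceName": "storage.googleapis.com", "methodName": "storage.buckets.list",
                      "authenticationInfo": {"principalEmail": "auditor@example.com"}}},
]
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in SAMPLE_ENTRIES)

if __name__ == "__main__":
    for alert in detect(SAMPLE_ENTRIES, {"example.com"}):
        print(alert["rule"], alert["actor"], alert["resource"], alert["detail"])
```

The sink-deletion rule is the one to route with highest priority: it fires on the project's own logging configuration, and if the central sink is what feeds the SIEM, everything after that entry may simply never arrive, which is the tampering the centralized logging project is meant to resist.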
Google Kubernetes Engine Security
GKE Workload Identity gives Kubernetes service accounts GCP IAM identities, eliminating service account keys, and should be enabled for all GKE clusters. Pod Security Standards enforce security policies at the pod level, preventing privileged containers and insecure configurations. Binary Authorization requires cryptographic signatures on container images before deployment. Private GKE clusters disable public IP addresses on nodes, requiring Cloud NAT or VPN for outbound connectivity. Shielded GKE nodes provide verifiable node integrity through Secure Boot and a virtual Trusted Platform Module. GKE Autopilot provides an opinionated, secure-by-default cluster configuration with automatic security updates and hardening.

Cloud Run and Cloud Functions
Cloud Run minimum instances reduce cold starts but increase costs. IAM-based authentication should be required for Cloud Run services, preventing unauthenticated access. VPC connectors enable Cloud Run and Cloud Functions to access resources in VPC networks; connector configuration should follow least privilege. Cloud Functions should use least-privilege service accounts with minimal IAM permissions. Function environment variables should not contain secrets; use Secret Manager instead.

Conclusion
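The Pod Security Standards point above, and the point about secrets in environment variables, both come down to checks on the pod manifest. The following is an added example, not from the original article or from any Kubernetes or GKE tooling; it evaluates a pod dictionary against the controls of the restricted profile (host namespaces, hostPath volumes, privileged containers, privilege escalation, non-root, dropped capabilities, seccomp) and additionally flags environment variables with secret-like names that carry a literal value instead of a secret reference. The manifests and the secret-name pattern are constructed for the example.

```python
"""Check a pod manifest against the Pod Security Standards "restricted" profile.

Added example, not from the original article or any Kubernetes/GKE tooling. The
manifests below are constructed; SECRET_NAME_RE is a heuristic chosen for this
example, not a Kubernetes rule.
"""
from __future__ import annotations
import re

SECRET_NAME_RE = re.compile(r"(SECRET|PASSWORD|PASSWD|TOKEN|API_KEY|PRIVATE_KEY)", re.I)
ALLOWED_ADDED_CAPS = {"NET_BIND_SERVICE"}  # the only capability the restricted profile permits adding


def check_pod(pod: dict) -> list[str]:
    """Return one finding per violated control; an empty list means the pod passes."""
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<pod>")
    pod_sc = spec.get("securityContext", {})
    findings: list[str] = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(f"{name}: {flag} enabled")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"{name}: hostPath volume {vol.get('name')}")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        cname = f"{name}/{c.get('name')}"
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{cname}: privileged")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{cname}: allowPrivilegeEscalation must be false")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(f"{cname}: runAsNonRoot not set")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{cname}: capabilities.drop must include ALL")
        extra = set(caps.get("add", [])) - ALLOWED_ADDED_CAPS
        if extra:
            findings.append(f"{cname}: adds capabilities {sorted(extra)}")
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{cname}: seccompProfile must be RuntimeDefault or Localhost")
        for env in c.get("env", []):
            if SECRET_NAME_RE.search(env.get("name", "")) and "value" in env:
                findings.append(f"{cname}: env {env['name']} holds a literal secret, use a secret reference")
    return findings


# Constructed manifests.
COMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "api"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "app", "image": "example.com/api:1.0",
            "securityContext": {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}},
            "env": [{"name": "DB_PASSWORD",
                     "valueFrom": {"secretKeyRef": {"name": "db", "key": "password"}}}],
        }],
    },
}
NONCOMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "shell", "image": "example.com/tools:latest",
            "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}},
            "env": [{"name": "API_TOKEN", "value": "literal-token-placeholder"}],
        }],
    },
}

if __name__ == "__main__":
    for pod in (COMPLIANT_POD, NONCOMPLIANT_POD):
        print(pod["metadata"]["name"], check_pod(pod) or "passes restricted profile")
```

`DB_PASSWORD` in the compliant pod produces no finding because it is populated from a `secretKeyRef` rather than a literal; the same rule applied to a Cloud Functions or Cloud Run service would expect a Secret Manager reference instead, as the text recommends.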
Google Cloud security depends on GCP-specific constructs: the resource hierarchy, organization policies, VPC Service Controls, and workload identity. Security engineers design GCP architectures around project isolation, centralized governance, and comprehensive monitoring. Success requires understanding the GCP security services and how they combine to provide defense in depth. Organizations that invest in these fundamentals build secure cloud infrastructure that uses GCP's security capabilities while maintaining compliance and operational efficiency.