GOOGLE CLOUD PLATFORM SECURITY
Google Cloud Platform meets rigorous privacy and compliance standards that test for data safety, privacy, and security.
Independent Audits of Infrastructure, Services, and Operations
Our customers and regulators expect independent verification of security, privacy and compliance controls. Google undergoes several independent third party audits on a regular basis to provide this assurance. This means that an independent auditor has examined the controls present in our data centers, infrastructure and operations. Google has annual audits for the following standards:
Google’s third party audit approach is designed to be comprehensive in order to provide assurances of Google’s level of information security with regard to confidentiality, integrity and availability. Customers may use these third party audits to assess how Google’s products can meet their compliance and data-processing needs.
Google Cloud has completed the Cloud Security Alliance (CSA) STAR Self-Assessment. Learn more here.
MTCS Tier 3 Certification (Singapore)
The Multi-Tier Cloud Security (MTCS) Singapore Standard (SS) 584 is a cloud security certification managed by the Singapore Infocomm Media Development Authority (IMDA). The standard has 3 tiers designed to certify cloud service providers at different levels of operational security, with Tier 3 having the most stringent requirements. At the conclusion of the assessment, which included an audit by an independent MTCS Certifying Body, 114 Google Cloud services and 20 datacenter sites received Tier 3 certification. The scope of services included in the certification highlights Google Cloud’s ongoing and continuous commitment to ensuring sound operational and security controls across all three service models: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS). The certificate can be downloaded here.
Google Cloud Platform and the EU Data Protection Directive
As part of Google’s rigorous privacy and compliance standards and commitment to our customers, Google Inc. is certified under the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. In addition, Google offers Cloud Platform customers EU model contract clauses as a method to meet the adequacy and security requirements of the EU Data Protection Directive. The European Union’s data protection authorities have concluded that Google’s model contract clauses meet EU regulatory expectations, confirming that Google Cloud services provide sufficient commitments to frame international data flows from Europe to the rest of the world. For details on the approval of the Google Cloud from the Article 29 Working Party, please see the respective decisions for G Suite and the Google Cloud Platform. Learn more about EU Data Protection.
Google Cloud Platform and G Suite comply with NIST 800-171
National Institute of Standards and Technology Special Publication 800-171 was released in June 2015. It focuses on protecting the confidentiality of Controlled Unclassified Information (CUI) in non-federal information systems and organizations, and defines security requirements to achieve that objective. The security controls of NIST 800-171 can be mapped directly to NIST 800-53. This mapping is available on page D-2 of the publication NIST.SP.800-171.
The services below have undergone an independent third party assessment that confirmed compliance with NIST 800-53 controls in scope for FedRAMP, which includes all requisite controls described in NIST 800-171. The attestation letter can be found here.
The list of services covered includes:
Google Cloud Platform and G Suite comply with NIST 800-53
National Institute of Standards and Technology Special Publication 800-53 (Rev 4) was released in April 2013. This publication has been developed by NIST to further its statutory responsibilities under the Federal Information Security Management Act (FISMA), Public Law (P.L.) 107-347. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems.
The services below have undergone an independent third party assessment that confirmed the services are operating in compliance with NIST 800-53 controls. The attestation letter can be found here.
The list of services covered includes:
Protection of Personal Information and My Number Data (Japan)
The Japanese government issues a unique number to every resident of Japan (both foreign and domestic). This number, also referred to as the Social Benefits or Tax Number, is protected by the “My Number Act”.
The responsibility to protect personal information and “My Number” data lies with our customers when using Google Cloud Platform. Google Cloud Platform products are ISO 27001 and ISO 27018 certified. These are international certifications related to practices to protect information (such as personal information and “My Number” data) and include appropriate access control measures.
FISC (Center for Financial Industry Information Systems) is a public interest incorporated foundation tasked with conducting research related to technology, utilization, control, and threat/defense related to financial information systems in Japan. One of the key documents created by the organization is the “FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions”. The document describes controls related to facilities, operations, and technical infrastructure.
MPAA Best Practices Guidelines
The Motion Picture Association of America (MPAA) has created a best practices guideline for cloud providers. Under a shared security model, customers using Google Cloud Platform can configure their cloud services to support these best practices. While not a formal certification, the control aspects of the guidelines map closely to Google’s existing third party audited core compliance programs, including ISO 27001, ISO 27017, ISO 27018, and CSA STAR certifications. This document details the MPAA controls that Google Cloud Platform supports. Google contracts with a third party auditor to validate these controls on a regular basis.
Sarbanes-Oxley Act (SOX)
As part of SOX requirements, each US public company is responsible for establishing and monitoring internal controls, including those maintained by a third party, such as a cloud service provider. Therefore, if a (potential) cloud customer is a US public company or planning to become public, they should think about how using a cloud provider impacts their financial reporting controls.
If a customer processes accounting or financial information on Google Cloud Platform, the customer’s management may determine that some Google Cloud Platform services are in scope for their SOX obligations. The customer’s management must make their own judgement regarding Google Cloud Platform’s SOX applicability. If the customer requests information about controls over specific GCP products, we refer them to the Google Cloud Platform Service Organization Control (SOC) 1 Type II report. This report includes Google’s descriptions of GCP systems and controls, an independent auditor opinion on the accuracy of management’s description, an independent auditor opinion on the appropriateness of the controls described in meeting the stated objectives, and an independent auditor opinion on the effectiveness of those controls in meeting the stated objectives.
Australian Privacy Principles
The Privacy Act 1988 (Cth) (Privacy Act), which includes the Australian Privacy Principles (APPs), regulates the way APP entities collect, use, and manage individuals’ personal and sensitive information.
While customers are responsible for ensuring that they comply with their obligations under the Privacy Act (including the APPs), this white paper helps customers understand how information is stored, processed, maintained, accessed, and secured in Google Cloud when using Google Cloud Platform and G Suite.
Australian Prudential Regulation Authority (APRA) Standards
In Australia, the financial services industry is regulated by the Australian Prudential Regulation Authority (APRA). APRA’s mission is to establish and enforce prudential standards designed to ensure that, under all reasonable circumstances, financial promises made by the institutions it supervises are met within a stable, efficient, and competitive financial system. The Prudential standards CPS 231, CPG 234, and CPG 235 are three such standards and practice guides that govern outsourcing, management of security risk in information and information technology, and managing data risk respectively.
We have recently produced two whitepapers in response to the three Prudential standards mentioned above. The first whitepaper provides general information to financial institutions looking to use Google Cloud services, with discussion limited to the APRA Prudential Standard CPS 231. In the second whitepaper, which outlines Google Cloud’s response to APRA CPG 234 and CPG 235, we map the GCP and G Suite controls and processes outlined in our Service Organization Controls (SOC) 2 Type II report to the set of security guidelines and controls spelled out under APRA CPG 234 and CPG 235. The mapping is designed to provide a more digestible format of Google Cloud’s compliance controls corresponding to the specific APRA requirements. To access this control mapping, customers can contact the Cloud sales team.
Esquema Nacional de Seguridad (Spain)
The ENS (Esquema Nacional de Seguridad) accreditation scheme has been developed by ENAC in close collaboration with the Ministry of Finance and Public Administration and the National Cryptologic Centre (CCN). The ENS was established as part of Royal Decree 3/2010. This decree, and its updated amendment Royal Decree 951/2015, serve to establish principles and requirements for the adequate protection of information for public sector entities. Google Cloud (GCP and G Suite) has successfully met all requirements to comply at the High level with the ENS, Royal Decree 3/2010, and Royal Decree 951/2015.