Google Cloud Security - The Complete Guide

Practitioner-grade guide to securing Google Cloud - shared responsibility, Google's security differentiators, the core services (Security Command Center, VPC Service Controls, IAM, Cloud KMS, Workload Identity Federation, BeyondCorp, Confidential Computing, Assured Workloads), reference architecture, the GCP-specific attack paths, and cross-references to every discipline page.

Rows of cloud data center servers with status lights
Photo on Pexels

· · Vendor-neutral · View source on GitHub

The 30-second version: Google Cloud is the smallest of the big three by revenue but ships the most opinionated security platform - every project encrypted-by-default since 2014, hardware root of trust on Google's own Titan chips, BeyondCorp as a productized zero-trust model, and VPC Service Controls as a data-exfil-prevention primitive the other clouds don't have. The pivot point of any GCP security program is the org / folder / project hierarchy, governed by Organization Policy and observed by Security Command Center.

In 2026 the GCP security story is: SCC Enterprise (Chronicle SecOps + Mandiant inside SCC) on the detection side, Workload Identity Federation displacing service-account keys, Binary Authorization + GKE Security Posture for containers, and Assured Workloads for FedRAMP/IL/ITAR/HIPAA workloads that previously needed a separate cloud. The killer feature remains VPC Service Controls; the killer footgun remains the default Compute Engine service account.

On this page

  1. Shared responsibility on GCP
  2. Google's security differentiators
  3. GCP Architecture Framework - Security pillar
  4. Core GCP security services
  5. Reference architecture - landing zone
  6. Top 10 GCP security misconfigurations
  7. GCP-specific attack paths
  8. VPC Service Controls deep-dive
  9. GCP service comparisons
  10. By discipline - GCP anchors
  11. GCP certifications
  12. GCP-native vs third-party
  13. Further reading
  14. FAQ
  15. Where next

Shared responsibility on GCP

The shared-responsibility model on Google Cloud follows the same shape as AWS and Azure but with Google's own vocabulary. Google is responsible for security of the cloud - the hardware, hypervisor, physical facilities, the global network, the operating systems under managed services, and the security of every API endpoint. You are responsible for security in the cloud - the configuration of IAM, the projects you create, the workloads you deploy, the data you store, and the policies you enforce.

The line moves with the service. For Compute Engine (IaaS), you own the guest OS, the patches, the workload, and the IAM. For Cloud Run or App Engine (PaaS), Google owns the runtime - you own the container image, the IAM, the data. For managed services like BigQuery, Cloud Storage, Pub/Sub, and Spanner, you own the data, the IAM bindings, and the access controls; Google owns everything underneath. Knowing exactly where the line falls for each service is the entire job of a GCP security architect.

Layer Google's responsibility Your responsibility
Physical & hardware Data centers, Titan chips, custom silicon, hardware lifecycle None
Global network Backbone, encryption in transit between regions, DDoS at edge VPC design, firewall rules, Cloud NAT, peering
Hypervisor & host OS Patched, hardened, attested with Shielded VM root of trust None
Managed services (BigQuery, GCS, Pub/Sub) Runtime, patching, availability, encryption-at-rest IAM, data classification, VPC SC perimeter, KMS key choice
Compute Engine guest OS None (boot image is yours) Patching, hardening, agent management, OS Login config
Identity Cloud Identity / Workspace IdP, IAM service, SSO infrastructure Users, groups, service accounts, role bindings, conditional access
Data Encryption-at-rest by default, durability, regional residency Classification, retention, CMEK vs Google-managed keys, DLP
Audit log integrity Generation of Admin Activity logs (free, immutable) Configure Data Access logs, route to log sink, retain per policy

Google's security differentiators

Google Cloud's security story is rooted in the same infrastructure that runs Search, Gmail, and YouTube - the world's largest production target for nation-state attackers since the early 2000s. The defensive primitives that protect those services are exposed to GCP customers, and several of them have no clean equivalent at AWS or Azure.

BeyondCorp origin

Google invented productized zero-trust. After Operation Aurora (2009-2010), Google rebuilt internal access around identity + device context per request, with no network-based trust. The result became BeyondCorp, published in 2014, and now sold as BeyondCorp Enterprise with Identity-Aware Proxy and Access Context Manager. GCP customers can adopt the same model end-to-end without bolting on a third-party ZTNA.

Encryption-by-default since 2014

Every byte stored on Google Cloud is encrypted at rest by default, with Google-managed keys, and has been since 2014. You can upgrade to Customer-Managed Encryption Keys (CMEK) via Cloud KMS, then to Customer-Supplied (CSEK) or External Key Manager (EKM) if you need to hold keys outside Google's boundary. No checkbox to remember to enable.

Titan chips & custom silicon

Google designs its own server silicon. Titan chips provide a hardware root of trust on every server, every networking device, and every peripheral, signing boot firmware before code executes. Combined with Shielded VMs (vTPM, integrity monitoring) and Confidential VMs (AMD SEV / Intel TDX memory encryption), the chain of trust extends from the silicon to the workload.

VPC Service Controls

The single most-distinctive GCP security primitive. A logical perimeter around Google-managed services that prevents data movement across the boundary regardless of IAM. The right answer to the question "how do I prevent a compromised credential from exfiltrating a BigQuery dataset to a personal GCS bucket?" - no AWS or Azure equivalent operates at the same layer.

Mandiant + Chronicle

Google acquired Mandiant (2022) and built its threat intel into Chronicle SecOps, now bundled inside SCC Enterprise. The result: SCC findings can be enriched with Mandiant-attributed adversary context out of the box, and Chronicle's flat-fee ingest pricing removes the per-GB anxiety of traditional SIEMs.

Supply-chain integrity

Google originated Sigstore, SLSA (Supply-chain Levels for Software Artifacts), and Binary Authorization. The story end-to-end: build attestations in Cloud Build, store images in Artifact Registry with vulnerability scanning, require Binary Authorization before deploy to GKE / Cloud Run. The supply-chain primitives are first-class on GCP in a way they aren't elsewhere.

GCP Architecture Framework - Security pillar

Google publishes the Google Cloud Architecture Framework as its opinion on how customers should design GCP workloads. The Security pillar is the practitioner's reference; it organizes the work into seven principles:

Core GCP security services

Opinionated 2-3 sentences on each. Where a service has a clear analog elsewhere, the comparison points you to the cross-cloud page.

Detection & monitoring

Identity & access

Network cabling in a data center
Photo on Pexels

Data protection

Network security

Compliance & governance

Posture & governance

Container & Kubernetes security

Reference architecture - GCP landing zone

A defensible GCP landing zone has four moving pieces - the hierarchy, the org policies, the perimeters, and the central log sink. Get these right and most other controls compose cleanly on top.

1. The org / folder / project hierarchy

The hierarchy is the unit of blast radius. A typical pattern:

Use the landing-zones page for the general pattern; this is the GCP-specific variant.

2. Organization Policy constraints applied at the top

Apply these as a baseline at the org or top-level folder, override down where exceptions are justified:

3. VPC Service Controls perimeters

One perimeter around production. Inside the perimeter: BigQuery, Cloud Storage, Pub/Sub, Cloud KMS, Cloud SQL, every service holding regulated data. Ingress rules permit specific identities from specific networks; egress rules permit specific outbound paths (e.g., to a partner project). The perimeter denies everything else, regardless of IAM. See the deep-dive for design patterns.

4. Central log sink to a dedicated security project

One aggregated log sink at the org level, routing all Admin Activity + Data Access + System Event + Policy Denied audit logs into a single security-folder project. From there: split sinks to BigQuery (for analytics), Cloud Storage with Bucket Lock (for tamper-evident retention), Pub/Sub (for streaming to Chronicle or an external SIEM), and a Cloud Logging bucket (for short-term operational queries). The security project is the only place humans hold the IAM to read these logs.

Top 10 GCP security misconfigurations

The findings every CSPM tool will surface in any GCP environment that hasn't been actively hardened:

  1. Public GCS bucket. Bucket-level IAM granted to allUsers or allAuthenticatedUsers. The most common cause of accidental data exposure on GCP. Fix: enforce constraints/storage.publicAccessPrevention at the org level; audit existing buckets with Asset Inventory.
  2. allUsers / allAuthenticatedUsers IAM bindings. Not limited to GCS - Pub/Sub topics, Cloud Functions, Cloud Run services, and BigQuery datasets can all be granted to the public principals. Search the org's IAM bindings for these and treat each match as an incident.
  3. Default Compute Engine SA at Editor. Legacy projects auto-grant roles/editor to the default Compute Engine SA. Every workload that uses it inherits ~almost-everything. Fix: enable the automatic-IAM-grants constraint, assign least-privilege SAs per workload, deprecate the default.
  4. No VPC Service Controls. Data sits in BigQuery and GCS protected only by IAM. A single compromised credential is sufficient to exfiltrate. Add a perimeter even if it starts in dry-run mode.
  5. Project-level over-privilege. Engineers granted roles/editor or roles/owner on whole projects "to unblock work." Editor and Owner are essentially admin in GCP's model. Replace with task-specific roles (custom or curated predefined).
  6. No audit log sinks. Admin Activity logs flow to Cloud Logging but aren't routed to long-term storage; Data Access logs aren't enabled at all. When you need them for IR, they're 30 days old at best. Fix: aggregated sink at org level on day one.
  7. Exposed Firebase / public Firestore rules. Firebase projects auto-create Firestore and Realtime Database with permissive default rules. Whole Firestore exposures are routinely discovered via security research tooling. Audit the rules file on every Firebase project.
  8. Cloud Function / Cloud Run with --allow-unauthenticated. Deploys with public-internet invocation. Sometimes intentional (a public API); often not. Audit per project; for non-public services, require IAP or IAM-based invocation.
  9. Hardcoded SA JSON keys in code. The single biggest preventable GCP incident class. The fix is Workload Identity Federation for everything outside GCP, Workload Identity for everything inside GKE, and the SA-key-creation constraint everywhere else.
  10. IAM "Owner" sprawl. Org or folder Owner roles granted as a convenience, never revoked. Owner can grant any IAM, modify Organization Policies, and self-escalate trivially. Treat Owner as break-glass-only; the daily-driver role is something tighter.

GCP-specific attack paths

The techniques offensive operators reach for in real GCP engagements. For the broader cloud-pentesting view see cloud-pentesting.html → GCP section.

Security operations center analyst monitoring multiple screens
Photo on Pexels

VPC Service Controls deep-dive

VPC SC is the GCP security primitive that has no clean equivalent at AWS or Azure. Understanding it well is the highest-leverage thing a GCP security engineer can do.

What it actually solves

IAM answers "who is allowed to call this API?" VPC SC answers "from where, and where can the data go?" The classic exfiltration scenario: an attacker compromises a workload with legitimate IAM permissions on a BigQuery dataset; the attacker queries the dataset and copies the result to a personal GCS bucket in their own project. IAM does not stop this - the call is authorized. VPC SC stops it - the perimeter denies the cross-perimeter API call regardless of IAM.

The threat model VPC SC defends against:

How to design perimeters

The hard part of VPC SC is not the technology - it's the design. The mental model that works:

Ingress and egress rules

The composition primitive is:

Every rule is auditable and shows in Policy Denied audit logs when it would have allowed something - the asymmetric value of VPC SC is that everything blocked at the perimeter is logged, even if no other detection fires.

GCP service comparisons

Quick reads on where the GCP-native option lands vs the leading alternative.

Decision GCP-native Alternative When the alternative wins
CNAPP / CSPM SCC Enterprise (Premium posture + Chronicle SIEM) Wiz, Orca, Prisma Cloud Multi-cloud breadth, agentless graph, cross-cloud attack paths - the third-party CNAPPs still win when your org runs AWS + Azure + GCP.
WAF / DDoS Cloud Armor Cloudflare, Akamai, AWS WAF Cloudflare wins on edge POPs and on bot management richness; Akamai on enterprise-scale managed WAF rules. Cloud Armor wins on tight Google-load-balancer integration and on cost.
SIEM / SOAR Chronicle SecOps (inside SCC Enterprise) Splunk, Microsoft Sentinel, Elastic Splunk wins on third-party connector breadth and SPL maturity; Sentinel wins inside Microsoft estates. Chronicle wins on TCO at scale and on Google-cloud-native data.
Zero-trust access BeyondCorp Enterprise (IAP + ACM) Zscaler, Cloudflare Access, Netskope Third-party ZTNAs win for cross-cloud and SaaS-heavy estates. BeyondCorp wins when most internal apps are on GCP or behind IAP.
Secret management Secret Manager HashiCorp Vault, AWS Secrets Manager, 1Password Secrets Vault wins on dynamic secrets and on multi-cloud. Secret Manager wins on GCP-native simplicity and on cost.

By discipline - GCP anchors on every page

Most readers come to this page wanting the GCP take on a discipline they already know. The cross-references below jump straight to the GCP section on each page:

GCP certifications

Google's security-relevant certification ladder is shorter than AWS's or Azure's, and the Professional Cloud Security Engineer remains the credential for the role. The pragmatic sequence:

For the cross-cloud certification roadmap, see Certifications.

GCP-native vs third-party

The honest take on where Google's first-party tooling outperforms the market, and where the third-party CNAPP / SIEM / ZTNA still wins.

Where GCP-native wins

Where third-party still wins

Further reading

Google primary sources

Community & offensive references

Related CSOH pages

FAQ

What is VPC Service Controls?

VPC Service Controls is a logical perimeter around Google-managed services that prevents data movement across the boundary regardless of IAM. A compromised credential inside the perimeter cannot copy data to a personal GCS bucket outside the perimeter, even with full IAM permissions, because the perimeter denies the API call at the service edge. There is no AWS or Azure equivalent that operates at the same layer; this is the single most distinctive primitive in GCP security.

Should I use Security Command Center Premium or Enterprise?

Standard is free and gives you Security Health Analytics and a basic posture view. Premium adds Event Threat Detection, Container Threat Detection, Web Security Scanner, and attack-path analysis. Enterprise is Premium plus the full Chronicle SecOps SIEM/SOAR stack with Mandiant threat intelligence, billed on data ingest. Pick Premium if you already have a SIEM you trust; pick Enterprise if you want Google's SecOps stack to be your SIEM.

How does Workload Identity Federation work?

Workload Identity Federation lets workloads outside GCP - on AWS, Azure, GitHub Actions, Kubernetes, or anything that issues OIDC tokens - assume a GCP service account without a long-lived service-account JSON key. The external identity provider issues a signed token; GCP validates it against a workload identity pool configuration; GCP returns a short-lived access token for a specific SA. It is the right answer to "how do I avoid SA-key leaks?" and is the GCP equivalent of AWS IAM Roles Anywhere or Azure Workload Identity.

What's Chronicle vs Splunk?

Chronicle (now Google SecOps, inside SCC Enterprise) is Google's cloud-native SIEM with flat-fee ingest pricing, YARA-L detections, and tight integration with Mandiant threat intel. Splunk is the incumbent SIEM with the deepest ecosystem of integrations and the most mature search language (SPL), but per-GB ingest pricing that scales painfully at high volume. Chronicle wins on TCO and on Google-cloud-native data; Splunk wins on third-party connector breadth and search flexibility.

Is the default Compute Engine service account a problem?

Yes. By default every Compute VM and Cloud Run service in a project runs as the Compute Engine default SA, which historically has the project Editor role. Editor is roughly "modify almost anything in the project" - including reading data and impersonating other SAs. Newer projects have a constraint that demotes the default SA, but legacy projects still have Editor. Fix: enable constraints/iam.automaticIamGrantsForDefaultServiceAccounts, bind every workload to a least-privilege SA, and treat the default SA as deprecated.

How does BeyondCorp relate to Zero Trust on GCP?

BeyondCorp is Google's internal zero-trust model from 2011, productized as BeyondCorp Enterprise. It pairs Identity-Aware Proxy (IAP) for context-aware access to internal apps with Access Context Manager for policy. The model: never trust the network, always verify identity + device + context per request. GCP customers can adopt the same pattern - IAP fronting internal apps, ACM defining the policy, Endpoint Verification proving device posture - without buying a third-party ZTNA. See the zero-trust page.

What is Assured Workloads, and when do I need it?

Assured Workloads carves out a folder of compliance-controlled projects inside your commercial GCP organization, with Google automatically enforcing the matching constraints (data-residency, personnel access, encryption, service availability). Pick a regime (FedRAMP Moderate/High, IL2/IL4/IL5, ITAR, HIPAA, CJIS, Canadian Protected B). Use it whenever you have a regulated workload that needs those constraints; it's the in-place alternative to a separate GovCloud-style tenant.

Where next