Google Cloud has updated its collection of security blueprints with a Secure Data Warehouse blueprint that customers can implement to safeguard the data they keep in the cloud.
Google's security blueprints combine best practices with opinionated guidance to help customers build stronger security into their cloud deployments. The Secure Data Warehouse blueprint, released today, is an actionable framework designed to preserve the security, confidentiality, and integrity of business data while it is stored in cloud data warehouses, in transit, or in use.
In a blog post, Google Senior Security Product Manager Andy Chang and Security and Compliance Customer Service Engineer Erlander Lo explained that the blueprint employs a layered security approach. Its goal is to minimize the amount of infrastructure that administrators need to manage, thereby reducing the attack surface available to attackers.
The blueprint encompasses four layers. A "landing area layer" handles how streaming or batch data is ingested, and a "data storage layer" covers data storage and de-identification. A "data classification and governance layer" manages data classification and the encryption taxonomy, and a "security posture layer" supports detection, monitoring, and response.
Chang and Lo said the blueprint benefits customers in a number of ways, with the main focus on strong security and flexibility. One of the main advantages is that it lets teams use infrastructure-as-code (IaC) techniques to analyze their security controls and compare them with their company's requirements for building, deploying, and operating data systems. IaC also simplifies regulatory and compliance reviews.
The layered approach also makes it easy to show security, risk, and compliance teams exactly which security controls have been implemented. The blog post includes a diagram that illustrates not only the security services built into the architecture, but also how they work together to protect data.
Another benefit of Google's reference architecture is that it allows users to define and monitor where data can and cannot flow. They can establish perimeters that confine data to specific projects and services, minimizing the risk of data exfiltration.
Additional controls can be added, such as blocking access to data from external IP addresses and ensuring that data in transit flows only over trusted networks. The blueprint also provides detailed identity and access management policies that limit access to different sets of data according to their sensitivity.
The blueprint also helps organizations meet complex compliance requirements. For example, users can address data minimization requirements with the cryptographic de-identification transformations in Google Cloud Data Loss Prevention, while data encryption is handled by keys managed in Google Cloud HSM.
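The controls described above (a data-flow perimeter, a block on external IP addresses, and encryption with customer-managed keys held in Cloud HSM) are the kind of thing the blueprint expresses as infrastructure as code. The Terraform below is an added illustration written for this article; it is not code from Google's blueprint or blog post. It uses the standard Google provider resources for VPC Service Controls, organization policy, Cloud KMS and BigQuery; the project ID, project number, access-policy number, region and key names are placeholders.

```hcl
# Added example (not from Google's blueprint): three of the controls the
# blueprint describes, expressed as Terraform. All IDs below are placeholders.

variable "project_id"       { default = "example-warehouse-project" } # placeholder
variable "project_number"   { default = "000000000000" }              # placeholder
variable "access_policy_id" { default = "000000000" }                 # placeholder: Access Context Manager policy number
variable "region"           { default = "us-central1" }               # placeholder

# 1. Data-flow perimeter: BigQuery and Cloud Storage APIs for the warehouse
#    project can only be called from inside this VPC Service Controls perimeter,
#    which limits where the data can be copied to.
resource "google_access_context_manager_service_perimeter" "warehouse" {
  parent = "accessPolicies/${var.access_policy_id}"
  name   = "accessPolicies/${var.access_policy_id}/servicePerimeters/warehouse"
  title  = "warehouse"
  status {
    resources           = ["projects/${var.project_number}"]
    restricted_services = ["bigquery.googleapis.com", "storage.googleapis.com"]
  }
}

# 2. Organization policy: no VM in the project may carry an external IP
#    address, so data paths stay on trusted, private networks.
resource "google_project_organization_policy" "no_external_ip" {
  project    = var.project_id
  constraint = "constraints/compute.vmExternalIpAccess"
  list_policy {
    deny {
      all = true
    }
  }
}

# 3. Customer-managed encryption: a symmetric key whose material lives in
#    Cloud HSM (protection_level = "HSM"), used as the default key for a
#    BigQuery dataset holding confidential data.
resource "google_kms_key_ring" "warehouse" {
  project  = var.project_id
  name     = "warehouse-keyring"   # placeholder name
  location = var.region
}

resource "google_kms_crypto_key" "warehouse_cmek" {
  name     = "warehouse-cmek"      # placeholder name
  key_ring = google_kms_key_ring.warehouse.id
  version_template {
    algorithm        = "GOOGLE_SYMMETRIC_ENCRYPTION"
    protection_level = "HSM"
  }
}

resource "google_bigquery_dataset" "confidential" {
  project    = var.project_id
  dataset_id = "confidential"      # placeholder name
  location   = var.region
  default_encryption_configuration {
    kms_key_name = google_kms_crypto_key.warehouse_cmek.id
  }
}

# 4. Least-privilege access: only one group may read the confidential dataset.
resource "google_bigquery_dataset_iam_binding" "confidential_readers" {
  project    = var.project_id
  dataset_id = google_bigquery_dataset.confidential.dataset_id
  role       = "roles/bigquery.dataViewer"
  members    = ["group:warehouse-analysts@example.com"] # placeholder group
}
```

Before `terraform apply`, the BigQuery service agent for the project needs `roles/cloudkms.cryptoKeyEncrypterDecrypter` on the key, and the perimeter should first be created in dry-run mode so that legitimate cross-project access shows up in the audit logs rather than being blocked outright. Because each control is a reviewable resource in version control, the "which controls are in place" question from a compliance review is answered by the code itself.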
The blueprint also describes how businesses can use tools such as Google Cloud Security Command Center and its Security Health Analytics for threat detection, so that every project covered by the blueprint is continuously monitored and the risk of misconfiguration is minimized.
Google said the Secure Data Warehouse blueprint has been reviewed by the Google Cybersecurity Action Team and by a third-party security team. Customers can download the blueprint now, or alternatively deploy a ready-to-use secure data warehouse from the accompanying Terraform.