
Google Cloud Platform

by Google LLC

Cloud platform with strong container and data analytics capabilities, built on Google infrastructure


Under Construction: This guidance is being actively developed and verified. Content may change.

Authoritative Sources

Key guidance documents from authoritative organizations.

Security baseline for GCP projects. Covers IAM, logging, networking, VMs, Cloud Storage, BigQuery, and GKE configurations.


Official security guidance including IAM, encryption, network security, and compliance considerations. Covers BeyondCorp zero trust, Security Command Center, and enterprise foundations blueprint.


NIST SP 800-144 Executive Summary: "Carefully plan the security and privacy aspects of cloud computing solutions before engaging them." §3.2: "Assurances furnished by the cloud provider to support security or privacy claims should be verified whenever possible through independent assessment." §4.4: "Organizations should specify data backup and recovery requirements, and determine whether the cloud provider's backup capabilities are adequate." §4.6: "Data encryption can help mitigate data confidentiality and integrity risks." GCP addresses these with Cloud KMS (customer-managed keys with scheduled rotation), encryption at rest enabled by default in Cloud Storage, and Cloud Audit Logs. The §3.2 verification requirement applies to Google's own controls as well, which are assessed through the provider's published third-party audit reports rather than customer testing.


NIST SP 800-145 defines "Resource pooling: The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model." GCP provides IaaS (Compute Engine), PaaS (App Engine), and SaaS (Google Workspace). The shared responsibility model applies: Google secures the underlying infrastructure, while the customer is responsible for IAM, network configuration, data classification, and workload hardening.


§5.3.6: "Keys should have a limited cryptoperiod." §6.2: "Secret keys require confidentiality protection during transit and storage." Google Cloud KMS provides scheduled automatic key rotation (for symmetric encrypt/decrypt keys), HSM-backed key storage at the HSM protection level, and key versioning so that data encrypted under an earlier version remains decryptable after rotation.


NIST SP 800-144 §4.4: "Understanding the cloud architecture is essential to understand the security boundaries and mechanisms." §4.6: "Software isolation is critical in multi-tenant environments to prevent data leakage between tenants." §5.2: "Organizations should perform due diligence when selecting cloud providers, assessing their security posture and compliance certifications."

NIST SP 800-125B §3.1: "Virtual networks must provide traffic isolation equivalent to physically separate networks." §4.3: "Deny-by-default policies should be implemented where traffic is blocked unless explicitly allowed." GCP VPC firewall rules and GKE network policies implement these virtual network security requirements. Note that a VPC network's implied rules deny all ingress but allow all egress, so deny-by-default for egress requires an explicit low-priority egress deny rule; the auto-created default network also ships with permissive rules (default-allow-ssh, default-allow-rdp, default-allow-icmp) that contradict §4.3 until removed.
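The deny-by-default requirement above is easiest to verify against the exported rule set rather than one rule at a time. The following is an added example, not code from Google Cloud or from the source documents: it reads the JSON that `gcloud compute firewall-rules list --format=json` emits, flags enabled ingress rules reachable from 0.0.0.0/0 or ::/0 (rating them HIGH when they open every port or a well-known admin or database port), and reports whether egress still relies on the VPC's implied allow-all rule. The embedded rule set is constructed for illustration; the rule names, ranges and ports are hypothetical, and the HIGH_RISK_PORTS list is a starting point to tune, not a standard.

```python
"""Audit exported VPC firewall rules for internet-exposed ingress and missing egress deny.

Usage: gcloud compute firewall-rules list --format=json | python3 audit_firewall.py
Run with no piped input to audit the constructed sample below.
"""
import json

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`,
# trimmed to the fields this script reads (hypothetical rules, not real project output).
SAMPLE_RULES_JSON = """
[
  {"name": "default-allow-ssh", "direction": "INGRESS", "priority": 65534, "disabled": false,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "allow-web", "direction": "INGRESS", "priority": 1000, "disabled": false,
   "sourceRanges": ["0.0.0.0/0"], "targetTags": ["web"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
  {"name": "allow-internal", "direction": "INGRESS", "priority": 1000, "disabled": false,
   "sourceRanges": ["10.128.0.0/9"], "allowed": [{"IPProtocol": "all"}]},
  {"name": "old-rdp", "direction": "INGRESS", "priority": 1000, "disabled": true,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
  {"name": "allow-db-range", "direction": "INGRESS", "priority": 900, "disabled": false,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["5000-6000"]}]}
]
"""

INTERNET_SOURCES = {"0.0.0.0/0", "::/0"}
# Ports whose exposure to the internet is almost never intended (assumption: tune per environment).
HIGH_RISK_PORTS = {22, 3389, 1433, 3306, 5432, 6379, 27017}


def port_set(allowed_entry):
    """Ports opened by one `allowed` entry as a set of ints, or None when the whole protocol is open.

    gcloud expresses ports as strings, either single ("22") or ranges ("5000-6000").
    """
    ports = allowed_entry.get("ports")
    if not ports:
        return None  # no port list means every port of that protocol (or IPProtocol "all")
    result = set()
    for spec in ports:
        lo, _, hi = spec.partition("-")
        hi = hi or lo
        result.update(range(int(lo), int(hi) + 1))
    return result


def classify_ingress(rule):
    """Severity for an enabled INGRESS rule open to the internet; None if it is not internet-facing."""
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
        return None
    if not INTERNET_SOURCES & set(rule.get("sourceRanges", [])):
        return None
    for entry in rule.get("allowed", []):
        ports = port_set(entry)
        if entry.get("IPProtocol") == "all" or ports is None or ports & HIGH_RISK_PORTS:
            return "HIGH"
    return "MEDIUM"  # internet-facing, but limited to ports that are often intentional (80/443 etc.)


def internet_exposed(rules):
    """Sorted (name, severity) for every enabled ingress rule reachable from 0.0.0.0/0 or ::/0."""
    findings = []
    for rule in rules:
        severity = classify_ingress(rule)
        if severity:
            findings.append((rule["name"], severity))
    return sorted(findings)


def egress_denied_by_rule(rules):
    """True if an enabled EGRESS rule denies all protocols to 0.0.0.0/0.

    Without one, the VPC's implied allow-all egress rule (priority 65535) is in effect,
    so egress is not deny-by-default regardless of how ingress is configured.
    """
    for rule in rules:
        if rule.get("direction") != "EGRESS" or rule.get("disabled"):
            continue
        if "0.0.0.0/0" not in rule.get("destinationRanges", []):
            continue
        if any(d.get("IPProtocol") == "all" for d in rule.get("denied", [])):
            return True
    return False


def audit(rules_json):
    """Full report for one project's exported rules."""
    rules = json.loads(rules_json)
    return {"internet_exposed": internet_exposed(rules),
            "egress_deny_by_default": egress_denied_by_rule(rules)}


if __name__ == "__main__":
    import sys
    text = SAMPLE_RULES_JSON if sys.stdin.isatty() else sys.stdin.read()
    report = audit(text)
    for name, severity in report["internet_exposed"]:
        print(f"{severity:6} ingress open to internet: {name}")
    if not report["egress_deny_by_default"]:
        print("WARN   no explicit egress deny to 0.0.0.0/0; implied allow-all egress applies")
```

A disabled rule such as `old-rdp` is skipped but still worth deleting, since re-enabling it is a one-flag change; a rule whose `targetTags` or `targetServiceAccounts` scope it narrowly (like `allow-web`) is reported at MEDIUM so the reviewer can confirm that scoping rather than assume it.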


CCM IVS-04: "Segmented network environments shall isolate and control traffic flows." CCM IAM-02: "Strong authentication mechanisms shall be implemented." CCM SEF (Security Incident Management): "Security incident management processes shall be established." GCP services map to CCM cloud security controls. Source: CSA Cloud Controls Matrix v4.0.

SOC 2 CC6.1: "The entity implements logical access security software, infrastructure, and architectures over protected information assets." CC6.6: "Logical access security measures protect against threats from sources outside system boundaries." CC7.1: "The entity uses detection and monitoring procedures." GCP Security Command Center and VPC firewall rules implement SOC 2 requirements. Source: AICPA TSC-NIST Mapping.

ISO 27001:2022 A.5.23: "Information security requirements for cloud services shall be established." A.8.22: "Networks shall be segregated based on types of information services." A.8.16: "Monitoring activities shall include activities to detect unauthorized processing." GCP supports ISO 27001 through native security controls. Source: NIST OLIR Informative Reference Catalog.

Verification Commands

Commands and queries for testing and verifying security configurations.

List all IAM policies for project CLI
gcloud projects get-iam-policy PROJECT_ID --format=json
Check for public Cloud Storage buckets (allUsers or allAuthenticatedUsers, reported per bucket) CLI
for b in $(gsutil ls); do gsutil iam get "$b" 2>/dev/null | grep -Eq 'allUsers|allAuthenticatedUsers' && echo "PUBLIC: $b"; done
List service accounts CLI
gcloud iam service-accounts list --format="table(email,displayName,disabled)"
Check enabled VPC firewall rules for ingress from 0.0.0.0/0 (the default network's default-allow-ssh and default-allow-rdp rules will appear here) CLI
gcloud compute firewall-rules list --filter="direction=INGRESS AND sourceRanges:0.0.0.0/0 AND disabled=false" --format="table(name,network.basename(),priority,sourceRanges.list(),allowed[].map().firewall_rule().list():label=ALLOW)"
Verify Data Access audit logs are configured (Admin Activity logs are always on and never appear here; an empty result means only Admin Activity logs are collected) CLI
gcloud projects get-iam-policy PROJECT_ID --format=json | jq ".auditConfigs"
List active Security Command Center findings CLI
gcloud scc findings list ORGANIZATION_ID --filter='state="ACTIVE"' --limit=10
Check for basic roles and public principals in the project IAM policy (role names are lowercase, so matching on "Owner" or "Editor" finds nothing) CLI
gcloud projects get-iam-policy PROJECT_ID --format=json | jq '.bindings[] | select(.role=="roles/owner" or .role=="roles/editor" or any(.members[]; . == "allUsers" or . == "allAuthenticatedUsers"))'
List user-managed service account keys (the keys that can be downloaded and leaked; system-managed keys are rotated by Google) CLI
gcloud iam service-accounts keys list --iam-account=SA_EMAIL --managed-by=user --format="table(name.basename(),validAfterTime,validBeforeTime)"
Find service account keys that have not authenticated recently (Policy Intelligence activity analysis) CLI
gcloud policy-intelligence query-activity --activity-type=serviceAccountKeyLastAuthentication --project=PROJECT_ID
Check Cloud KMS key rotation (an empty rotationPeriod means no automatic rotation; only symmetric ENCRYPT_DECRYPT keys support it) CLI
gcloud kms keys describe KEY_NAME --keyring=KEYRING --location=LOCATION --format="value(purpose,rotationPeriod,nextRotationTime)"
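The IAM policy checks above work one question at a time. The following is an added example, not part of this guidance or of any Google tooling, that reads the JSON from `gcloud projects get-iam-policy PROJECT_ID --format=json` and produces the findings a reviewer would want together: basic (owner/editor/viewer) roles, bindings to allUsers or allAuthenticatedUsers, a note when a binding is conditional, and which Data Access log types are not enabled for allServices. The embedded policy is constructed; the principals, project and roles in it are hypothetical.

```python
"""Audit an exported project IAM policy for basic roles, public principals and audit log gaps.

Usage: gcloud projects get-iam-policy PROJECT_ID --format=json | python3 audit_iam.py
Run with no piped input to audit the constructed sample below.
"""
import json

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`
# (hypothetical principals and project; not real output).
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com",
                 "serviceAccount:ci@example-proj.iam.gserviceaccount.com"]},
    {"role": "roles/editor", "members": ["group:devs@example.com"]},
    {"role": "roles/viewer", "members": ["allAuthenticatedUsers"]},
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/logging.viewer", "members": ["group:sec@example.com"],
     "condition": {"title": "expires",
                   "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}}
  ],
  "auditConfigs": [
    {"service": "allServices",
     "auditLogConfigs": [{"logType": "ADMIN_READ"}, {"logType": "DATA_WRITE"}]}
  ],
  "version": 3
}
"""

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}  # legacy project-wide roles
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}  # anyone on the internet / any Google account
# Data Access log types; Admin Activity logs are always on and are not configured here.
REQUIRED_DATA_ACCESS_LOGS = {"ADMIN_READ", "DATA_READ", "DATA_WRITE"}


def risky_bindings(policy):
    """(kind, role, member) findings; conditional bindings are marked since the condition narrows them."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        suffix = " (conditional)" if binding.get("condition") else ""
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                # Public grant on any role is a finding, not only on basic roles.
                findings.append(("PUBLIC", role, member + suffix))
            elif role in BASIC_ROLES:
                findings.append(("BASIC_ROLE", role, member + suffix))
    return findings


def missing_data_access_logs(policy):
    """Data Access log types not enabled for allServices.

    Per-service auditConfigs entries can add to the allServices baseline but cannot
    substitute for it, so the check is deliberately against allServices only.
    """
    enabled = set()
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") == "allServices":
            enabled |= {c["logType"] for c in cfg.get("auditLogConfigs", [])}
    return sorted(REQUIRED_DATA_ACCESS_LOGS - enabled)


def audit_policy(policy_json):
    """Full report for one exported policy document."""
    policy = json.loads(policy_json)
    return {"risky_bindings": risky_bindings(policy),
            "missing_data_access_logs": missing_data_access_logs(policy)}


if __name__ == "__main__":
    import sys
    text = SAMPLE_POLICY_JSON if sys.stdin.isatty() else sys.stdin.read()
    report = audit_policy(text)
    for kind, role, member in report["risky_bindings"]:
        print(f"{kind:10} {role:32} {member}")
    for log_type in report["missing_data_access_logs"]:
        print(f"AUDIT_GAP  {log_type} not enabled for allServices")
```

The service account holding roles/owner in the sample is the finding to chase first: a leaked user-managed key for it is a full project compromise, which is why this script pairs with the user-managed key listing above. Audit configs can also carry `exemptedMembers`, which this example does not inspect; any exemption on a production project should be justified explicitly.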

Related Controls

Security controls from various frameworks that relate to Google Cloud Platform.

Related Technologies