Assessment Criteria

This page lists all the security criteria used to assess cloud APIs.

  • API Key Management: Secure generation, rotation, and revocation of API keys.
  • IAM Integration: Granular access control via Google Cloud IAM roles and policies.
  • MFA: Support for Multi-Factor Authentication for administrative access.
  • Service Account Support: Use of service accounts for programmatic access with least privilege.
  • Standard Protocols: Support for OAuth 2.0 / OpenID Connect.

  • Compliance Documentation: Availability of compliance reports.
  • Industry Certifications: Adherence to relevant industry standards (e.g., ISO 27001, SOC 2, HIPAA, GDPR).

  • Data Masking/Redaction: Ability to mask or redact sensitive information.
  • Sensitive Data Scanning: Integration with data loss prevention (DLP) services to detect sensitive data.

  • Cross-Region Data Transfer Controls: Controls to restrict data transfer outside of specified regions.
  • Data Location Transparency: Clear documentation and mechanisms to verify data storage and processing locations.
  • Region Selection: Ability to deploy API services and store data in specific Google Cloud regions to meet data residency requirements.

  • Encryption at Rest: Default encryption for all stored data, with support for Google-managed (GMEK), customer-managed (CMEK), and customer-supplied (CSEK) encryption keys, including key rotation and granular access controls.
  • Encryption in Transit: Mandatory strong TLS/SSL (e.g., TLS 1.2+) with configurable minimum versions and cipher suites.

  • Access Logging: Detailed access logs for API requests.
  • Audit Logging: Comprehensive audit trails for all API calls and configuration changes.
  • Log Retention: Configurable log retention policies.
  • Monitoring & Alerting: Integration with Cloud Monitoring for real-time metrics and security alerts.

  • API Gateway Integration: Centralized traffic management and security policies via API Gateway.
  • DDoS Protection: Built-in or configurable DDoS protection (e.g., Cloud Armor).
  • Firewall Rules: Ability to configure ingress/egress firewall rules.
  • Private Access: Support for private connectivity (e.g., Private Service Connect, VPC Service Controls).

  • API Design Principles: Adherence to secure API design principles.
  • Code Review & Testing: Evidence of secure coding practices and security testing.

  • Security Updates: Google's commitment to regular patching and updates.
  • Vulnerability Scanning: Evidence of regular vulnerability scanning and penetration testing.