Platform: GCP

| Category | Criteria Name | Supported | Notes | Caveats |
|---|---|---|---|---|
| Authentication & Authorization | API Key Management | True | While not the primary authentication method, API keys can be generated and managed within GCP for access to BigQuery. Best practices suggest using service accounts instead. | |
| Authentication & Authorization | IAM Integration | True | BigQuery fully integrates with Google Cloud IAM, providing granular access control through roles and policies at the dataset, table, and view levels. | |
| Authentication & Authorization | MFA | True | MFA is enforced for GCP accounts, including those accessing BigQuery. This adds another layer of security. | Applies to administrative access. |
| Authentication & Authorization | Service Account Support | True | Service accounts are recommended and supported for programmatic access to BigQuery, allowing for least privilege configuration. | |
| Authentication & Authorization | Standard Protocols | True | BigQuery supports OAuth 2.0 for authentication. | |
| Compliance & Certifications | Compliance Documentation | True | Compliance reports and documentation are available on the Google Cloud website. | |
| Compliance & Certifications | Industry Certifications | True | Google Cloud Platform, including BigQuery, undergoes regular audits and certifications relevant to various compliance frameworks like ISO 27001, SOC 2, HIPAA, and GDPR. Documentation is available. | |
| Data Loss Prevention (DLP) | Data Masking/Redaction | True | Sensitive data can be masked or redacted using Cloud DLP in conjunction with BigQuery. This is not a native BigQuery feature, but an integration capability. | Requires integration and configuration. |
| Data Loss Prevention (DLP) | Sensitive Data Scanning | True | BigQuery can be integrated with Cloud DLP for scanning data for sensitive information. This requires configuration and setup. | Requires integration. |
| Data Residency & Sovereignty | Cross-Region Data Transfer Controls | True | While data generally stays in the selected region, cross-region data transfers can occur if datasets are copied or accessed from other regions. However, proper configuration of IAM roles and network settings can restrict data movement. | Requires careful configuration. |
| Data Residency & Sovereignty | Data Location Transparency | True | Google Cloud documentation clearly specifies data location within a selected region. Tools and APIs are available to determine where data is stored. | |
| Data Residency & Sovereignty | Region Selection | True | BigQuery allows users to specify the location of their datasets within various Google Cloud regions. Data remains within the selected region unless explicitly moved. | |
| Encryption | Encryption at Rest | True | BigQuery uses Google-managed encryption keys (GMEK) by default and supports customer-managed encryption keys (CMEK) for enhanced control. Key rotation is also supported. | |
| Encryption | Encryption in Transit | True | BigQuery uses TLS/SSL encryption for data in transit. The specific protocols and cipher suites are managed by Google and generally align with industry best practices. | |
| Logging & Monitoring | Access Logging | True | Detailed access logs for API requests are available in Cloud Logging. | |
| Logging & Monitoring | Audit Logging | True | BigQuery provides comprehensive audit logs of all API calls and configuration changes, which can be accessed via Cloud Logging. | |
| Logging & Monitoring | Log Retention | True | Cloud Logging allows for configuring custom log retention policies. | |
| Logging & Monitoring | Monitoring & Alerting | True | BigQuery integrates with Cloud Monitoring for real-time metrics and allows for setting up custom alerts. | |
| Network Security | API Gateway Integration | False | BigQuery does not directly integrate with Cloud API Gateway. | |
| Network Security | DDoS Protection | True | BigQuery benefits from Google Cloud's infrastructure-level DDoS protection. Cloud Armor can also be configured for additional protection at the network layer. | Inherited protection. |
| Network Security | Firewall Rules | True | Network firewall rules within the VPC can control ingress and egress traffic to BigQuery. BigQuery itself doesn't have direct firewall rules, but VPC firewalls manage access. | Indirect control. |
| Network Security | Private Access | True | BigQuery supports private connectivity options like Private Service Connect to secure access from within a Virtual Private Cloud (VPC). | |
| Secure Development Lifecycle (SDL) | API Design Principles | True | Google's commitment to security suggests that BigQuery's API is designed according to secure coding principles. Specific details are not publicly available. | Indirect evidence. |
| Secure Development Lifecycle (SDL) | Code Review & Testing | True | It is assumed that Google employs secure coding practices and security testing throughout the development lifecycle of BigQuery. Details are not publicly released. | Indirect evidence. |
| Vulnerability Management & Patching | Security Updates | True | Google regularly patches and updates the BigQuery service as part of its overall infrastructure maintenance. | |
| Vulnerability Management & Patching | Vulnerability Scanning | True | While Google doesn't publicly disclose specifics, their commitment to security implies regular vulnerability scanning and penetration testing of their services, including BigQuery. | Indirect evidence. |