Platform: GCP
| Category | Criteria Name | Supported | Notes | Caveats |
|---|---|---|---|---|
| Authentication & Authorization | API Key Management | True | Firebase allows for the creation, rotation, and revocation of API keys. However, proper key management practices are crucial to avoid unauthorized access. | Requires careful management to avoid security risks. |
| Authentication & Authorization | IAM Integration | True | Firebase integrates tightly with Google Cloud IAM, enabling granular access control through roles and policies. | |
| Authentication & Authorization | MFA | True | MFA is enforced by Google Cloud IAM for administrative access to the Firebase project and its related GCP resources. | Applies to administrative accounts within the Google Cloud Console. |
| Authentication & Authorization | Service Account Support | True | Firebase supports service accounts for programmatic access, allowing for least privilege configurations. | |
| Authentication & Authorization | Standard Protocols | True | Firebase supports OAuth 2.0 and OpenID Connect for authentication. | |
| Compliance & Certifications | Compliance Documentation | True | Compliance documentation is available through Google Cloud's compliance documentation, covering general GCP security and compliance as well as aspects specific to Firebase. | Documentation is spread across various Google Cloud resources. |
| Compliance & Certifications | Industry Certifications | True | Firebase inherits compliance certifications from the underlying GCP infrastructure, including SOC 2, ISO 27001, and others. The exact certifications depend on the specific Firebase services used and the overall GCP project setup. | Specific certifications depend on the service and configuration. |
| Data Loss Prevention (DLP) | Data Masking/Redaction | True | Data masking or redaction can be achieved through integration with Cloud DLP. This is not a direct feature of Firebase but relies on Cloud DLP's capabilities. | Requires configuration and might not be supported by all Firebase services. |
| Data Loss Prevention (DLP) | Sensitive Data Scanning | True | Firebase can integrate with Cloud Data Loss Prevention (DLP) for scanning data within supported Firebase services. This requires explicit configuration. | Requires configuration and integration with Cloud DLP. |
| Data Residency & Sovereignty | Cross-Region Data Transfer Controls | True | Cross-region data transfer is controlled through GCP's networking features and regional constraints. Firebase leverages these controls, but explicit configuration might be needed depending on the specific Firebase services and their interactions with other GCP services. | Requires configuration within underlying GCP services. |
| Data Residency & Sovereignty | Data Location Transparency | True | While Firebase doesn't directly expose the precise physical location of all data, data is stored within the GCP regions specified during project setup. The level of transparency depends on the specific Firebase service used; some services offer more granular detail than others. | Requires understanding of the underlying GCP services used by Firebase. |
| Data Residency & Sovereignty | Region Selection | True | Firebase allows developers to specify regions for storage and other services, though not all Firebase features support region selection. Data location depends on the specific Firebase product used (e.g., Firestore, Realtime Database). | |
| Encryption | Encryption at Rest | True | Most Firebase services offer encryption at rest, often using Google-managed keys. Some services allow for customer-managed encryption keys (CMEK) integration, giving more control over key management. | Specific options vary depending on the Firebase service. |
| Encryption | Encryption in Transit | True | Firebase uses HTTPS for all communication, ensuring encryption in transit. | |
| Logging & Monitoring | Access Logging | True | Firebase provides access logging through Cloud Logging, offering insights into API requests. | Level of detail depends on the service and configuration. |
| Logging & Monitoring | Audit Logging | True | Firebase provides audit logging for certain actions, and this integrates with GCP's Cloud Logging service. | Granularity varies across services. |
| Logging & Monitoring | Log Retention | True | Log retention is configurable through Cloud Logging, which Firebase uses for its logging. | Retention policies are managed through GCP Cloud Logging. |
| Logging & Monitoring | Monitoring & Alerting | True | Firebase integrates with Cloud Monitoring for real-time metrics and allows for custom alert configurations. | |
| Network Security | API Gateway Integration | False | Firebase doesn't directly integrate with Apigee API Gateway. While some indirect integration might be possible by leveraging GCP networking, it is not a native feature. | |
| Network Security | DDoS Protection | True | Firebase benefits from GCP's built-in DDoS protection and can be further enhanced with Cloud Armor configurations. | Protection is inherited from GCP's infrastructure and Cloud Armor. |
| Network Security | Firewall Rules | True | Firewall rules are managed through the underlying GCP project's firewall settings. These rules control access to Firebase services. | Configuration is indirect, managed through GCP Firewall rules. |
| Network Security | Private Access | True | Firebase supports integration with VPC Service Controls and other GCP networking features for private connectivity. | Requires configuration and might not be applicable to all Firebase services. |
| Secure Development Lifecycle (SDL) | API Design Principles | True | Google adheres to secure API design principles in the development of Firebase, although specific details of its SDL are not publicly shared. | Details of internal SDL practices are not publicly available. |
| Secure Development Lifecycle (SDL) | Code Review & Testing | True | Firebase development employs secure coding practices and security testing, although the specifics of these processes are not publicly available. | Internal practices are not publicly disclosed. |
| Vulnerability Management & Patching | Security Updates | True | Google is responsible for patching and updating the underlying infrastructure and Firebase services. | Implicitly managed by Google. |
| Vulnerability Management & Patching | Vulnerability Scanning | True | Google performs regular vulnerability scanning and penetration testing on Firebase infrastructure, but the specifics are not publicly disclosed. | Details of the scanning process are not publicly available. |