Platform: GCP
| Category | Criteria Name | Supported | Notes | Caveats |
|---|---|---|---|---|
| Authentication & Authorization | API Key Management | False | API keys are not used for authentication with Cloud Pub/Sub; service accounts and OAuth 2.0 are the primary methods. | |
| Authentication & Authorization | IAM Integration | True | Cloud Pub/Sub leverages Google Cloud IAM for granular access control using roles and policies, allowing fine-grained permissions management. | |
| Authentication & Authorization | MFA | True | Multi-Factor Authentication (MFA) is supported through Google Cloud IAM for users managing Pub/Sub resources. | Applies to IAM users, not service accounts. |
| Authentication & Authorization | Service Account Support | True | Service accounts are commonly used for programmatic access and can be configured with least privilege principles. | |
| Authentication & Authorization | Standard Protocols | True | Uses OAuth 2.0 for authentication. | |
| Compliance & Certifications | Compliance Documentation | True | Google provides comprehensive compliance documentation for GCP, covering Cloud Pub/Sub as well. | |
| Compliance & Certifications | Industry Certifications | True | Google Cloud Platform, and therefore Cloud Pub/Sub, adheres to numerous industry standards and certifications, including ISO 27001, SOC 2, and others depending on the specific region and service offering. Details are available in Google's compliance documentation. | Specific certifications vary. |
| Data Loss Prevention (DLP) | Data Masking/Redaction | False | Data masking/redaction needs to be handled at the application level, before publishing data to Cloud Pub/Sub, using GCP's DLP API. | |
| Data Loss Prevention (DLP) | Sensitive Data Scanning | False | Cloud Pub/Sub does not have built-in DLP scanning. Data loss prevention needs to be implemented at the application level using GCP's DLP API. | |
| Data Residency & Sovereignty | Cross-Region Data Transfer Controls | True | While data at rest is regional, messages can be published and subscribed to from any region. Data transfer between regions is implicit and controlled by the publisher and subscriber location choices. VPC Service Controls can help restrict egress. | Requires careful configuration. |
| Data Residency & Sovereignty | Data Location Transparency | True | Google provides documentation specifying data location based on topic and subscription region. While not always precise to the data center, it provides regional level transparency. | |
| Data Residency & Sovereignty | Region Selection | True | Cloud Pub/Sub allows you to select the region for your topics and subscriptions. Data is stored within the selected region. | |
| Encryption | Encryption at Rest | True | Cloud Pub/Sub uses Google-managed encryption keys (GMEK) by default for data at rest. Customer-managed encryption keys (CMEK) are not supported directly. | |
| Encryption | Encryption in Transit | True | Cloud Pub/Sub uses TLS/SSL for encryption in transit. Specific TLS versions can be indirectly influenced through client and network settings. | |
| Logging & Monitoring | Access Logging | True | Access logs provide details about API requests made to Pub/Sub. These logs are available through Cloud Logging. | |
| Logging & Monitoring | Audit Logging | True | Cloud Pub/Sub integrates with Cloud Audit Logging, providing audit trails for API calls and configuration changes. | |
| Logging & Monitoring | Log Retention | True | Cloud Logging allows configuring log retention policies to manage how long logs are stored. | |
| Logging & Monitoring | Monitoring & Alerting | True | Integrates with Cloud Monitoring for real-time metrics and supports setting up alerts based on various criteria. | |
| Network Security | API Gateway Integration | False | Cloud Pub/Sub does not directly integrate with Cloud API Gateway. | |
| Network Security | DDoS Protection | True | Benefits from Google Cloud's built-in DDoS protection. | Relies on GCP infrastructure. |
| Network Security | Firewall Rules | True | Firewall rules in the VPC where your Pub/Sub resources reside can control inbound and outbound network traffic. | Indirectly through VPC |
| Network Security | Private Access | True | Supports private connectivity using Private Service Connect and VPC Service Controls to limit access to authorized networks. | |
| Secure Development Lifecycle (SDL) | API Design Principles | True | Cloud Pub/Sub is developed using Google's Secure Development Lifecycle (SDL) practices, which should cover API design principles. | Implicit through Google's SDL |
| Secure Development Lifecycle (SDL) | Code Review & Testing | True | Google's SDL process includes code review and security testing as part of their development lifecycle for Cloud Pub/Sub. | Implicit through Google's SDL |
| Vulnerability Management & Patching | Security Updates | True | Google regularly patches and updates the underlying infrastructure for Cloud Pub/Sub. | Implicit through GCP infrastructure |
| Vulnerability Management & Patching | Vulnerability Scanning | True | Google conducts regular security scans and penetration testing on its infrastructure, including Cloud Pub/Sub. | Indirectly through GCP infrastructure |