Platform: GCP
| Category | Criteria Name | Supported | Notes | Caveats |
|---|---|---|---|---|
| Authentication & Authorization | API Key Management | False | Cloud SQL primarily uses IAM and service accounts for authentication, not API keys. | API keys are not typically used for Cloud SQL. |
| Authentication & Authorization | IAM Integration | True | Cloud SQL integrates fully with Google Cloud IAM, allowing granular control over access through roles and policies. | |
| Authentication & Authorization | MFA | True | MFA is not directly enforced by Cloud SQL but relies on the security measures of your GCP user accounts. Enabling 2FA on user accounts is recommended for administrative access. | Requires enabling 2FA on the user account. |
| Authentication & Authorization | Service Account Support | True | Cloud SQL supports using service accounts for programmatic access, allowing for the principle of least privilege to be applied. | |
| Authentication & Authorization | Standard Protocols | True | Cloud SQL supports OAuth 2.0 for authentication. | |
| Compliance & Certifications | Compliance Documentation | True | Google provides comprehensive compliance documentation for Cloud SQL, outlining adherence to various industry standards and regulations. | |
| Compliance & Certifications | Industry Certifications | True | Cloud SQL is compliant with various industry standards and regulations depending on the region and the database engine used. Refer to Google Cloud's compliance documentation for details. | Specific certifications vary. |
| Data Loss Prevention (DLP) | Data Masking/Redaction | True | Data masking and redaction typically need to be implemented at the application layer using Cloud SQL's APIs. Database-level capabilities are dependent on the specific database engine. | Requires application-level implementation. |
| Data Loss Prevention (DLP) | Sensitive Data Scanning | True | While Cloud SQL doesn't have built-in DLP, it can integrate with Cloud DLP APIs to scan data for sensitive information. | Requires integration with Cloud DLP. |
| Data Residency & Sovereignty | Cross-Region Data Transfer Controls | True | While Cloud SQL doesn't inherently restrict cross-region data transfers, proper VPC configuration, including network peering and firewall rules, can control data flow between regions. | Requires careful configuration of VPC networking. |
| Data Residency & Sovereignty | Data Location Transparency | True | Google Cloud documentation clearly specifies the region where your Cloud SQL instance resides. You can verify this during instance creation and via the GCP console. | |
| Data Residency & Sovereignty | Region Selection | True | Cloud SQL allows you to specify the region where your database instances are created. This allows for compliance with data residency requirements. | |
| Encryption | Encryption at Rest | True | Cloud SQL supports encryption at rest using Google-managed encryption keys (GMEK) by default. It also supports customer-managed encryption keys (CMEK) for enhanced control. | |
| Encryption | Encryption in Transit | True | Cloud SQL encrypts data in transit using TLS/SSL by default. Specific TLS versions and cipher suites can be configured depending on the database engine version. | |
| Logging & Monitoring | Access Logging | True | Cloud SQL provides access logs that can be viewed through the GCP console. These logs capture connection details and other important access information. | |
| Logging & Monitoring | Audit Logging | True | Cloud SQL integrates with Cloud Audit Logging, providing detailed audit trails of API calls and configuration changes. | |
| Logging & Monitoring | Log Retention | True | Log retention policies are managed through Cloud Logging, which integrates with Cloud SQL logs. | Dependent on Cloud Logging configuration. |
| Logging & Monitoring | Monitoring & Alerting | True | Cloud SQL integrates with Cloud Monitoring, allowing you to set up custom metrics and alerts for various aspects of database performance and security. | |
| Network Security | API Gateway Integration | False | Cloud SQL does not directly integrate with API Gateway. Network-level security mechanisms should be used instead. | Not directly integrated. |
| Network Security | DDoS Protection | True | Cloud SQL benefits from Google Cloud's inherent DDoS protection built into its infrastructure. Additional configuration via Cloud Armor might be necessary for advanced protection scenarios. | Protection relies on GCP's underlying infrastructure. |
| Network Security | Firewall Rules | True | Cloud SQL allows you to configure ingress and egress firewall rules to control network access to your instances. | |
| Network Security | Private Access | True | Cloud SQL supports private connectivity using Private Service Connect and VPC Service Controls. | |
| Secure Development Lifecycle (SDL) | API Design Principles | True | Cloud SQL's APIs are designed and maintained with consideration for secure development principles, although specifics are not publicly detailed. | Indirect; part of GCP's overall security posture. |
| Secure Development Lifecycle (SDL) | Code Review & Testing | True | Google employs rigorous code review and testing processes as part of its secure development lifecycle for Cloud SQL, although specific methodologies are not publicly disclosed. | Indirect; part of GCP's overall security posture. |
| Vulnerability Management & Patching | Security Updates | True | Google regularly patches and updates Cloud SQL. Specific updates are announced via Google Cloud documentation and release notes. | |
| Vulnerability Management & Patching | Vulnerability Scanning | True | Google performs regular vulnerability assessments and penetration testing of Cloud SQL as part of its overall security operations. Specific details are generally not publicly available. | Indirect; part of GCP's overall security posture. |