Platform: GCP
| Category | Criteria Name | Supported | Notes | Caveats |
|---|---|---|---|---|
| Authentication & Authorization | API Key Management | True | API keys identify a calling project, not a principal, so Cloud Storage accepts them only for publicly readable data. Restrict each key to the APIs and applications (HTTP referrers, IP addresses, apps) that need it, use service accounts or user credentials for private data, rotate keys, and keep them out of source code and repositories. | Supported with limitations: public data only; a leaked key grants whatever the restrictions still allow. |
| Authentication & Authorization | IAM Integration | True | Granular access control via Google Cloud IAM roles and policies at the project, bucket, and managed-folder level, with predefined and custom roles and IAM Conditions. Enabling uniform bucket-level access disables legacy object ACLs so that IAM is the only place permissions are granted. | |
| Authentication & Authorization | MFA | True | MFA is supported for user accounts and Google is making it mandatory for all Google Cloud users. Service accounts have no MFA factor; a user who impersonates a service account first authenticates as themselves, so that user session is subject to MFA. | Applies to user accounts only; protect service accounts by avoiding long-lived keys rather than by MFA. |
| Authentication & Authorization | Service Account Support | True | Service accounts are fully supported for programmatic access and can be scoped to least privilege with bucket-level roles and IAM Conditions. Workload Identity Federation is recommended for workloads outside Google Cloud so that no service account keys are issued. | Prefer attached service accounts or federation; downloaded JSON keys are long-lived bearer credentials. |
| Authentication & Authorization | Standard Protocols | True | Requests are authorized with OAuth 2.0 bearer tokens. OpenID Connect (OIDC) tokens are used for identity verification, notably when Workload Identity Federation exchanges an external OIDC or SAML assertion for a short-lived Google credential. | |
| Compliance & Certifications | Compliance Documentation | True | Compliance Reports Manager provides on-demand access to ISO/IEC certificates, SOC reports, PCI DSS attestations, and other compliance resources. | |
| Compliance & Certifications | Industry Certifications | True | In scope for ISO/IEC 27001, 27017, 27018, SOC 1/2/3, FedRAMP, and PCI DSS, and can be covered by a HIPAA Business Associate Agreement. | Certifications cover Google's operation of the service; the customer's configuration of buckets and access is not in their scope. |
| Data Loss Prevention (DLP) | Data Masking/Redaction | True | Sensitive Data Protection (formerly Cloud DLP) can de-identify findings in Cloud Storage content by masking, redaction, or tokenization; de-identified copies are written to an output bucket and the source objects are left unchanged. | |
| Data Loss Prevention (DLP) | Sensitive Data Scanning | True | Integration with Sensitive Data Protection (formerly Cloud DLP) inspection jobs and discovery scans to find and classify sensitive data (PII, credentials, financial data) in Cloud Storage buckets, with findings publishable to Security Command Center. | Scanning is separately billed and must be scheduled or triggered; it is not on by default. |
| Data Residency & Sovereignty | Cross-Region Data Transfer Controls | True | The Organization Policy constraint `constraints/gcp.resourceLocations` restricts where buckets and other resources may be created; VPC Service Controls perimeters restrict copying data to projects or networks outside the perimeter. | A VPC Service Controls perimeter is an access boundary, not a geographic one; residency itself is enforced by `gcp.resourceLocations` and the bucket location. |
| Data Residency & Sovereignty | Data Location Transparency | True | A bucket's `location` and `locationType` are visible metadata fixed at creation, and the documentation states which regions each dual-region or multi-region spans, so the storage location can be verified from bucket metadata rather than assumed. | |
| Data Residency & Sovereignty | Region Selection | True | Cloud Storage allows selection of a specific region, a dual-region, or a multi-region (e.g. US, EU, ASIA) at bucket creation to meet residency requirements; over 40 regions are available globally. | The location cannot be changed after creation; relocating data means creating a new bucket and copying objects. |
| Encryption | Encryption at Rest | True | Data is encrypted at rest by default with Google-managed encryption keys. Customer-managed encryption keys (CMEK) in Cloud KMS can be set as a bucket default or per object, and customer-supplied encryption keys (CSEK) can be provided per request. | CMEK requires the Cloud Storage service agent to hold Cloud KMS CryptoKey Encrypter/Decrypter on the key; CSEK keys are not retained by Google, so a lost key means unrecoverable objects. |
| Encryption | Encryption in Transit | True | All traffic to the API is encrypted with TLS; the version is negotiated with the client (TLS 1.2 or 1.3). Organization Policies can enforce a minimum TLS version (`gcp.restrictTLSVersion`, e.g. TLS 1.2+) and restrict cipher suites (`gcp.restrictTLSCipherSuites`). | Enforcing the constraint rejects clients that only speak older TLS versions; audit client TLS versions before turning it on. |
| Logging & Monitoring | Access Logging | True | Data Access audit logs record operations that read or write object data (DATA_READ, DATA_WRITE) and reads of bucket or object metadata (ADMIN_READ), including the caller identity, source IP, and request details. | Off by default for Cloud Storage; enable per project in the IAM audit config. |
| Logging & Monitoring | Audit Logging | True | Comprehensive audit trails (Admin Activity, Data Access, System Event logs) are available via Cloud Audit Logs. Admin Activity and System Event logs are always on; Data Access logs must be explicitly enabled for the Cloud Storage service. | Data Access logs on busy buckets are high volume and billed as log ingestion; scope them with exempted members or route them with sinks. |
| Logging & Monitoring | Log Retention | True | Admin Activity and System Event logs are kept in the `_Required` log bucket for 400 days (fixed). Data Access logs go to the `_Default` log bucket, 30 days by default and configurable from 1 to 3650 days. Log sinks can export to Cloud Storage or BigQuery for long-term archival. | |
| Logging & Monitoring | Monitoring & Alerting | True | Integration with Cloud Monitoring for real-time metrics (e.g., total bytes, object count, request count) and configurable alerting policies with various notification channels. | |
| Network Security | API Gateway Integration | True | API Gateway can be integrated to expose Cloud Storage functionalities via a REST API, enabling enhanced security (API keys, JWTs), simplified access control, and centralized management. | |
| Network Security | DDoS Protection | True | DDoS protection is available by serving the bucket as a backend bucket behind an external Application Load Balancer and attaching a Google Cloud Armor edge security policy to that backend bucket. | Requests sent directly to storage.googleapis.com bypass the load balancer and therefore Cloud Armor. |
| Network Security | Firewall Rules | False | Traditional IP-based VPC firewall rules do not apply to the Cloud Storage endpoint. Access is controlled via IAM, VPC Service Controls (whose access levels can match source IP ranges), Signed URLs, and bucket IP filtering, which allows a per-bucket allow list of source IP ranges or VPC networks. Egress firewall rules in a VPC can control traffic to Private Service Connect endpoints. | Not directly applicable; support is indirect. |
| Network Security | Private Access | True | Private Google Access and Private Service Connect endpoints let workloads in a VPC reach the Cloud Storage API without public internet exposure; VPC Service Controls service perimeters then limit which projects, networks, and identities can use it. | A VPC Service Controls perimeter is an authorization boundary, not a network path; pair it with Private Google Access or Private Service Connect for private connectivity. |
| Secure Development Lifecycle (SDL) | API Design Principles | True | Google Cloud APIs, including Cloud Storage, are designed with security in mind, adhering to secure API design principles as part of Google's overall SDL. | |
| Secure Development Lifecycle (SDL) | Code Review & Testing | True | Google's internal development processes include rigorous code reviews and security testing for its services, including Cloud Storage, as part of its SDL. | |
| Vulnerability Management & Patching | Security Updates | True | Google continuously enhances security features and provides updates (e.g., bucket IP filtering, soft-deleted bucket restoration). Customers are responsible for securing their data within the shared responsibility model. | |
| Vulnerability Management & Patching | Vulnerability Scanning | True | Security Command Center (Security Health Analytics) continuously checks Cloud Storage for misconfigurations such as public buckets, disabled uniform bucket-level access, and missing logging. Artifact Analysis scans container images and packages (not bucket contents), and Web Security Scanner tests web applications, including static sites served from buckets. Third-party scanners are also available. | These services scan configuration and hosted web content; they do not scan stored objects for malware. |
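
Several rows in the table (IAM Integration, Region Selection, Encryption at Rest, Access Logging, Audit Logging) describe settings a reviewer has to verify rather than take on trust. The script below is an added example and is not part of the original page or of any Google tooling: it evaluates a bucket resource and a project IAM policy, supplied as JSON in the shape the `gcloud` commands named in the comments print, against those rows and returns the findings. The sample JSON, the allowed-location set, and the check identifiers are constructed for the example.

```python
import json

# Constructed sample bucket resource. Field names follow the Cloud Storage
# JSON API bucket resource (what `gcloud storage buckets describe --format=json`
# prints); the values are invented and deliberately show several weak settings.
SAMPLE_BUCKET = json.loads("""
{
  "name": "example-prod-reports",
  "location": "US",
  "locationType": "multi-region",
  "encryption": {},
  "iamConfiguration": {
    "uniformBucketLevelAccess": {"enabled": false},
    "publicAccessPrevention": "inherited"
  }
}
""")

# Constructed sample project IAM policy (shape of `gcloud projects get-iam-policy
# --format=json`). auditConfigs is where Data Access logs are switched on per service.
SAMPLE_PROJECT_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers"]},
    {"role": "roles/storage.admin",
     "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]}
  ],
  "auditConfigs": [
    {"service": "storage.googleapis.com",
     "auditLogConfigs": [{"logType": "ADMIN_READ"}, {"logType": "DATA_WRITE"}]}
  ]
}
""")

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
# Log types that make up Data Access logging for object reads and writes.
REQUIRED_DATA_ACCESS_LOG_TYPES = {"DATA_READ", "DATA_WRITE"}


def check_bucket(bucket, allowed_locations):
    """Return (check_id, message) findings for one bucket resource dict.

    allowed_locations is the residency allow list (region, dual-region or
    multi-region names); the comparison is case-insensitive.
    """
    findings = []
    allowed = {loc.upper() for loc in allowed_locations}
    location = bucket.get("location", "").upper()
    if location not in allowed:
        findings.append(("residency", f"bucket location {location!r} is outside {sorted(allowed)}"))

    # An empty encryption block means objects use Google-managed keys, not CMEK.
    if not bucket.get("encryption", {}).get("defaultKmsKeyName"):
        findings.append(("cmek", "no default Cloud KMS key; objects use Google-managed keys"))

    iam_cfg = bucket.get("iamConfiguration", {})
    if not iam_cfg.get("uniformBucketLevelAccess", {}).get("enabled", False):
        findings.append(("ubla", "uniform bucket-level access disabled; legacy ACLs can grant access outside IAM"))
    if iam_cfg.get("publicAccessPrevention") != "enforced":
        findings.append(("pap", "publicAccessPrevention is not 'enforced' on the bucket"))
    return findings


def check_project_policy(policy):
    """Return findings for public IAM bindings and missing Data Access log types."""
    findings = []
    for binding in policy.get("bindings", []):
        public = PUBLIC_PRINCIPALS & set(binding.get("members", []))
        if public:
            findings.append(("public-binding", f"{binding['role']} granted to {sorted(public)}"))

    # Data Access logs are off unless an auditConfig lists the log type for the
    # storage service (or for allServices). Exempted members narrow a log type
    # but do not turn it off, so only the logType is considered here.
    enabled = set()
    for audit_cfg in policy.get("auditConfigs", []):
        if audit_cfg.get("service") in ("storage.googleapis.com", "allServices"):
            enabled.update(c["logType"] for c in audit_cfg.get("auditLogConfigs", []))
    missing = REQUIRED_DATA_ACCESS_LOG_TYPES - enabled
    if missing:
        findings.append(("data-access-logs", f"Cloud Storage Data Access log types not enabled: {sorted(missing)}"))
    return findings


def audit(bucket, policy, allowed_locations):
    """Combine bucket and project findings; an empty list means every check passed."""
    return check_bucket(bucket, allowed_locations) + check_project_policy(policy)


if __name__ == "__main__":
    for check_id, message in audit(SAMPLE_BUCKET, SAMPLE_PROJECT_POLICY, {"EU", "europe-west1"}):
        print(f"[{check_id}] {message}")
```

Run against the constructed sample with an EU residency allow list, the script reports six findings: the US location, no CMEK, uniform bucket-level access off, public access prevention not enforced, `allUsers` holding `objectViewer`, and `DATA_READ` missing from the audit config. To use it on a real project, feed it the output of the two `gcloud` commands named in the comments; the policy read requires `resourcemanager.projects.getIamPolicy` on the project.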