Agentspace Enterprise security overview

Google helps organizations secure their cloud environment, protect their data, and comply with industry regulations. For general information about security across all of Google Cloud, see Google Cloud security overview.

End user security configurations

Managing your Identity and Access Management (IAM) settings within Agentspace Enterprise is crucial for security. The resources listed in this section help you understand the permissions and access controls in Agentspace Enterprise:

• Identity and permissions
• Set up external identities
• Authenticate to Agentspace Enterprise API
• Access control with IAM

The following authentication frameworks are supported:

• Workforce Identity Federation

• Google Identity

• Workload Identity Federation

Agentspace Enterprise data security

Protecting your data from threats, breaches, and identity theft is important. Agentspace Enterprise has the following security measures in place:

• Agentspace Enterprise is integrated with VPC Service Controls.

• Default data encryption with Customer Managed Encryption Keys (CMEK).

  Agentspace Enterprise also supports External key manager (EKM) or hardware security module (HSM). For information about the limitations that apply to CMEK and EKM, see Limitations of Cloud Key Management Service in Agentspace Enterprise.

Agentspace Enterprise compliance

Data compliance involves meeting legal and regulatory requirements for handling personal and sensitive information. It governs data collection, storage, usage, and security to ensure privacy and protection.

The resources listed in this section provide information to help you maintain data transparency and compliance:

• Enable access transparency
• Audit logging
• Agentspace locations
• Compliance and security controls
• Agentspace Enterprise deletes user-requested data within 60 days. For more information, see Data deletion on Google Cloud.

Workforce Identity Federation and pool administrators

If you use Workforce Identity Federation to authenticate your users, you grant the IAM Workforce Identity Pool Admin (roles/iam.workforcePoolAdmin) and IAM Workforce Pool Editor (roles/iam.workforcePoolEditor) IAM roles to some of your administrators. These roles have powerful permissions that could be used to impersonate other users to gain access to documents and take unauthorized actions.

For this reason, we recommend the following:

• Only grant these workforce pool roles to trusted administrators who absolutely require them.

• Use Privileged Access Manager to set up entitlements for these roles and to audit their use.

Required Google Cloud APIs

To begin using Agentspace Enterprise, the following APIs must be enabled:

• Vertex AI API
• Agentspace Enterprise (Discovery Engine) API
• Cloud Storage API
• Identity and Access Management API

For more information on getting started with Agentspace Enterprise, see the Before you begin section.

To disable the Agentspace Enterprise (Discovery Engine) API, see Turn off Agentspace Enterprise.