Google helps organizations secure their cloud environment, protect their data, and comply with industry regulations. For general information about security across all of Google Cloud, see Google Cloud security overview.
End user security configurations
Managing your Identity and Access Management (IAM) settings within Agentspace is crucial for security. The resources listed in this section help you understand the permissions and access controls in Agentspace:
- Identity and permissions
- Set up external identities
- Authenticate to Agentspace Enterprise API
- Access control with IAM
The following authentication frameworks are supported:
Agentspace data security
Protecting your data from threats, breaches, and identity theft is important. Agentspace has the following security measures in place:
- Agentspace is integrated with VPC Service Controls.
Default data encryption with Customer Managed Encryption Keys (CMEK).
Agentspace also supports External key manager (EKM) or hardware security module (HSM). For information about the limitations that apply to CMEK and EKM, see Limitations of Cloud Key Management Service in Agentspace Enterprise.
Agentspace compliance
Data compliance involves meeting legal and regulatory requirements for handling personal and sensitive information. It governs data collection, storage, usage, and security to ensure privacy and protection.
The resources listed in this section provide information to help you maintain data transparency and compliance:
- Enable access transparency
- Audit logging
- Agentspace locations
- Compliance and security controls
- Agentspace deletes user-requested data within 60 days. For more information, see Data deletion on Google Cloud.
In addition, Google Agentspace is FedRAMP High-compliant.
Workforce Identity Federation and pool administrators
If you use Workforce Identity Federation to authenticate your users, you
grant the IAM Workforce Identity Pool Admin
(roles/iam.workforcePoolAdmin) and IAM Workforce Pool Editor
(roles/iam.workforcePoolEditor) IAM roles to some of your
administrators. These roles have powerful permissions that could be
used to impersonate other users to gain access to documents and take
unauthorized actions.
For this reason, we recommend the following:
Only grant these workforce pool roles to trusted administrators who absolutely require them.
Use Privileged Access Manager to set up entitlements for these roles and to audit their use.
Required Google Cloud APIs
To begin using Agentspace, the following APIs must be enabled:
- Vertex AI API
- Agentspace (Discovery Engine) API
- Cloud Storage API
- Identity and Access Management API
For more information on getting started with Agentspace, see the Before you begin section.
To disable the Agentspace (Discovery Engine) API, see Turn off Agentspace Enterprise.
Third-party connectors and public endpoints
Third-party connectors interact with public endpoints outside Google's network; for example, endpoints for a third-party's API for polling data or a webhook URL for real-time synchronization. Because VPC Service Controls are designed to govern Google Cloud services, they do not inherently block or secure traffic to these external, non-Google endpoints.
To mitigate, Google Agentspace makes sure that your egress traffic is secured by granular VPC Firewall rules, which restrict outbound connections to only the Fully Qualified Domain Names (FQDNs) of the external service you provide.