Well-Architected Framework: Security, privacy, and compliance pillar
Stay organized with collections
Save and categorize content based on your preferences.
Last reviewed 2025-02-05 UTC
The Security, Privacy and Compliance pillar in the
Google Cloud Well-Architected Framework
provides recommendations to help you design, deploy, and operate cloud workloads
that meet your requirements for security, privacy, and compliance.
This document is designed to offer valuable insights and meet the needs of a
range of security professionals and engineers. The following table describes
the intended audiences for this document:
Audience
What this document provides
Chief information security officers (CISOs), business unit leaders,
and IT managers
A general framework to establish and maintain security excellence in
the cloud and to ensure a comprehensive view of security areas to
make informed decisions about security investments.
Security architects and engineers
Key security practices for the design and operational phases to help
ensure that solutions are designed for security, efficiency, and
scalability.
DevSecOps teams
Guidance to incorporate overarching security controls to plan
automation that enables secure and reliable infrastructure.
Compliance officers and risk managers
Key security recommendations to follow a structured approach to risk
management with safeguards that help to meet compliance
obligations.
To ensure that your Google Cloud workloads meet your security, privacy,
and compliance requirements, all of the stakeholders in your organization must
adopt a collaborative approach. In addition, you must recognize that cloud
security is a shared responsibility between you and Google. For more
information, see
Shared responsibilities and shared fate on Google Cloud.
The recommendations in this pillar are grouped into core security principles.
Each principle-based recommendation is mapped to one or more of the
focus areas of cloud security
that might be critical to your organization. Each
recommendation highlights guidance about the use and configuration of
Google Cloud products and capabilities to help improve your organization's
security posture.
Core principles
The recommendations in this pillar are grouped within the following core
principles of security. Every principle in this pillar is important. Depending
on the requirements of your organization and workload, you might choose to
prioritize certain principles.
Implement security by design:
Integrate cloud security and network security considerations starting from
the initial design phase of your applications and infrastructure.
Google Cloud provides architecture blueprints and recommendations to
help you apply this principle.
Implement zero trust:
Use a never trust, always verify approach, where access to resources is
granted based on continuous verification of trust. Google Cloud
supports this principle through products like Chrome Enterprise Premium and
Identity-Aware Proxy (IAP).
Implement shift-left security:
Implement security controls early in the software development lifecycle.
Avoid security defects before system changes are made. Detect and fix
security bugs early, fast, and reliably after the system changes are
committed. Google Cloud supports this principle through products like
Cloud Build, Binary Authorization, and Artifact Registry.
Implement preemptive cyber defense:
Adopt a proactive approach to security by implementing robust fundamental
measures like threat intelligence. This approach helps you build a
foundation for more effective threat detection and response.
Google Cloud's
approach to layered security controls
aligns with this principle.
Use AI for security:
Use AI capabilities to improve your existing security systems and processes
through
Gemini in Security
and overall platform-security capabilities. Use AI as a tool to increase
the automation of remedial work and ensure security hygiene to make other
systems more secure.
Meet regulatory, compliance, and privacy needs:
Adhere to industry-specific regulations, compliance standards, and privacy
requirements. Google Cloud helps you meet these obligations through
products like Assured Workloads, Organization Policy Service, and our
compliance resource center.
Organizational security mindset
A security-focused organizational mindset is crucial for successful cloud
adoption and operation. This mindset should be deeply ingrained in your
organization's culture and reflected in its practices, which are guided by core
security principles as described earlier.
An organizational security mindset emphasizes that you think about security
during system design, assume zero trust, and integrate security features
throughout your development process. In this mindset, you also think proactively
about cyber-defense measures, use AI securely and for security, and consider
your regulatory, privacy, and compliance requirements. By embracing these
principles, your organization can cultivate a security-first culture that
proactively addresses threats, protects valuable assets, and helps to ensure
responsible technology usage.
Focus areas of cloud security
This section describes the areas for you to focus on when you plan,
implement, and manage security for your applications, systems, and data. The
recommendations in each principle of this pillar are relevant to one or more of
these focus areas. Throughout the rest of this document, the recommendations
specify the corresponding security focus areas to provide further clarity and
context.
Focus area
Activities and components
Related Google Cloud products, capabilities, and solutions
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-02-05 UTC."],[[["\u003cp\u003eThe Security, Privacy, and Compliance pillar of the Google Cloud Well-Architected Framework provides guidance for designing, deploying, and operating cloud workloads that meet specific security, privacy, and compliance needs.\u003c/p\u003e\n"],["\u003cp\u003eThis pillar offers insights for various audiences, including CISOs, security architects, DevSecOps teams, and compliance officers, with tailored information for each role.\u003c/p\u003e\n"],["\u003cp\u003eCore security principles such as implementing security by design, zero trust, shift-left security, preemptive cyber defense, and responsible AI usage are crucial for maintaining a strong security posture.\u003c/p\u003e\n"],["\u003cp\u003eCloud security is a shared responsibility between the organization and Google, requiring a collaborative effort among all stakeholders to ensure that security, privacy, and compliance requirements are met.\u003c/p\u003e\n"],["\u003cp\u003eThe document outlines key focus areas of cloud security, including infrastructure security, identity and access management, data security, AI and ML security, security operations, application security, cloud governance, risk and compliance, as well as logging, auditing, and monitoring.\u003c/p\u003e\n"]]],[],null,["# Well-Architected Framework: Security, privacy, and compliance pillar\n\n| To view the content in the security, privacy, and compliance pillar on a single page or to to get a PDF output of the content, see [View on one page](/architecture/framework/security/printable).\n\nThe Security, Privacy and Compliance pillar in the\n[Google Cloud Well-Architected Framework](/architecture/framework)\nprovides recommendations to help you design, deploy, and operate cloud workloads\nthat meet your requirements for security, privacy, and compliance.\n\nThis document is designed to offer valuable insights and meet the needs of a\nrange of security professionals and engineers. The following table describes\nthe intended audiences for this document:\n\nTo ensure that your Google Cloud workloads meet your security, privacy,\nand compliance requirements, all of the stakeholders in your organization must\nadopt a collaborative approach. In addition, you must recognize that cloud\nsecurity is a shared responsibility between you and Google. For more\ninformation, see\n[Shared responsibilities and shared fate on Google Cloud](/architecture/framework/security/shared-responsibility-shared-fate).\n\nThe recommendations in this pillar are grouped into core security principles.\nEach principle-based recommendation is mapped to one or more of the\n[focus areas of cloud security](#focus_areas_of_cloud_security)\nthat might be critical to your organization. Each\nrecommendation highlights guidance about the use and configuration of\nGoogle Cloud products and capabilities to help improve your organization's\nsecurity posture.\n\nCore principles\n---------------\n\nThe recommendations in this pillar are grouped within the following core\nprinciples of security. Every principle in this pillar is important. Depending\non the requirements of your organization and workload, you might choose to\nprioritize certain principles.\n\n- [Implement security by design](/architecture/framework/security/implement-security-by-design): Integrate cloud security and network security considerations starting from the initial design phase of your applications and infrastructure. Google Cloud provides architecture blueprints and recommendations to help you apply this principle.\n- [Implement zero trust](/architecture/framework/security/implement-zero-trust): Use a *never trust, always verify* approach, where access to resources is granted based on continuous verification of trust. Google Cloud supports this principle through products like Chrome Enterprise Premium and Identity-Aware Proxy (IAP).\n- [Implement shift-left security](/architecture/framework/security/implement-shift-left-security): Implement security controls early in the software development lifecycle. Avoid security defects before system changes are made. Detect and fix security bugs early, fast, and reliably after the system changes are committed. Google Cloud supports this principle through products like Cloud Build, Binary Authorization, and Artifact Registry.\n- [Implement preemptive cyber defense](/architecture/framework/security/implement-preemptive-cyber-defense): Adopt a proactive approach to security by implementing robust fundamental measures like threat intelligence. This approach helps you build a foundation for more effective threat detection and response. Google Cloud's [approach to layered security controls](/docs/security/overview/whitepaper#technology_with_security_at_its_core) aligns with this principle.\n- [Use AI securely and responsibly](/architecture/framework/security/use-ai-securely-and-responsibly): Develop and deploy AI systems in a responsible and secure manner. The recommendations for this principle are aligned with guidance in the [AI and ML perspective](/architecture/framework/perspectives/ai-ml) of the Well-Architected Framework and in Google's [Secure AI Framework (SAIF)](https://saif.google).\n- [Use AI for security](/architecture/framework/security/use-ai-for-security): Use AI capabilities to improve your existing security systems and processes through [Gemini in Security](/security/ai) and overall platform-security capabilities. Use AI as a tool to increase the automation of remedial work and ensure security hygiene to make other systems more secure.\n- [Meet regulatory, compliance, and privacy needs](/architecture/framework/security/meet-regulatory-compliance-and-privacy-needs): Adhere to industry-specific regulations, compliance standards, and privacy requirements. Google Cloud helps you meet these obligations through products like Assured Workloads, Organization Policy Service, and our [compliance resource center](/security/compliance).\n\nOrganizational security mindset\n-------------------------------\n\nA security-focused organizational mindset is crucial for successful cloud\nadoption and operation. This mindset should be deeply ingrained in your\norganization's culture and reflected in its practices, which are guided by core\nsecurity principles as described earlier.\n\nAn organizational security mindset emphasizes that you think about security\nduring system design, assume zero trust, and integrate security features\nthroughout your development process. In this mindset, you also think proactively\nabout cyber-defense measures, use AI securely and for security, and consider\nyour regulatory, privacy, and compliance requirements. By embracing these\nprinciples, your organization can cultivate a security-first culture that\nproactively addresses threats, protects valuable assets, and helps to ensure\nresponsible technology usage.\n\nFocus areas of cloud security\n-----------------------------\n\nThis section describes the areas for you to focus on when you plan,\nimplement, and manage security for your applications, systems, and data. The\nrecommendations in each principle of this pillar are relevant to one or more of\nthese focus areas. Throughout the rest of this document, the recommendations\nspecify the corresponding security focus areas to provide further clarity and\ncontext.\n\nContributors\n------------\n\nAuthors:\n\n- [Wade Holmes](https://www.linkedin.com/in/wholmes) \\| Global Solutions Director\n- [Hector Diaz](https://www.linkedin.com/in/hectorgdiaz) \\| Cloud Security Architect\n- Carlos Leonardo Rosario \\| Google Cloud Security Specialist\n- [John Bacon](https://www.linkedin.com/in/johnbac/) \\| Partner Solutions Architect\n- [Sachin Kalra](http://www.linkedin.com/in/thesachinkalra) \\| Global Security Solution Manager\n\n\u003cbr /\u003e\n\nOther contributors:\n\n- [Anton Chuvakin](https://www.linkedin.com/in/chuvakin/) \\| Security Advisor, Office of the CISO\n- [Daniel Lees](https://www.linkedin.com/in/daniellees) \\| Cloud Security Architect\n- [Filipe Gracio, PhD](https://www.linkedin.com/in/filipegracio) \\| Customer Engineer, AI/ML Specialist\n- [Gary Harmson](https://www.linkedin.com/in/garyharmson) \\| Principal Architect\n- [Gino Pelliccia](https://www.linkedin.com/in/gino-pelliccia-13637025) \\| Principal Architect\n- [Jose Andrade](https://www.linkedin.com/in/jmandrade) \\| Customer Engineer, SRE Specialist\n- [Kumar Dhanagopal](https://www.linkedin.com/in/kumardhanagopal) \\| Cross-Product Solution Developer\n- [Laura Hyatt](https://www.linkedin.com/in/laura-hyatt) \\| Customer Engineer, FSI\n- [Marwan Al Shawi](https://www.linkedin.com/in/marwanalshawi) \\| Partner Customer Engineer\n- [Nicolas Pintaux](https://www.linkedin.com/in/nicolaspintaux) \\| Customer Engineer, Application Modernization Specialist\n- [Noah McDonald](https://www.linkedin.com/in/noah-mcdonald-77b04a173) \\| Cloud Security Consultant\n- [Osvaldo Costa](https://www.linkedin.com/in/osvaldocostajr) \\| Networking Specialist Customer Engineer\n- [Radhika Kanakam](https://www.linkedin.com/in/radhika-kanakam-18ab876) \\| Program Lead, Google Cloud Well-Architected Framework\n- [Samantha He](https://www.linkedin.com/in/samantha-he-05a98173) \\| Technical Writer\n- [Susan Wu](https://www.linkedin.com/in/susanwu88) \\| Outbound Product Manager\n\n\u003cbr /\u003e"]]
