You're the expert in knowing the security and regulatory requirements for your business and knowing the requirements for protecting your confidential data and resources. When you run your workloads on Google Cloud, you must identify the security controls that you need to configure in Google Cloud to help protect your confidential data and each workload. To decide which security controls to implement, you must consider the following factors:
Your regulatory compliance obligations
Your organization's security standards and risk management plan
Security requirements of your customers and your vendors
The protection of your data is a primary design consideration for all of Google's infrastructure, products, and personnel operations. Google Cloud provides strong security for many data types, including Customer Data and Service Data. However, if your workloads must meet specific regulatory requirements or are subject to national standards that require elevated security controls, your internal policies may differ from default configuration options. If you have such requirements, we recommend adopting additional tools and techniques to help maintain your required level of compliance and enable your team to follow the best practices of data management and overall cybersecurity management.
Configure Google Cloud and Assured Workloads for shared responsibility
The following areas are customer responsibilities as a user of any public cloud:
Understanding what portions of your data have different compliance and security requirements. Most cloud customers have some IT infrastructure that requires general commercial security, and some customers have specific data, such as health data, that must meet a higher compliance requirement. Assured Workloads can help to meet those higher compliance requirements. Place any sensitive or regulated data with specific access or residency requirements inside appropriate Assured Workloads folders or projects and keep it there.
Configuring Identity and Access Management (IAM) to ensure that the contents of your organization are accessed and modifiable by the appropriate personnel.
Creating and organizing your organizational hierarchy such that it does not expose personal data.
Ensuring you have read all documentation to understand and follow best practices.
Sharing information prudently during technical support sessions and troubleshooting, and not placing or sharing sensitive or regulated data outside compliant Assured Workloads folders.
The scope of sensitive or regulated data can vary depending on many factors, including the regulations that you or your customers are subject to, and can include:
Account information
Health information
Personal identifiers for customers or users
Cardholder data
ID numbers
Google's responsibilities in the shared responsibility model
In the shared responsibility partnership between Google and customers, Google takes responsibility for the foundational elements and infrastructure of building a successful cloud business, some of which rely on customers undertaking their responsibilities to configure Google Cloud to adequately protect their data. Examples of Google's responsibilities include:
Enforcing the IAM policies that you set to restrict workload administration and data access to the identities that you identify.
Configuring and enforcing any customer-selected Assured Workloads controls associated with your selected compliance regime, for the protected data types in the resources you have configured it for. This includes restrictions on where data will be stored and which Google employees can have access to your data in the course of their appropriate business activities.
Providing configurations and controls through Assured Workloads for regulated industries and locationally sensitive data.
Providing Policy Intelligence tools that give you insights on access to accounts and resources.
Configuration specific to Europe and the EU
When using Assured Workloads for EU Regions or Sovereign Controls for EU, customers have additional technical controls on top of the GDPR assurances made on Google Cloud that they can use to adjust their data residency and security controls as part of their compliance efforts. Some of these controls include:
An EU data boundary as further described in Data residency.
Support routing to EU persons in EU locations, including subprocessors.
Visibility into Administrative Access requests and accesses.
Policy-driven access approvals (Sovereign Controls only).
Custom options for data encryption and key management.
Examples of common fields that are not recommended for sensitive or regulated data
We recommend that all regulated and sovereign customers exercise caution when entering data into Google Cloud services. You should avoid adding sensitive or regulated data into common input fields that may not be protected by technical controls or aren't included in the Assured Workloads technical control boundary. This practice is necessary to maintain compliance with regulatory requirements and to safeguard sensitive or regulated information. To assist you, we compiled a list of examples across various Google Cloud services where extra vigilance is required.
Avoid placing sensitive or regulated data in the following common fields:
Resource names and IDs
Project or folder names and IDs
Any description fields or labels
Log-based metrics
VM sizes and similar service configurations
URIs or file paths
Timestamps
User IDs
Firewall rules
Security scanning configurations
Customer IAM policies
Last updated 2025-09-01 UTC.
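The following is an added example, not part of the original page and not Google tooling: a small Python check that scans resource metadata fields of the kind this page warns about (names, descriptions, labels, URIs) for cardholder numbers and e-mail addresses. The dictionary layout, field names and sample resources are constructed assumptions for illustration.

```python
import re

# Field names are assumptions of this example (not a Google Cloud API schema);
# they stand for the names, descriptions, labels and URIs the page lists.
CHECKED_FIELDS = ("name", "description", "labels", "uri")
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")  # 13-19 digits
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def luhn_ok(digits):
    """Luhn checksum, used to separate card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def strings(value):
    """Yield every string in a field value; labels are key/value maps."""
    if isinstance(value, dict):
        for key, val in value.items():
            yield from (str(key), str(val))
    elif value is not None:
        yield str(value)

def scan_resource(resource):
    """Return (field, data type) pairs for sensitive-looking metadata values."""
    findings = []
    for field in CHECKED_FIELDS:
        for text in strings(resource.get(field)):
            for match in CARD_RE.finditer(text):
                if luhn_ok(re.sub(r"\D", "", match.group())):
                    findings.append((field, "cardholder data"))
            if EMAIL_RE.search(text):
                findings.append((field, "personal identifier"))
    return findings

# Constructed sample inventory; none of these resources exist.
SAMPLE = [
    {"name": "projects/demo/buckets/billing-exports",
     "description": "Monthly exports", "labels": {"team": "finance"}},
    {"name": "projects/demo/instances/vm-1",
     "description": "Owner: jane.doe@example.com",
     "labels": {"card": "4111-1111-1111-1111"}},
    {"name": "projects/demo/instances/vm-2",
     "description": "build 1234567890123456", "labels": {}},
]

if __name__ == "__main__":
    for res in SAMPLE:
        print(res["name"], scan_resource(res) or "clean")
```

The Luhn check keeps ordinary digit runs such as build numbers from being reported as cardholder data; a real inventory would come from your own asset export rather than the inline sample.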