您非常了解企业的安全和监管要求,也非常了解保护机密数据和资源的要求。在 Google Cloud上运行工作负载时,必须确定您需要在 Google Cloud 中配置的安全控制措施,以帮助保护机密数据和每个工作负载。如需确定要实现的安全控制措施,您必须考虑以下因素:
法规遵从义务
组织的安全标准和风险管理计划
客户和供应商的安全要求
保护您的数据是 Google 所有基础架构、产品和员工操作的主要设计考量因素。 Google Cloud 可为许多数据类型(包括客户数据和服务数据)提供强大的安全保障。不过,如果您的工作负载必须满足特定的监管要求,或者受需要提升安全控制的国家标准约束,您的内部政策可能与默认配置选项不同。如果您有此类要求,我们建议您采用其他工具和技术,以帮助您保持所需的合规性水平,并让您的团队能够遵循数据管理和整体网络安全管理方面的最佳实践。
配置 Google Cloud 和 Assured Workloads for Shared Responsibility
作为任何公共云的用户,客户在以下方面负有责任:
了解您的哪些数据部分具有不同的合规性和安全要求。
大多数云客户都有一些需要常规商业安全的 IT 基础架构,而有些客户拥有特定数据(例如健康数据),这些数据必须满足更高的合规性要求。Assured Workloads 有助于满足更高级别的合规性要求。将所有具有特定访问权限或数据驻留要求的敏感数据或受监管数据放入适当的 Assured Workloads 文件夹或项目中,并将其保留在该位置。
配置 Identity and Access Management (IAM),确保只有适当的人员可以访问和修改贵组织的内容。
我们强烈建议所有受监管的客户和主权国家/地区的客户在向 Google Cloud 服务中输入数据时务必谨慎。请务必避免将敏感数据或受监管数据添加到可能未受技术控制保护或未包含在“可信工作负载”技术控制边界内的常见输入字段中。为了确保遵守监管要求并保护您的敏感数据或受监管数据,这种做法非常必要。为方便起见,我们列举了一些需要格外注意的 Google Cloud 服务示例。
[[["易于理解","easyToUnderstand","thumb-up"],["解决了我的问题","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["很难理解","hardToUnderstand","thumb-down"],["信息或示例代码不正确","incorrectInformationOrSampleCode","thumb-down"],["没有我需要的信息/示例","missingTheInformationSamplesINeed","thumb-down"],["翻译问题","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],["最后更新时间 (UTC):2025-09-01。"],[[["\u003cp\u003eCustomers are responsible for identifying and configuring security controls within Google Cloud to protect their confidential data and meet regulatory requirements.\u003c/p\u003e\n"],["\u003cp\u003eAssured Workloads helps customers meet high compliance requirements by allowing them to place sensitive or regulated data in protected folders or projects, and also aids in configuring appropriate IAM for the resources.\u003c/p\u003e\n"],["\u003cp\u003eGoogle is responsible for foundational infrastructure security, enforcing customer-defined IAM policies, and applying Assured Workloads controls according to the selected compliance regime.\u003c/p\u003e\n"],["\u003cp\u003eCustomers should avoid placing sensitive or regulated data in common input fields like resource names, descriptions, or timestamps, as these fields may not be protected by the Assured Workloads technical controls.\u003c/p\u003e\n"],["\u003cp\u003eAssured Workloads for EU Regions or Sovereign Controls for EU offer extra technical controls, including an EU data boundary, support routing to EU locations, visibility into administrative accesses, and custom options for data encryption.\u003c/p\u003e\n"]]],[],null,["# Shared responsibility in Assured Workloads\n==========================================\n\nThis page describes shared responsibility in Assured Workloads. For\ngeneral information about shared responsibility in Google Cloud, see\n[Shared responsibilities and shared fate on Google Cloud](/architecture/framework/security/shared-responsibility-shared-fate).\n\nShared responsibility for data\n------------------------------\n\nYou're the expert in knowing the security and regulatory requirements for your business and\nknowing the requirements for protecting your confidential data and resources. When you run your\nworkloads on Google Cloud, you must identify the security controls that you need to configure\nin Google Cloud to help protect your confidential data and each workload. To decide which\nsecurity controls to implement, you must consider the following factors:\n\n- Your regulatory compliance obligations\n- Your organization's security standards and risk management plan\n- Security requirements of your customers and your vendors\n\nThe protection of your data is a primary design consideration for all of Google's\ninfrastructure, products, and personnel operations. Google Cloud provides strong security for\nmany data types, including [Customer Data](/terms/data-processing-addendum) and\n[Service Data](/terms/cloud-privacy-notice). However, if your workloads must meet\nspecific regulatory requirements or are subject to national standards that require elevated security\ncontrols, your internal policies may differ from default configuration options. If you have such\nrequirements, we recommend adopting additional tools and techniques to help maintain your required\nlevel of compliance and enable your team to follow the best practices of data management and overall\ncybersecurity management.\n\nConfigure Google Cloud and Assured Workloads for shared responsibility\n----------------------------------------------------------------------\n\nThe following areas are customer responsibilities as a user of any public cloud:\n\n- Understanding what portions of your data have different compliance and security requirements. Most cloud customers have some IT infrastructure which requires general commercial security, and some customers have specific data, such as health data, which must meet a higher compliance requirement. Assured Workloads can help to meet those higher compliance requirements. Place any sensitive or regulated data with specific access or residency requirements inside appropriate Assured Workloads folders or projects and keep it there.\n- Configuring Identity and Access Management (IAM) to ensure that the contents of your organization are accessed and modifiable by the appropriate personnel.\n- Creating and organizing your organizational hierarchy such that it does not expose personal data.\n- Ensuring you have read all documentation to understand and follow best practices.\n- Sharing information prudently during technical support sessions and troubleshooting, and **not placing or sharing sensitive or regulated data** outside compliant Assured Workloads folders.\n\nThe scope of sensitive or regulated data can vary depending on many factors including regulations\nyou or your customers are subject to and can include:\n\n- Account information\n- Health information\n- Personal identifiers for customers or users\n- Cardholder data\n- ID numbers\n\nGoogle's responsibilities in the shared responsibility model\n------------------------------------------------------------\n\nIn the shared responsibility partnership between Google and customers, Google takes\nresponsibility for the foundational elements and infrastructure of building a successful cloud\nbusiness, some of which rely on customers undertaking their responsibilities to configure\nGoogle Cloud to adequately protect their data. Examples of Google's responsibilities\ninclude:\n\n- Applying [default encryption](/docs/security/encryption/default-encryption) and [infrastructure controls](/docs/security/infrastructure/design).\n- Enforcing the IAM policies that you set to restrict workload administration and data access to the identities that you identify.\n- Configuring and enforcing any customer-selected Assured Workloads controls associated with your selected compliance regime, for the protected data types in the resources you have configured it for. This includes restrictions on where data will be stored and which Google employees can have access to your data in the course of their appropriate business activities.\n- Providing configurations and controls through Assured Workloads for regulated industries and locationally sensitive data.\n- Providing [Organization policies](/resource-manager/docs/organization-policy/overview) and [resource settings](/resource-manager/docs/cloud-platform-resource-hierarchy) that let you configure policies throughout your hierarchy of folders and projects.\n- Providing [Policy Intelligence tools](/policy-intelligence/docs/overview) that give you insights on access to accounts and resources.\n\nConfiguration specific to Europe and the EU\n-------------------------------------------\n\nWhen using Assured Workloads for EU Regions or Sovereign Controls for EU, customers have\nadditional technical controls on top of the GDPR assurances made on Google Cloud that they can\nuse to adjust their data residency and security controls as part of their compliance efforts. Some\nof these controls include:\n\n- An EU data boundary as further described in [Data residency](/assured-workloads/docs/data-residency).\n- Support routing to EU persons in EU locations, including subprocessors.\n- Visibility into Administrative Access requests and accesses.\n- Policy-driven access approvals (Sovereign Controls only).\n- Custom options for data encryption and key management.\n\nExamples of common fields that are not recommended for sensitive or regulated data\n----------------------------------------------------------------------------------\n\nWe strongly recommend all regulated and sovereign customers to exercise caution when inputting\ndata into Google Cloud services. It's critical to avoid adding sensitive or regulated data\ninto common input fields that may not be protected by technical controls or aren't included in the\nAssured Workloads technical control boundary. This practice is necessary to maintain compliance with\nregulatory requirements and safeguards your sensitive or regulated information. To assist you, we\ncompiled a list of examples across various Google Cloud services where extra vigilance is\nrequired.\n\nAvoid placing your sensitive or regulated data in the following common fields:\n\n- Resource names and IDs\n- Project or folder names and IDs\n- Any description fields or labels\n- Log-based metrics\n- VM sizes and similar service configurations\n- URIs or file paths\n- Timestamps\n- User IDs\n- Firewall rules\n- Security scanning configurations\n- Customer IAM policies\n\nWhat's next\n-----------\n\n- Learn more about [Shared responsibilities and shared fate on Google Cloud](/architecture/framework/security/shared-responsibility-shared-fate)."]]
