Infrastructure Security and Availability

Hardening 

The service is deployed in a microservices architecture orchestrated by Kubernetes. Containers are deployed from hardened images and are patched regularly.

Intrusion Detection 

The service network environment is protected against DDoS attacks and other web attacks using Google Cloud Armor, which also provides WAF protection. Cloud Armor is also configured with rules that mitigate OWASP Top 10 risks, preventing amongst others, cross site scripting, sql injection and remote code execution.

Scanning 

We implement a comprehensive CNAPP approach that includes multiple scans of code, infrastructure, and networks, leveraging internal Google commercial scanning tools.  

A CSPM tool is used for ongoing monitoring and enhancing of the service security posture. 

Monitoring and Alerts 

Critical infrastructure components and services produce detailed logs which are monitored 24x7. Alerts are generated and addressed based on event criticality by on-call personnel. Tier-3 support available on shift to handle escalated situations. 

In addition, Google Security Operations runs services that constantly monitor solution components such as services, disk space availability and web services availability. In the case of failure, notification is automatically sent to on-call personnel who can restore service according to SLA terms. 

Backup and Restore

Customers' data is stored in the Google SecOps service database, which is deployed in a multi-zone architecture. The DB undergoes continuous backup and a daily full backup snapshot.