Mantenha tudo organizado com as coleções
Salve e categorize o conteúdo com base nas suas preferências.
A segurança é uma responsabilidade compartilhada. O Dataflow protege a infraestrutura
escalonável usada para executar os pipelines do Dataflow e
fornece ferramentas e controles de segurança para proteger dados, códigos e modelos.
Embora não seja uma lista completa, este documento lista as responsabilidades do
Google e do cliente.
Responsabilidades do Google
Proteger a infraestrutura: o Google é responsável por fornecer infraestrutura segura para os serviços, incluindo segurança física dos data centers, da rede e dos aplicativos.
Proteger a plataforma: o Google é responsável por proteger a plataforma, incluindo o gerenciamento de controles de acesso, o monitoramento de incidentes de segurança e a resposta a eventos de segurança. O Google também fornece aos clientes ferramentas para gerenciar as próprias configurações de segurança.
Manter a conformidade: o Google obedece às leis e regulamentações de proteção de dados relevantes. Saiba mais sobre a conformidade do Google Cloud.
Proteger e corrigir imagens: o Google protege e corrige o sistema operacional
de imagens de base usadas pelas
imagens pertencentes ao Dataflow. O Google disponibiliza todos os patches dessas
imagens.
Os boletins de segurança são fornecidos
para vulnerabilidades conhecidas.
Responsabilidades do cliente
Use e atualize seu ambiente para as versões mais recentes de
contêineres e imagens de VM do Dataflow:
o Dataflow fornece contêineres e imagens de VM predefinidos para simplificar
o uso dos serviços. O Google vai criar novas versões dessas imagens quando
vulnerabilidades forem identificadas. É sua responsabilidade monitorar
boletins de segurança e atualizar o
ambiente imediatamente quando novas versões estiverem disponíveis.
Você é responsável por garantir que configurou corretamente seus serviços para usar a versão mais recente ou fazer upgrade manualmente para a versão mais recente. Para usar as VMs mais recentes, reinicie
jobs de longa duração
atualizados. Para mais
informações, consulte
Fazer upgrade e corrigir VMs do Dataflow.
Para gerenciar problemas de segurança de forma responsiva, é recomendável usar
imagens de contêiner personalizadas.
Se você estiver usando uma
imagem de base do modelo Flex,
use imagens de base Distroless sempre que possível para garantir a segurança e reduzir os riscos de vulnerabilidade.
Gerenciar controles de acesso: você é responsável por gerenciar os controles de acesso aos seus dados e serviços. Isso inclui o gerenciamento de controles de autorização, acesso e autenticação do usuário e a proteção dos seus próprios aplicativos e dados. Saiba mais sobre a segurança e as permissões do Dataflow.
Aplicativos seguros: você é responsável por proteger seus próprios
aplicativos em execução no Dataflow, incluindo
a implementação de práticas de codificação seguras e o teste regular de
vulnerabilidades.
[[["Fácil de entender","easyToUnderstand","thumb-up"],["Meu problema foi resolvido","solvedMyProblem","thumb-up"],["Outro","otherUp","thumb-up"]],[["Difícil de entender","hardToUnderstand","thumb-down"],["Informações incorretas ou exemplo de código","incorrectInformationOrSampleCode","thumb-down"],["Não contém as informações/amostras de que eu preciso","missingTheInformationSamplesINeed","thumb-down"],["Problema na tradução","translationIssue","thumb-down"],["Outro","otherDown","thumb-down"]],["Última atualização 2025-08-18 UTC."],[[["\u003cp\u003eSecurity within Dataflow is a shared responsibility between Google, which secures the infrastructure and platform, and the customer, who manages their own data and applications.\u003c/p\u003e\n"],["\u003cp\u003eGoogle ensures the security of its infrastructure, platform, compliance, and base images, while also providing tools for customers to manage their own security settings.\u003c/p\u003e\n"],["\u003cp\u003eCustomers are responsible for updating their environment to the latest versions of Dataflow containers and VM images, including managing custom images and using distroless base images where applicable.\u003c/p\u003e\n"],["\u003cp\u003eCustomers must manage access controls, secure their own applications, monitor for security incidents, and promptly report any vulnerabilities to Google.\u003c/p\u003e\n"],["\u003cp\u003eIt is important for customers to subscribe to Dataflow security bulletins, follow Dataflow release notes, follow Apache Beam release notes, and avoid the deprecated Monitoring agent option.\u003c/p\u003e\n"]]],[],null,["# Dataflow shared responsibility\n\nSecurity is a shared responsibility. Dataflow secures the scalable\ninfrastructure that you use to run your Dataflow pipelines and\nprovides you tools and security controls to protect your data, code, and models.\nWhile not an exhaustive list, this document lists the responsibilities for both\nGoogle and the customer.\n\nGoogle's responsibilities\n-------------------------\n\n- **Protect the infrastructure**: Google is responsible for providing secure\n infrastructure for its services, including physical security of data centers,\n network security, and application security.\n\n- **Secure the platform**: Google is responsible for securing its platform,\n including managing access controls, monitoring for security incidents, and\n responding to security events. Google also provides customers with tools to\n manage their own security settings and configurations.\n\n- **Maintain compliance** : Google maintains compliance with relevant data\n protection laws and regulations. Learn more about\n [Google Cloud compliance](/security/compliance).\n\n- **Harden and patch images** : Google hardens and patches the operating system\n of [base images](/software-supply-chain-security/docs/base-images) used by the\n Dataflow-owned images. Google promptly makes any patches to\n these images available.\n [Security bulletins](/dataflow/docs/security-bulletins) are provided\n for known vulnerabilities\n\nCustomer's responsibilities\n---------------------------\n\n- **Use and update your environment to the latest versions of\n Dataflow containers and VM images** :\n Dataflow provides prebuilt containers and VM images to simplify\n the use of its services. Google will create new versions of these images when\n vulnerabilities are identified. It is your responsibility to monitor for\n [security bulletins](/dataflow/docs/security-bulletins) and update your\n environment promptly when new versions are available.\n\n You are responsible for ensuring\n that you properly configured your services to use the latest version, or to\n manually upgrade to the latest version. To use the latest VMs, restart\n long-running jobs by\n [updating the job](/dataflow/docs/guides/updating-a-pipeline). For more\n information, see\n [Upgrade and patch Dataflow VMs](/dataflow/docs/concepts/security-and-permissions#upgrade-patch).\n To manage security issues responsively, it is recommended that you use\n custom container images.\n\n If you're using a\n [custom container image](/dataflow/docs/guides/using-custom-containers)\n or a\n [custom template](/dataflow/docs/guides/templates/creating-templates),\n you're responsible for scanning and patching the custom images to mitigate\n vulnerabilities.\n\n If you're using a\n [Flex Template base image](/dataflow/docs/reference/flex-templates-base-images),\n to ensure security and reduce vulnerability risks, use Distroless base images\n when possible.\n- **Manage access controls** : You are responsible for managing access\n controls to your own data and services. This includes managing user access,\n authentication, and authorization controls, and securing your own\n applications and data. Learn more about\n [Dataflow security and permissions](/dataflow/docs/concepts/security-and-permissions).\n\n- **Secure applications**: You are responsible for securing your own\n applications running on Dataflow, including\n implementing secure coding practices and regularly testing for\n vulnerabilities.\n\n Learn more about\n [Customer-managed encryption keys](/dataflow/docs/guides/customer-managed-encryption-keys),\n [networks and VPC Service Controls](/dataflow/docs/guides/specifying-networks),\n and [permissions best practices](/dataflow/docs/concepts/security-and-permissions#best-practices).\n- **Monitor for security incidents**: You are responsible for monitoring\n your own applications for security incidents, and reporting any\n incidents to Google as necessary.\n\n - Subscribe to the [Dataflow security bulletins](/dataflow/docs/security-bulletins).\n - Follow the [Dataflow release notes](/dataflow/docs/release-notes).\n - Follow the [Apache Beam release notes](/dataflow/docs/resources/release-notes-apache-beam).\n - Learn more about [Monitoring](/dataflow/docs/guides/using-cloud-monitoring) and [Audit logging](/dataflow/docs/audit-logging).\n\n | **Note:** When using the Monitoring agent, the `--experiments=enable_stackdriver_agent_metrics` option uses a deprecated container image that isn't maintained and might have unpatched vulnerabilities. We recommend that you don't use this option.\n\nWhat's next\n-----------\n\n- Learn more about [shared responsibilities on Google Cloud](/architecture/framework/security/shared-responsibility-shared-fate).\n- Learn about how to [protect your software supply chain](/software-supply-chain-security/docs/practices)."]]