Data and infrastructure security overview

This page describes the data and infrastructure security that apply to Security Command Center.

Data processing

When you enroll in Security Command Center, Google Cloud processes information related to the Google Cloud services you use, including the following:

  • The configuration and metadata associated with your Google Cloud resources
  • The configuration and metadata for your Identity and Access Management (IAM) policies and users
  • Google Cloud-level API access patterns and usage
  • Cloud Logging contents for your Google Cloud organization
  • Security Command Center metadata, including service settings and security findings

Security Command Center processes data related to your cloud logs and assets that you configure to be scanned or monitored, including telemetry and other data therein, to provide findings and improve the service.

In order to protect your assets against new and evolving threats, Security Command Center analyzes data related to misconfigured assets, indicators of compromise in logs, and attack vectors. This activity may include processing to improve service models, recommendations for hardening customer environments, the effectiveness and quality of services, and user experience. If you prefer to use the service without your data being processed for purposes of improving the service, you can contact Google Cloud Support to opt out. Certain features that depend on security telemetry might not be available to you if you opt out. Examples of these are customized detections tailored to your environment, and service improvements that incorporate your service configurations.

Data is encrypted at rest and in transit between internal systems. Additionally, Security Command Center's data access controls are compliant with the Health Insurance Portability and Accountability Act (HIPAA) and other Google Cloud compliance offerings.

Limiting sensitive data

Administrators and other privileged users in your organization must exercise appropriate care when adding data to Security Command Center.

Security Command Center lets privileged users add descriptive information to Google Cloud resources and the findings generated by scans. In some cases, users may unknowingly relay sensitive data when using the product, for example, adding customer names or account numbers to findings. To protect your data, we recommended that you avoid adding sensitive information when naming or annotating assets.

As an additional safeguard, Security Command Center can be integrated with Sensitive Data Protection. Sensitive Data Protection discovers, classifies, and masks sensitive data and personal information, such as credit card numbers, Social Security numbers, and Google Cloud credentials.

Depending on the quantity of information, Sensitive Data Protection costs can be significant. Follow best practices for keeping Sensitive Data Protection costs under control.

For guidance on setting up Security Command Center, including managing resources, see Optimizing Security Command Center.

Data retention

Data that Security Command Center processes is captured and stored in findings that identify threats, vulnerabilities, and misconfigurations in the resources and assets within your organization, folders, and projects. Findings contain a series of daily snapshots that capture the state and properties of a finding each day.

With the Premium and Enterprise tiers, Security Command Center stores finding snapshots for 13 months. With the Standard tier, Security Command Center stores finding snapshots for 35 days. After the retention period, finding snapshots and their data are deleted from the Security Command Center database and cannot be recovered. This results in fewer snapshots in a finding, limiting the ability to view the history of a finding and how it's changed over time.

A finding persists in Security Command Center as long as it contains at least one snapshot that remains within the applicable retention period. To keep findings and all of their data for longer periods, export them to another storage location. To learn more, see Exporting Security Command Center data.

For all tiers, an exception to the retention periods applies when an organization is deleted from Google Cloud. When an organization is deleted, all findings derived from the organization and its folders and projects are deleted within the retention period documented in Data deletion on Google Cloud.

If Security Command Center is activated in one or more projects within an organization, but not in the organization as a whole, findings for each individual project are retained for 13 months for the Premium tier and 35 days for the Standard tier. The Enterprise tier does not support project-level activations. If a project is deleted, the findings from the project are not deleted at the same time, but are instead retained for the auditability of the organization that contained the deleted project. The retention period depends on the tier that was active in the deleted project: 13 months for the Premium tier or 35 days for the Standard tier.

If you delete a project and need to delete all of the findings for the project at the same time, contact Cloud Customer Care, who can initiate an early deletion of all findings in the project for you.

Infrastructure security

Security Command Center is built on top of the same infrastructure that Google uses for its own consumer and enterprise services. The layered security of our infrastructure is designed to protect all services, data, communications, and operations in Google Cloud.

To learn more about Google's infrastructure security, see Google infrastructure security design overview.

What's next