Google Cloud Well-Architected Framework skill for the Security pillar

Overview

The security pillar of the Google Cloud Well-Architected Framework provides design principles and best practices for building a robust security posture by integrating security into every layer of the architecture for cloud workloads. It focuses on maintaining confidentiality and integrity of data and systems while ensuring compliance and privacy. It provides a structured approach to risk management, threat defense, and identity control, enabling you to operate cloud workloads securely and at scale.

Core principles

The recommendations in the security pillar of the Well-Architected Framework are aligned with the following core principles:

• Implement security by design: Integrate cloud security and network security considerations starting from the initial design phase of your applications and infrastructure. Google Cloud provides architecture blueprints and recommendations to help you apply this principle. Grounding document: https://docs.cloud.google.com/architecture/framework/security/implement-security-by-design

• Implement zero trust: Use a never trust, always verify approach, where access to resources is granted based on continuous verification of trust. Google Cloud supports this principle through products like Chrome Enterprise Premium and Identity-Aware Proxy (IAP). Grounding document: https://docs.cloud.google.com/architecture/framework/security/implement-zero-trust

• Implement shift-left security: Implement security controls early in the software development lifecycle. Avoid security defects before system changes are made. Detect and fix security bugs early, fast, and reliably after the system changes are committed. Google Cloud supports this principle through products like Cloud Build, Binary Authorization, and Artifact Registry. Grounding document: https://docs.cloud.google.com/architecture/framework/security/implement-shift-left-security

• Implement preemptive cyber defense: Adopt a proactive approach to security by implementing robust fundamental measures like threat intelligence. This approach helps you build a foundation for more effective threat detection and response. Google Cloud's approach to layered security controls aligns with this principle. Google Cloud supports this principle through products like Security Command Center, Google Threat Intelligence, and Google SecOps. Grounding document: https://docs.cloud.google.com/architecture/framework/security/implement-preemptive-cyber-defense

• Use AI securely and responsibly: Develop and deploy AI systems in a responsible and secure manner. The recommendations for this principle are aligned with guidance in the AI and ML perspective of the Well-Architected Framework and in Google's Secure AI Framework (SAIF). Grounding document: https://docs.cloud.google.com/architecture/framework/security/use-ai-securely-and-responsibly

• Use AI for security: Use AI capabilities to improve your existing security systems and processes through Gemini in Security and overall platform-security capabilities. Use AI as a tool to increase the automation of remedial work and ensure security hygiene to make other systems more secure. Google Cloud supports this principle through products like Google Threat Intelligence and Google SecOps. Grounding document: https://docs.cloud.google.com/architecture/framework/security/use-ai-for-security

• Meet regulatory, compliance, and privacy needs: Adhere to industry-specific regulations, compliance standards, and privacy requirements. Google Cloud helps you meet these obligations through products like Assured Workloads, Organization Policy Service, and our compliance resource center. Grounding document: https://docs.cloud.google.com/architecture/framework/security/meet-regulatory-compliance-and-privacy-needs

Relevant Google Cloud products

The following are examples of Google Cloud products and features that are relevant to security:

• Identity and access management

  • Identity and Access Management (IAM): Fine-grained access control for Google Cloud resources.
  • Identity-Aware Proxy (IAP): Secure access to applications without a VPN.
  • Chrome Enterprise Premium: Endpoint security and context-aware access.

• Network security

  • Google Cloud Armor: DDoS protection and Web Application Firewall (WAF).
  • VPC Service Controls: Define security perimeters to prevent data exfiltration.
  • Cloud Next-Generation Firewall (NGFW): Advanced threat protection for network traffic.
  • Shared VPC: Centralized network management across projects.
  • Cloud Interconnect and IPsec VPN: Secure, private connectivity.

• Data security

  • Cloud Key Management Service (KMS): Manage encryption keys.
  • Sensitive Data Protection (formerly Cloud DLP): Discover and redact sensitive data.
  • Confidential Computing: Encrypt data in use (memory).

• Security operations (SecOps)

  • Google SecOps (Chronicle): Threat detection and security analytics.
  • Security Command Center (SCC): Centralized vulnerability and threat management.
  • Cloud Logging and Cloud Monitoring: Visibility into system activity.

• Automation and supply chain

  • Cloud Build: Secure CI/CD pipelines.
  • Artifact Analysis: Vulnerability scanning for container images.
  • Binary Authorization: Deploy-time policy enforcement.
  • Assured open source software: Use secured OSS packages.

Workload assessment questions

Ask appropriate questions to understand the security-related requirements and constraints of the workload and the user's organization. Choose questions from the following list:

• Security by design:

  • How do you incorporate security considerations into your project's initial planning and design phases?
  • How do you define and document security requirements for new applications and services?
  • How do you ensure that security is integrated into your development lifecycle?
  • What tools and techniques do you use to perform threat modeling during the design phase?
  • How do you manage and prioritize security vulnerabilities discovered during the design and development process?
  • How do you handle security updates and patches for your applications and infrastructure?
  • How do you document and communicate security design decisions to your team and stakeholders?
  • How do you ensure that security configurations are consistently applied across your environments?
  • How do you validate the effectiveness of your security controls and measures?
  • How do you handle security exceptions and deviations from your security design?

• Zero trust:

  • How do you verify and authenticate users and devices accessing your Google Cloud resources?
  • How do you implement the principle of least privilege for access control?
  • How do you monitor and control network traffic within your Google Cloud environment?
  • How do you secure data in transit and at rest in your Google Cloud environment?
  • How do you implement continuous monitoring and logging of user and device activity?
  • How do you handle and respond to security incidents and breaches in a Zero Trust environment?
  • How do you manage and update security policies and controls in a Zero Trust environment?
  • How do you ensure that third-party applications and services comply with your Zero Trust principles?
  • How do you handle remote access and BYOD devices in a Zero Trust environment?
  • How do you educate and train your employees on Zero Trust principles and practices?

• Shift-left security:

  • How do you integrate security testing into your development pipeline early in the process?
  • What types of security testing do you perform during the development phase?
  • How do you provide developers with feedback on security vulnerabilities and best practices?
  • How do you empower developers to take ownership of security in their code?
  • How do you ensure that security requirements are clearly defined and communicated to developers?
  • How do you measure the effectiveness of your Shift Left security initiatives?
  • How do you handle security dependencies and third-party libraries in your code?
  • How do you manage and update security configurations in your development environment?
  • How do you handle security exceptions and deviations from your security policies in development?
  • How do you promote a culture of security awareness and responsibility among developers?

• Preemptive cyber defense:

  • How do you proactively identify and mitigate potential security threats before they impact your systems?
  • What tools and techniques do you use for continuous security monitoring and analysis?
  • How do you respond to and remediate security alerts and incidents?
  • How do you simulate and test your incident response plans?
  • How do you stay up-to-date with the latest security threats and vulnerabilities?
  • How do you handle and mitigate DDoS attacks against your applications and services?
  • How do you protect your sensitive data from insider threats?
  • How do you ensure that your security controls are effective against advanced persistent threats (APTs)?
  • How do you handle security vulnerabilities in your supply chain?
  • How do you adapt your security posture to evolving threats and technologies?

• Security of AI workloads:

  • How do you ensure the security of your AI models and data?
  • How do you address potential biases and ethical concerns in your AI models?
  • How do you protect your AI models from adversarial attacks and data poisoning?
  • How do you ensure the privacy of data used in your AI models?
  • How do you explain and interpret the decisions made by your AI models?
  • How do you manage and control access to your AI models and data?
  • How do you ensure compliance with regulations and standards related to AI and ML?
  • How do you monitor and detect anomalies in the behavior of your AI models?
  • How do you handle and respond to security incidents involving your AI models?
  • How do you educate and train your employees on the secure and responsible use of AI and ML?

• AI for security:

  • How do you leverage AI and ML to enhance your security posture?
  • What types of AI models do you use for security purposes?
  • How do you train and validate your AI models for security applications?
  • How do you ensure the accuracy and reliability of AI-based security systems?
  • How do you handle false positives and false negatives from AI-based security systems?
  • How do you integrate AI-based security systems with your existing security infrastructure?
  • How do you manage and update your AI models for security applications?
  • How do you explain and interpret the decisions made by your AI models for security applications?
  • How do you ensure the ethical and responsible use of AI and ML for security purposes?
  • How do you measure the effectiveness of AI and ML in improving your security posture?

• Regulatory compliance and privacy:

  • What regulatory compliance frameworks and privacy standards do you need to adhere to?
  • How do you assess and manage compliance risks in your Google Cloud environment?
  • How do you ensure the privacy of sensitive data stored and processed in Google Cloud?
  • How do you handle data subject requests (DSRs) related to privacy regulations?
  • How do you document and track compliance activities and evidence?
  • How do you ensure that third-party vendors and partners comply with your regulatory and privacy requirements?
  • How do you handle data breaches and security incidents related to compliance regulations?
  • How do you stay up-to-date with changes in regulatory compliance and privacy standards?
  • How do you educate and train your employees on regulatory compliance and privacy requirements?
  • How do you demonstrate and prove compliance to auditors and regulators?

Validation checklist

Use the following checklist to evaluate the architecture's alignment with security recommendations:

• Security by design:

  • Are system components selected based on their security features and hardening?
  • Is defense-in-depth implemented at the network, host, and application layers?
  • Are safe libraries and application frameworks used to prevent common vulnerabilities?
  • Is a risk assessment performed using industry standards?

• Zero trust:

  • Is access control enforced based on user identity and context (device, location)?
  • Are private connectivity methods (Cloud Interconnect, VPN) used for internal traffic?
  • Are default networks disabled in all projects?
  • Are VPC Service Controls perimeters established around sensitive data?

• Shift-left security:

  • Is infrastructure provisioned using Infrastructure as Code (e.g., Terraform)?
  • Are automated security scans integrated into the CI/CD pipeline?
  • Is there a process for scanning and patching vulnerabilities in dependencies?
  • Is Binary Authorization used to ensure only trusted images are deployed?

• Preemptive cyber defense:

  • Is threat intelligence integrated into security operations?
  • Is security logging enabled and centralized for all critical resources?
  • Are automated responses configured for common security threats?
  • Are defenses validated through periodic testing or red-teaming?

• AI security and governance:

  • Are AI pipelines secured against tampering and data poisoning?
  • Is differential privacy or data masking used for training data where appropriate?
  • Are Vertex Explainable AI and fairness indicators used for model governance?