L4. The Shared Responsibility Model on Google Cloud
Google Cloud uses a shared responsibility model where Google and customers each own specific security layers. The Digital Leader exam tests what Google secures and what customers must secure themselves.
Shared Responsibility on Google Cloud
Google Cloud uses a shared responsibility model that divides security obligations between Google and the customer based on the service type.
Google's Responsibilities ("Security OF the Cloud")
Google is responsible for:
- Physical security: datacenter access controls, surveillance, personnel background checks
- Hardware security: secure boot for servers, hardware security chips, custom security ASICs (Titan chip)
- Network security: Google's global network infrastructure, DDoS mitigation
- Infrastructure security: hypervisor, host OS, kernel hardening
- Managed service security: for fully managed services (Cloud SQL, BigQuery, Pub/Sub), Google patches and secures the underlying platform
- Titan Security Key and Titan chip (custom hardware root of trust)
- BeyondCorp enterprise security model (zero trust for Google employees)
- BoringSSL (Google's maintained fork of OpenSSL)
- Third-party audits: ISO 27001, SOC 2, PCI DSS, FedRAMP
Customer Responsibilities ("Security IN the Cloud")
Customers are responsible for:
- Identity and access management: who has access to Google Cloud resources (Cloud IAM)
- Data classification and protection: which data is sensitive, how it is encrypted
- Application security: code running on Cloud Run, App Engine, GKE
- Network configuration: VPC design, firewall rules, private service access
- Compliance: meeting industry-specific requirements within the customer's scope
How Responsibility Shifts by Service
Compute Engine (IaaS):
- Google: hardware, hypervisor
- Customer: OS patches, application security, data encryption, network firewall rules
Cloud SQL (managed database, PaaS):
- Google: hardware, OS, database engine patching
- Customer: database access control, data encryption settings, network access, query security
Cloud Run (serverless):
- Google: hardware, OS, runtime, container security
- Customer: application code, IAM, secrets management
SaaS applications:
- Google: almost everything
- Customer: user access control, data sharing policies, phishing-resistant authentication
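The customer-side items above (VPC firewall rules for Compute Engine, Cloud IAM for every service) are configuration the customer owns and must audit. The script below is an added example, not part of this lesson or of any Google tooling: it reads two constructed JSON documents shaped like the output of `gcloud compute firewall-rules list --format=json` and `gcloud projects get-iam-policy PROJECT --format=json` (an assumption about field names; only the fields the script reads are included) and flags ingress rules open to the whole internet, bindings granted to `allUsers`/`allAuthenticatedUsers`, and basic roles (owner/editor/viewer) granted to service accounts. Resource names and principals in the samples are invented.

```python
"""Audit constructed gcloud-style JSON exports for customer-owned misconfigurations."""
import json

# Constructed sample shaped like `gcloud compute firewall-rules list --format=json`
# (assumed field names; only the fields read below are included).
FIREWALL_RULES_JSON = """
[
  {"name": "allow-ssh-anywhere", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "allow-internal", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["10.128.0.0/9"],
   "allowed": [{"IPProtocol": "all"}]},
  {"name": "allow-rdp-old", "direction": "INGRESS", "disabled": true,
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
  {"name": "egress-all", "direction": "EGRESS", "disabled": false,
   "destinationRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "all"}]}
]
"""

# Constructed sample shaped like `gcloud projects get-iam-policy PROJECT --format=json`.
IAM_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/viewer", "members": ["allAuthenticatedUsers"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers", "group:devs@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:app@example.iam.gserviceaccount.com"]}
  ]
}
"""

PUBLIC_RANGES = {"0.0.0.0/0", "::/0"}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
# Basic roles grant broad access across the whole project; least privilege
# means preferring predefined or custom roles, especially for workloads.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def open_ingress_rules(rules):
    """Return (name, ports) for enabled INGRESS rules reachable from any address."""
    findings = []
    for rule in rules:
        if rule.get("direction") != "INGRESS" or rule.get("disabled"):
            continue  # egress rules and disabled rules are not exposure
        if not PUBLIC_RANGES.intersection(rule.get("sourceRanges", [])):
            continue
        # A protocol entry without "ports" allows every port of that protocol.
        ports = [p for a in rule.get("allowed", []) for p in a.get("ports", ["all"])]
        findings.append((rule["name"], ports))
    return findings


def risky_iam_bindings(policy):
    """Return (kind, role, member) for public principals and basic roles on service accounts."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append(("public-principal", role, member))
            elif role in BASIC_ROLES and member.startswith("serviceAccount:"):
                findings.append(("basic-role-on-service-account", role, member))
    return findings


def audit(firewall_json=FIREWALL_RULES_JSON, iam_json=IAM_POLICY_JSON):
    """Run both checks over the exports and return the findings by category."""
    return {
        "open_ingress": open_ingress_rules(json.loads(firewall_json)),
        "iam": risky_iam_bindings(json.loads(iam_json)),
    }


if __name__ == "__main__":
    report = audit()
    for name, ports in report["open_ingress"]:
        print(f"FIREWALL  {name}: ingress from the internet on ports {ports}")
    for kind, role, member in report["iam"]:
        print(f"IAM       {kind}: {role} -> {member}")
```

Run against the constructed samples, only `allow-ssh-anywhere` is reported from the firewall rules (the RDP rule is disabled, the internal rule is restricted to a private range, and the egress rule is not an ingress exposure), while the IAM check reports the two public principals and the editor role on the service account. Replacing the constants with real `gcloud` output turns this into a quick check of the layers this lesson assigns to the customer; nothing here touches the layers Google secures.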
Google's Compliance Offerings
Google Cloud provides compliance documentation in the Compliance Reports Manager, which hosts audit reports (ISO, SOC, PCI DSS, etc.) for customers to access.
Exam tip: Google's Titan chip provides a hardware root of trust for servers. BeyondCorp is Google's zero-trust model applied internally. Customers always own their data, identities, application code, and access configurations.
- ✓ Google secures: physical datacenters, hardware (Titan chip), network, hypervisor, and managed service platforms
- ✓ Customers secure: IAM configurations, data classification, application code, VPC firewall rules
- ✓ Titan chip is Google's custom hardware security chip providing a hardware root of trust in every server
- ✓ BeyondCorp is Google's zero-trust enterprise security model; context-aware access without a VPN
- ✓ Compliance Reports Manager provides Google Cloud audit certifications (ISO 27001, SOC 2, PCI DSS)
1. An organization using Compute Engine discovers their VM's operating system has not been patched. Who is responsible for patching the Compute Engine guest OS?
2. Which Google hardware security technology provides a cryptographic root of trust embedded in every server in Google Cloud datacenters?