Data in the Google Cloud
− Encrypted in transit
• AES-256 with symmetric keys
  − Keys are encrypted with a master key
  − Key rotation is automatic
• Some services allow you to use your own keys
  − Google Compute disks
  − Cloud Storage
Dedicated Interconnect
connection in a co-located facility
  − Traffic does not traverse the public internet
  − Private addresses are directly accessible
• Between 1 and 8 10 Gbps connections per interconnect
• Not encrypted: still consider a VPN
• More cost effective for high volumes of traffic
Accessing your Data
a Gmail or G Suite account
• Cloud Identity & Access Management (IAM)
  − Fine-grained set of configurable permissions
  − Permissions can be collected into a role
    • Primitive roles
    • Predefined roles
    • Custom roles
Cloud Audit Logging
− Admin Activity
− Data Access
• Activity can be alerted upon
  − Define a metric in Stackdriver Logging
  − Create an alert in Stackdriver Monitoring
• Not all services log data access
  − All will, with many currently in beta
Cost considerations
Nearline when data is accessed once a month
  − Use Coldline when data is accessed once a year
• Data Access logs will be excessive
  − Consider logging access only to sensitive data
• Set a budget
  − Budgets can be defined in Billing
  − Alerts can be raised if a budget is exceeded
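Added example (not from the slides): a small triage function for Cloud Audit Log entries exported from Stackdriver Logging as JSON. It separates Admin Activity from Data Access entries by log name and, as the Cost considerations slide suggests, keeps Data Access entries only for buckets you mark as sensitive, which is what you would feed into a log-based metric and alert. The project id, principals and bucket names are constructed placeholders, and the sensitive-bucket set is an assumption.

```python
"""Triage exported Cloud Audit Log entries: keep Admin Activity, filter Data Access."""
import json
from urllib.parse import unquote

# Audit log names end with the log type; the slash is URL-encoded in exports.
ADMIN_ACTIVITY = "cloudaudit.googleapis.com/activity"
DATA_ACCESS = "cloudaudit.googleapis.com/data_access"

# Assumption: the buckets whose Data Access entries are worth retaining and alerting on.
SENSITIVE_BUCKETS = {"example-sensitive-bucket"}


def make_entry(log_type, method, principal, resource):
    """Build one constructed audit log line in the shape Cloud Logging exports."""
    return json.dumps({
        "logName": f"projects/example-project/logs/cloudaudit.googleapis.com%2F{log_type}",
        "protoPayload": {
            "serviceName": "storage.googleapis.com",
            "methodName": method,
            "authenticationInfo": {"principalEmail": principal},
            "resourceName": resource,
        },
    })


# Constructed sample lines: one IAM change, one read of sensitive data, one read of public data.
SAMPLE_LINES = [
    make_entry("activity", "storage.buckets.setIamPermissions", "admin@example.com",
               "projects/_/buckets/example-sensitive-bucket"),
    make_entry("data_access", "storage.objects.get", "analyst@example.com",
               "projects/_/buckets/example-sensitive-bucket/objects/customers.csv"),
    make_entry("data_access", "storage.objects.get", "build@example.com",
               "projects/_/buckets/example-public-assets/objects/logo.png"),
]


def audit_log_type(entry):
    """Return 'admin_activity', 'data_access' or None from the decoded logName suffix."""
    name = unquote(entry.get("logName", ""))
    if name.endswith(ADMIN_ACTIVITY):
        return "admin_activity"
    return "data_access" if name.endswith(DATA_ACCESS) else None


def bucket_of(entry):
    """Extract the bucket from a resourceName like projects/_/buckets/<b>/objects/<o>."""
    parts = entry.get("protoPayload", {}).get("resourceName", "").split("/")
    return parts[3] if len(parts) >= 4 and parts[2] == "buckets" else None


def triage(lines):
    """Keep every Admin Activity entry and only Data Access entries on sensitive buckets."""
    kept = []
    for line in lines:
        entry = json.loads(line)
        kind = audit_log_type(entry)
        if kind == "admin_activity" or (kind == "data_access" and bucket_of(entry) in SENSITIVE_BUCKETS):
            payload = entry["protoPayload"]
            kept.append((kind, payload["authenticationInfo"]["principalEmail"], payload["methodName"]))
    return kept
```

Pointing `triage` at a real export drops the high-volume Data Access noise for non-sensitive buckets before it is counted by a Stackdriver Logging metric.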
Summary
manage your keys
• Cloud VPN is sufficient for most use cases
• Judicious use of IAM
• Stackdriver is essential for
  • Audit logging
  • Cost management