Portfolio:Google Cloud
Google Cloud is a Google-driven suite of public, private, hybrid, and multicloud computing services that runs on the same infrastructure that Google uses internally for its end-user products.[1] Google Cloud boasts data centers in 37 regions, 112 zones, and 187 network edge locations.[2] More than 100 different products and services are associated with Google Cloud, representing elastic computing, networking, content delivery, data storage, database management, security management, enterprise management, data analysis, media management, container management, developer support, scientific computing, internet of things, and artificial intelligence.[3]
Provider research
This section uses public information to provide some answers to the 18 questions posed in Chapter 6 of the wiki-based guide Choosing and Implementing a Cloud-based Service for Your Laboratory. In some cases, public information could not be found, and a recommendation to further discuss the question with the cloud service provider (CSP) is made.
1. What experience do you have working with laboratory customers in our specific industry?
Examples of labs that have worked with Google Cloud at some point include the Department of Energy's National Labs[4], Hologic[5], IDEXX Laboratories[6], Spectra Laboratories[7], and Washington Laboratories.[8] It's also worth noting that some laboratory information management system (LIMS) developers have offered their solution on Google Cloud over the years, including GoMeyra Corporation[9], Online LIMS Canada Limited[10], and Persistent Systems Ltd.[11] A Google Cloud representative is likely to be able to supply more examples of laboratories and laboratory informatics developers that use or have used Google Cloud.
2. Can your solution readily integrate with our other systems and business processes, making it easier for our end users to perform their tasks?
It will ultimately be up to your organization to get an answer tailored to your systems and business processes. However, this much can be said about Google Cloud integrations. Google provides documentation about how to integrate your applications with its backend and frontend, including its APIs. Additionally, Google Cloud discusses at length the concept of data integration, including its Cloud Data Fusion (CDF) offering for hybrid and multicloud integration. The CDF library of connectors and transformations, along with its "end-to-end data lineage, integration metadata, and cloud-native security and data protection services," helps customers keep data integrated no matter its location.[12]
3. What is the average total historical downtime for the service(s) we're interested in?
Some public information is made available about historic outages and downtime. Google Cloud has a systems status page with status history (you have to click on the "View Summary and History" link at the bottom). You should be able to read through the incident details for each issue, going back through a fair amount of history. This will give you a partial picture of the issues experienced in the past, as well as any scheduled maintenance and currently impacted services. A follow-up on this question with a Google Cloud representative may reveal more downtime history for the services you are interested in.
4. Do we receive comprehensive downtime support in the case of downtime?
Google Cloud does not make this answer clear. However, the answer is likely tied to what after-sales support plan you choose. Confirm with Google Cloud what downtime support they provide based on the services your organization is interested in.
5. Where are your servers located, and how is data securely transferred to and from those servers?
Google Cloud has 37 regions it operates in[2], with each region having at least three zones[13], with more three-zone regions planned.[2] Google Cloud uses its content delivery network Cloud CDN, which "gives you the same world-class infrastructure to accelerate and secure mission critical web experiences at a global scale."[14] When moving data to and from on-premises and Google Cloud systems, multiple transfer options exist, including normal online transfer, a full-scale transfer service, transfer appliances, and scheduled SaaS data transfers.[15] Data in motion is encrypted following a strict company policy. As for data localization and residency requirements, Google Cloud gives customers many controls, including organization policies, Cloud IAM configurations, and VPC service controls.
6. Who will have access to our data (including subcontractors), and what credentials, certifications, and compliance training do they have?
In its security whitepaper, Google states the following[16]:
The physical security in Google data centers is a layered security model. Physical security includes safeguards like custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors, and biometrics. In addition, to detect and track intruders, we use security measures such as laser beam intrusion detection and 24/7 monitoring by high-resolution interior and exterior cameras. Access logs, activity records, and camera footage are available in case an incident occurs. Experienced security guards, who have undergone rigorous background checks and training, routinely patrol our data centers. As you get closer to the data center floor, security measures also increase. Access to the data center floor is only possible through a security corridor that implements multi-factor access control using security badges and biometrics. Only approved employees with specific roles may enter. Less than one percent of Google employees will ever set foot in one of our data centers.
For information about specific certifications and compliance training, discuss this with a Google Cloud representative.
7. Will our sensitive and regulated data be stored on a machine dedicated to complying with the necessary regulations?
Not all Google Cloud machines have the same controls on them; it will depend on the region, product, and compliance requirements of your lab. That said, verify with a representative that the machine your data will land on meets all the necessary regulations affecting your data.
8. How segregated is our cloud data from another customer's, i.e., will lapses of security of another customer's cloud affect our cloud? (It typically won't, but asking the question will hopefully prompt the provider to better explain how your data is segregated.)
Unlike other cloud providers, it's not entirely clear what Google Cloud's stance is on physical separation. The only information to be found was a sentence in their security whitepaper[16]: "Our infrastructure is designed to logically isolate each customer's data from the data of other customers and users, even when it's stored on the same physical server." Presumably the type of data you have will determine which servers you should use, based upon those servers' compliance ratings. You'll have to have a discussion with a Google Cloud representative to learn more about their position on physical separation of data.
Tenant isolation is addressed by Google Cloud under the scope of Kubernetes in its documentation. However, like many aspects of security, configuration and best practices are a shared responsibility. Additional details about multi-tenancy and related security on Google Cloud can be found under the "Secure Service Deployment" section of their Google Infrastructure Security Design Overview document. Consult with a representative to learn more.
9. Do you have documented data security policies?
Google Cloud documents its security practices in several places:
- Google cloud security showcase
- Google infrastructure security design overview
- Google security whitepaper
- Google SOC 2 documents
Some security-related documents may not be publicly available, requiring direct discussion with a Google Cloud representative to obtain them.
10. How do you test your platform's security?
Google Cloud has information scattered around in its documentation. Most notable is this passage from its security whitepaper[16]:
Our dedicated security team includes some of the world's foremost experts in information security, application security, cryptography, and network security. This team maintains our defense systems, develops security review processes, builds security infrastructure, and implements our security policies. The team actively scans for security threats using commercial and custom tools. The team also conducts penetration tests and performs quality assurance and security reviews.
The company also mentions that they conduct "intensive automated and manual penetration efforts, including extensive Red Team exercises."[16]
There are other pieces of information related to non-Google Cloud personnel testing the platform. Under its Cloud Data Processing Addendum, customers have some audit rights, though these are limited to those affected by GDPR or Model Contract Clauses. Otherwise, the customer must rely on third-party audit results.[17]
11. What are your policies for security audits, intrusion detection, and intrusion reporting?
Audits: Google Cloud has this to say about security audits:
- "We vet the component vendors that we work with and choose components with care. We work with vendors to audit and validate the security properties that are provided by the components."[18]
- "We have a dedicated internal audit team that reviews our products' compliance with security laws and regulations around the world. As new auditing standards are created and existing standards are updated, the internal audit team determines what controls, processes, and systems are needed in order to help meet them. This team supports independent audits and assessments by third parties."[16]
- "Our dedicated security teams, privacy teams, and internal audit teams monitor and audit employee access, and we provide audit logs to you through Access Transparency for Google Cloud."[16]
Intrusion detection and reporting: Google Cloud provides Security Command Center to its customers for intrusion detection and reporting.[19] As for its own intrusion detection, Google Cloud discusses this in its Google Infrastructure Security Design Overview document[18]:
We use sophisticated data processing pipelines to integrate host-based signals on individual devices, network-based signals from various monitoring points in the infrastructure, and signals from infrastructure services. Rules and machine intelligence built on top of these pipelines give operational security engineers warnings of possible incidents. Our investigation and incident-response teams triage, investigate, and respond to these potential incidents 24 hours a day, 365 days a year.
12. What data logging information is kept and acted upon in relation to our data?
Google Cloud mentions data logging in several places:
- Google employee access to end user information[16]
- speech-to-text information and various other types of information (if opted in to data logging program)[20]
However, it's not clear what other data logging they may conduct and act upon related to your data. Talk to a representative to determine this.
13. How thorough are those logs and can we audit them on-demand?
Google Cloud users can view their own logs through tools like Google's Cloud Logging service and its Cloud Audit Logs. However, unlike Alibaba, it's unclear if you are able to audit internal Google Cloud operation logs on-demand. This is a conversation to have with a Google Cloud representative.
14. For HIPAA-eligible data (e-PHI) we may have, will you sign a business associate agreement?
Yes, AWS will sign a business associate agreement.[21] Consult their HIPAA compliance page for more details on their approach to HIPAA compliance.
15. What happens to our data should the contract expire or be terminated?
Google Cloud makes several statements about customer data in its platform terms:
- "If the Agreement is terminated, then (a) all rights and access to the Services will terminate (including access to Customer Data, if applicable), unless otherwise described in this Agreement ..."[22]
- "If Customer wishes to retain any Customer Data after the end of the Term, it may instruct Google in accordance with Section 9.1 (Access; Rectification; Restricted Processing; Portability) to return that data during the Term. Subject to Section 6.3 (Deferred Deletion Instruction), Customer instructs Google to delete all remaining Customer Data (including existing copies) from Google’s systems at the end of the Term in accordance with applicable law. After a recovery period of up to 30 days from that date, Google will comply with this Instruction as soon as reasonably practicable and within a maximum period of 180 days, unless European Law requires storage."[17]
16. What happens to our data should you go out of business or suffer a catastrophic event?
It's not publicly clear how Google Cloud would handle your data should they go out of business, nor do they mention much about catastrophic loss on their site. Google Cloud discusses disaster recovery and data loss in its Cloud Architecture Center. The company states in their platform terms, however, that "neither party will be liable for failure or delay in performance to the extent caused by circumstances beyond its reasonable control, including acts of God, natural disasters, terrorism, riots, or war."[22] Like other cloud providers, Google Cloud uses three-zone regions for redundancy: "Putting resources in different zones in a region reduces the risk of an infrastructure outage affecting all resources simultaneously. Putting resources in different regions provides an even higher degree of failure independence. This lets you design robust systems with resources spread across different failure domains."[23] It's highly unlikely that all three zones would be affected in a catastrophic event. However, if this is a concern, discuss further data redundancy with a Google Cloud representative.
17. Can we use your interface to extract our data when we want, and in what format will it be?
Google Cloud advertises their Cloud Storage Transfer Service as a software service that allows you to "transfer data quickly and securely between object and file storage across Google Cloud, Amazon, Azure, on-premises, and more."[24] They also provide guidance on extracting data out of their multi-cloud data warehouse BigQuery. Google Cloud has also published a Transparency Declaration that maps their processes to the voluntary SWIPO (Switching Cloud Providers and Porting Data) codes of conduct.[25] Read more about this on their SWIPO page.
18. Are your support services native or outsourced/offshored?
It is unclear if support personnel are local to the customer or if support is outsourced to another business and country. Discuss this with a Google Cloud representative.
Managed security services
Google discontinued its managed services offerings in the United States in 2019.[26]
Additional information
Documentation and other media
External links
- Google Cloud architecture framework or description
- Google Cloud shared responsibility model
- Google Cloud trust center
References
- [1] "Why Google Cloud". Google. https://cloud.google.com/why-google-cloud. Retrieved 02 August 2023.
- [2] "Cloud locations". Google Cloud. https://cloud.google.com/about/locations. Retrieved 02 August 2023.
- [3] "Google Cloud Products". Google. https://cloud.google.com/products. Retrieved 02 August 2023.
- [4] Nyczepir, D. (15 October 2020). "DOE research facilities move to Google Cloud". FedScoop. https://www.fedscoop.com/doe-google-cloud-productivity-tools/. Retrieved 02 August 2023.
- [5] Ford, O. (2 February 2021). "Hologic is Reaching for the (Google) Cloud with New Collaboration". Medical Device and Diagnostic Industry. https://www.mddionline.com/digital-health/hologic-reaching-google-cloud-new-collaboration. Retrieved 02 August 2023.
- [6] "IDEXX Laboratories: Using big data to be the top dog in animal diagnostics". Google Cloud. https://cloud.google.com/customers/idexx-laboratories. Retrieved 02 August 2023.
- [7] "Spectra Laboratories". ZoomInfo. https://www.zoominfo.com/c/spectra-laboratories-inc/112181570. Retrieved 02 August 2023.
- [8] "Washington Laboratories". ZoomInfo. https://www.zoominfo.com/c/washington-laboratories-ltd/41451684. Retrieved 02 August 2023.
- [9] "GoMeyra Policies". GoMeyra Corporation. Archived from the original on 19 April 2021. https://web.archive.org/web/20210419034125/https://www.gomeyra.com/policies/. Retrieved 02 August 2023.
- [10] "Online LIMS Canada". ZoomInfo. https://www.zoominfo.com/c/online-lims-canada-limited/84935207. Retrieved 02 August 2023.
- [11] "Accelerate your digital transformation journey with Google". Persistent Systems Ltd. https://www.persistent.com/partner-ecosystem/google/. Retrieved 02 August 2023.
- [12] "Cloud Data Fusion". Google Cloud. https://cloud.google.com/data-fusion/. Retrieved 02 August 2023.
- [13] "Regions and zones". Compute Engine Documentation. Google Cloud. https://cloud.google.com/compute/docs/regions-zones. Retrieved 02 August 2023.
- [14] "Cloud CDN". Google Cloud. https://cloud.google.com/cdn. Retrieved 02 August 2023.
- [15] "Storage Transfer Service". Google Cloud. https://cloud.google.com/storage-transfer-service. Retrieved 02 August 2023.
- [16] "Google security overview". Google Cloud. May 2022. https://cloud.google.com/docs/security/overview/whitepaper. Retrieved 02 August 2023.
- [17] "Cloud Data Processing Addendum (Customers)". Google Cloud. 20 September 2022. https://cloud.google.com/terms/data-processing-addendum. Retrieved 02 August 2023.
- [18] "Google Infrastructure Security Design Overview" (PDF). Google Cloud. June 2023. https://cloud.google.com/static/docs/security/infrastructure/design/resources/google_infrastructure_whitepaper_fa.pdf. Retrieved 02 August 2023.
- [19] "Security Command Center". Google Cloud. https://cloud.google.com/security-command-center/. Retrieved 02 August 2023.
- [20] "Data logging". Cloud Speech-to-Text. Google Cloud. 2 August 2023. https://cloud.google.com/speech-to-text/docs/data-logging. Retrieved 02 August 2023.
- [21] "HIPAA Compliance on Google Cloud". Google Cloud. 27 July 2023. https://cloud.google.com/security/compliance/hipaa. Retrieved 02 August 2023.
- [22] "Google Cloud Platform Terms of Service". Google Cloud. 12 July 2023. https://cloud.google.com/terms. Retrieved 02 August 2023.
- [23] "Regions and zones". Compute Engine Documentation. Google Cloud. https://cloud.google.com/compute/docs/regions-zones. Retrieved 02 August 2023.
- [24] "Storage Transfer Service". Google Cloud. https://cloud.google.com/storage-transfer-service. Retrieved 02 August 2023.
- [25] "SWIPO Data Portability Code of Conduct". Google Cloud. https://cloud.google.com/security/compliance/swipo-codes. Retrieved 02 August 2023.
- [26] Weissbrot, A. (26 November 2019). "Google Exits Managed Services, Welcome News For Its Key Agency Partners". Ad Exchanger. https://adexchanger.com/agencies/google-exits-managed-services-welcome-news-for-its-key-agency-partners/. Retrieved 02 August 2023.