Data protection guidelines

The following guidelines for the minimum viable security platform align with the data protection pillar.

Basic level guidelines

Implement the following data protection guidelines first.

Item

Use uniform bucket-level access

Description

The storage.uniformBucketLevelAccess boolean constraint requires buckets to use uniform bucket-level access. With uniform bucket-level access enabled, only bucket-level Identity and Access Management (IAM) permissions can grant access to your Cloud Storage resources.

Using two different and conflicting systems to manage permissions on storage buckets is complex and a common cause of accidental data leaks. This setting turns off the legacy system (access control lists, or ACLs) and makes the modern, centralized system (IAM) the single source of truth for all permissions.

Related information
Item ID MVSP-CO-1.42
Mapping

Related NIST-800-53 controls:

  • AC-3
  • AC-17
  • AC-20

Related CRI profile controls:

  • PR.AC-3.1
  • PR.AC-3.2
  • PR.AC-4.1
  • PR.AC-4.2
  • PR.AC-4.3
  • PR.AC-6.1
  • PR.PT-3.1
  • PR.PT-4.1

Compliance Manager control:

Item

Restrict Cloud SQL public IP addresses

Description

Prevent Cloud SQL from having a public IP address and being directly exposed to the internet by setting the constraints/sql.restrictPublicIp organization policy constraint. Typically, databases aren't directly exposed to the internet.

Enforcing this constraint keeps your databases from being assigned public IP addresses, so that they remain private and are reachable only from trusted, internal applications.

Related information
Item ID MVSP-CO-1.45
Mapping

Related NIST-800-53 controls:

  • SC-7

Related CRI profile controls:

  • PR.AC-3.1

Compliance Manager control:

Intermediate level guidelines

After you implement the basic guidelines, implement the following data protection guidelines.

Item

Block public access to Cloud Storage buckets

Description

The storage.publicAccessPrevention boolean constraint prevents storage buckets from being accessed from public sources without authentication. It disables and blocks access control lists (ACLs) and Identity and Access Management (IAM) permissions that grant access to allUsers and allAuthenticatedUsers. This constraint acts as an organization-wide safety net that actively blocks any setting that would make a bucket publicly accessible.

Related information
Item ID MVSP-CO-1-43
Mapping

Related NIST-800-53 controls:

  • AC-3
  • AC-17
  • AC-20

Related CRI profile controls:

  • PR.AC-3.1
  • PR.AC-3.2
  • PR.AC-4.1
  • PR.AC-4.2
  • PR.AC-4.3
  • PR.AC-6.1
  • PR.PT-3.1
  • PR.PT-4.1

Compliance Manager control:

Item

Review BigQuery dataset access

Description

Ensure that BigQuery doesn't have datasets that are open to public access unless the datasets are intended to be public. Datasets in BigQuery often contain sensitive data.

Reviewing dataset access helps you ensure that you don't accidentally or unintentionally expose data to the internet.
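The reviews described here and in the Cloud Storage items above can be scripted. The following is an added example, not code from the Google Cloud documentation: it evaluates constructed bucket and dataset metadata shaped like the Cloud Storage and BigQuery JSON API resources (the bucket's `iamConfiguration` fields and IAM policy bindings, the dataset's `access` array) and flags ACL use, unenforced public-access prevention, and grants to allUsers or allAuthenticatedUsers; the bucket, dataset and project names are constructed.

```python
# Added audit helper over metadata in the shape the Cloud Storage and BigQuery
# JSON APIs return (bucket resource + IAM policy, dataset resource); inputs are constructed.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def audit_bucket(bucket, iam_policy):
    """Flag ACL use, unenforced public-access prevention and public IAM bindings."""
    name, findings = bucket["name"], []
    cfg = bucket.get("iamConfiguration", {})
    if not cfg.get("uniformBucketLevelAccess", {}).get("enabled", False):
        findings.append(f"{name}: uniform bucket-level access disabled (ACLs in use)")
    # "inherited" means the bucket itself does not enforce it; the
    # storage.publicAccessPrevention org policy may still, so confirm that too.
    if cfg.get("publicAccessPrevention") != "enforced":
        findings.append(f"{name}: publicAccessPrevention not enforced on bucket")
    for binding in iam_policy.get("bindings", []):
        public = PUBLIC_PRINCIPALS & set(binding.get("members", []))
        if public:
            findings.append(f"{name}: {binding['role']} granted to {','.join(sorted(public))}")
    return findings


def audit_dataset(dataset):
    """Flag BigQuery dataset access entries granted to public principals."""
    ref = dataset["datasetReference"]
    name, findings = f"{ref['projectId']}:{ref['datasetId']}", []
    for entry in dataset.get("access", []):
        # Legacy entries carry specialGroup; IAM-style entries carry iamMember.
        principal = entry.get("specialGroup") or entry.get("iamMember")
        if principal in PUBLIC_PRINCIPALS:
            findings.append(f"{name}: {entry['role']} granted to {principal}")
    return findings


# Constructed inventory: one compliant bucket, one exposed bucket, one dataset
# readable by any authenticated Google account.
SAMPLE_BUCKETS = [
    ({"name": "logs-archive", "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": True},
                                                   "publicAccessPrevention": "enforced"}},
     {"bindings": [{"role": "roles/storage.objectViewer", "members": ["group:sec-ops@example.com"]}]}),
    ({"name": "marketing-assets", "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": False},
                                                       "publicAccessPrevention": "inherited"}},
     {"bindings": [{"role": "roles/storage.objectViewer", "members": ["allUsers"]}]}),
]
SAMPLE_DATASETS = [{"datasetReference": {"projectId": "example-prj", "datasetId": "analytics"},
                    "access": [{"role": "OWNER", "specialGroup": "projectOwners"},
                               {"role": "READER", "specialGroup": "allAuthenticatedUsers"}]}]


def run_audit(buckets=SAMPLE_BUCKETS, datasets=SAMPLE_DATASETS):
    """Return every finding across the inventory; an empty list means clean."""
    findings = [f for b, p in buckets for f in audit_bucket(b, p)]
    return findings + [f for d in datasets for f in audit_dataset(d)]
```

In a real environment the same functions can be fed the output of the buckets.get, buckets.getIamPolicy and datasets.get API calls, and a non-empty result is the list of items to remediate or to confirm are intentionally public.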

Related information
Item ID MVSP-CO-1.46
Mapping

Related NIST-800-53 controls:

  • AC-3

Related CRI profile controls:

  • PR.AC-3.1

Compliance Manager control:

Advanced level guidelines

After you implement the intermediate guidelines, implement the following data protection guidelines.

Item

Create a managed encryption strategy

Description

Create an encryption management strategy using Cloud Key Management Service (Cloud KMS) with Autokey, Cloud External Key Manager (Cloud EKM), or both. This strategy lets your organization use and manage its own encryption keys to meet your specific requirements. Using your own encryption keys provides granular, auditable control over data access, including the ability to immediately block access to data by disabling the key.

Related information
Item ID MVSP-CO-1.44
Mapping

Related NIST-800-53 controls:

  • SC-12

Related CRI profile controls:

  • PR.DS-1.1

What's next