Modify data residency or data encryption configuration

This document explains how to modify the data residency and data encryption configuration on the Standard and Premium tiers after you activate Security Command Center for your organization. This document describes how to do the following:

  • Enable or disable data residency and change the data location.
  • Change the data encryption configuration to use Google-managed encryption keys or Cloud Key Management Service keys.
  • Change the Cloud KMS key.

Limitations

The following limitations apply to this capability:

Before you begin

Before you change the configuration, complete the following:

  1. Plan for the change.
  2. Ensure you have the required roles.
  3. Create or locate the Cloud Key Management Service keys if you're changing the data location or keys.
  4. Prepare mute rules and export configurations if you're changing the data location.

Plan for the change

If you're migrating from the default global data location, read Planning for data residency to learn how Security Command Center supports data residency.

If you plan to change the data encryption from Google-managed encryption keys to a Cloud KMS key, read Enable CMEK for Security Command Center to learn about using customer-managed encryption keys (CMEKs) with Security Command Center.

Plan the configuration change during a time when you aren't performing bulk exports. If you started a bulk export, wait until after that process completes.

After you change the configuration, the data migration process can take between 4 hours and 24 hours, depending on the volume of findings. During this time, Security Command Center and enabled built-in detection services are temporarily paused:

  • Security Command Center doesn't generate or update findings. Findings sent to Security Command Center from integrated or third-party services aren't received.
  • Data exports from Security Command Center to other resources are paused.
  • Security Command Center pages in the console aren't accessible.
  • The following Security Command Center APIs are unavailable:

    • securitycenter.googleapis.com
    • securitycentermanagement.googleapis.com

    If an API method is called during migration, it returns a FAILED_PRECONDITION error with the message API access is temporarily unavailable due to an ongoing data migration.

When the migration is complete, Security Command Center and built-in services restart automatically.

If Security Command Center integrates with other products, expect these connections to be disrupted during the migration.

When you change the data residency configuration, specific fields are updated with the new location identifier (for example from global to us). This affects the following resources:

  • Findings: name and canonicalNames values.
  • Mute rules: name value in the MuteConfig.

Plan to update finding search queries, external systems, and scripts that depend on these field values.

Required roles

To get the permissions that you need to migrate Security Command Center data location or data encryption, ask your administrator to grant you the Security Center Admin (roles/securitycenter.admin) IAM role on your organization. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Create or locate the Cloud Key Management Service keys

Create a key project and Cloud Key Management Service keys if either of the following applies:

  • You plan to change the Cloud Key Management Service keys.

  • You plan to change the data residency configuration while using Cloud Key Management Service keys. In this case, you must select the Cloud Key Management Service keys again.

For more information, see Enable CMEK for Security Command Center.

Prepare mute rules and export configurations

If you plan to change the data location, update the following configurations that depend on field values with a location identifier:

  • Finding mute rules
  • Pub/Sub continuous exports

Change the field values to use the new location identifier (for example, from global to us).

Change the configuration and start the migration

You can use either the global and jurisdictional Google Cloud console to change the data residency or data encryption configuration. Keep the following in mind when choosing a console:

  • Selecting the CMEK key: The Cloud KMS key menu displays only keys that are in the same jurisdiction as the console. If you use the global console, the menu displays all keys.
  • Getting notifications: Google Cloud console notifications notifications appear for only the user who started the data residency migration and only in the same console used to configure the settings (either global or jurisdictional).

You can change the data residency configuration, the data encryption configuration, or both.

  1. In the Google Cloud console, go to the Settings > Setup details.

    Go to Setup details

  2. Select the organization where Security Command Center is activated.

  3. Click Manage data residency and encryption.

  4. Under Manage data residency, enable or disable data residency. If you enable data residency, select the Data location. If you don't change the existing selection, the data migration process doesn't change the location identifiers in finding and resource field values.

  5. Click Continue.

  6. Under Manage data encryption, select the Encryption configuration.

    • Select Google-managed encryption key or Cloud KMS key.
    • If you select Cloud KMS key, do the following:

      • Click Browse to select the project where the keys are stored.
      • Select the customer-managed key.

    If the organization uses Cloud KMS keys and you changed the data residency configuration, you must re-select the key project and Cloud Key Management Service key.

  7. Review the changes, and then click Start migration. Click Cancel to return and change the selections.

  8. In the Start data migration dialog, confirm by entering the organization ID, and then clicking Confirm data migration.

  9. The data migration status page appears, indicating that the migration is in progress.

    Security Command Center pages are not accessible while data migration is in progress. If you attempt to access Security Command Center during migration, you'll see the migration status page.

  10. When the migration is complete, the status page displays a link to open the console in the newly configured location.

Verify capabilities after the data migration

After the migration completes, ensure that Security Command Center, related services, and integrations work as expected.

  • Verify that Security Command Center is available and previously enabled services are enabled.

  • Review and verify that data export configurations specify the correct resources:

  • If you changed the data residency configuration, update the following:

    • Mute rules: update rules that depend on the finding name or canonicalName.

    • Update filters and finding queries that depend on finding name or canonicalName to specify the new location.

    • Verify that finding queries work as expected.

  • Verify that integrations with other Google Cloud services, such as Cloud Hub, Application Design Center, GKE security posture dashboard, or Google SecOps data ingestion are working as expected.

What's next