Shared security responsibilities

Security for Cloud Workstations is a shared responsibility between Google and you, the customer. Google manages the security of the infrastructure for Cloud Workstations, and provides tools and controls to help you secure your workloads in the cloud.

This document details the key security responsibilities for Google and for you within this shared model.

Google's responsibilities

Our responsibilities include:

  • Protect the infrastructure. Google is responsible for providing secure infrastructure for its services, including physical security of data centers, network security, and application security. This includes compliance with applicable industry standards and regulations.

  • Harden and patch default images.

    • Google hardens and maintains the operating system of container images used by the Cloud Workstations preconfigured images. This includes applying security patches and updates from upstream open source maintainers.
    • Google automatically hardens, patches, and updates the operating system of the virtual machines that run underneath Cloud Workstations containers. These virtual machines run Container-Optimized OS.
  • Maintain platform security. Google is responsible for maintaining the security of the Cloud Workstations platform. This responsibility includes managing platform-level access controls, monitoring for security incidents, and responding to security events. Google also provides tools and controls for you to manage your specific security settings and configurations.

  • Maintain compliance. Google maintains compliance with relevant data protection laws and regulations.

  • Provide security integrations.

    • Google provides integrations for Identity and Access Management (IAM), Cloud Audit Logs, Google Cloud Observability, Cloud Key Management Service, Security Command Center, and others.
    • Google restricts and logs its own administrative access to customer clusters for contractual support purposes, using Access Transparency and Access Approval.

Your responsibilities

Your responsibilities as a customer include:

  • Comply with applicable laws and regulations for your use cases. You are responsible for understanding the security and regulatory requirements specific to your business and ensuring your use of Cloud Workstations meets them.

  • Select appropriate workstation images. Cloud Workstations offers preconfigured images for various use cases. You are responsible for verifying that all software in your chosen image, beyond the base OS and editor, meets your security and regulatory requirements.

    For more information, see Customize container images.

  • Use the latest versions of Cloud Workstations base images. Cloud Workstations provides prebuilt container images to simplify the use of its services. Google creates new versions of the base images to address identified security vulnerabilities. You are responsible for ensuring your workstation configurations use the latest image version, either by updating your configuration to pull the latest version automatically or by manually upgrading.

    For more information, see Automate container image rebuilds.

  • Manage access controls. You are responsible for managing access controls to your own data, services, and workstation instances. This includes managing user access, authentication, and authorization controls, and securing your own applications and data.

    You are also responsible for managing access controls to the resources stored in your projects that are used to back workstation instances, such as Compute Engine instances and Persistent Disks.

    For more information about user-managed resources, see the Cloud Workstations architecture.

  • Secure applications and source code. You are responsible for securing your own applications and source code accessed on the Cloud Workstations platform, including implementing secure coding practices and regularly testing for vulnerabilities.

    For more information, see Set up security best practices, Encrypt workstation resources using CMEK, and Configure VPC Service Controls and private clusters.

  • Monitor for security incidents. You are responsible for monitoring your own applications for security incidents, and reporting any incidents to Google as necessary.

    For more information, see Cloud Workstations resource monitoring and Cloud Workstations audit logging.
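The "Use the latest versions of Cloud Workstations base images" item above leaves it to you to know which of your workstation configurations pick up new image versions automatically and which are frozen to an old one. The following script is an added example, not code from Google or the Cloud Workstations product: it parses each configuration's container image reference and reports whether the image tracks `latest`, is pinned to a tag, or is pinned to a digest, and what that implies for patching. It assumes the WorkstationConfig JSON shape (`name` and `container.image`) that `gcloud workstations configs describe --format=json` returns, and the sample records are constructed, not captured from a real project.

```python
"""Audit Cloud Workstations configs for how their container images update.

Added illustration, not Google's code. Assumes the WorkstationConfig JSON shape
(`container.image`); the sample records below are constructed, not captured.
"""
from dataclasses import dataclass
from typing import Optional

# Registry path of the Google-maintained preconfigured images.
PREDEFINED_PREFIX = "us-central1-docker.pkg.dev/cloud-workstations-images/predefined/"

# Constructed sample records (shape assumed from the WorkstationConfig API).
SAMPLE_CONFIGS = [
    {"name": "wsc-code-oss-latest",
     "container": {"image": PREDEFINED_PREFIX + "code-oss:latest"}},
    {"name": "wsc-code-oss-pinned",
     "container": {"image": PREDEFINED_PREFIX + "code-oss@sha256:" + "0123456789abcdef" * 4}},
    {"name": "wsc-custom-tagged",
     "container": {"image": "us-central1-docker.pkg.dev/example-project/ws/dev:v3"}},
    {"name": "wsc-custom-private-registry",
     "container": {"image": "registry.example.com:5000/team/ws"}},
]


@dataclass
class ImageRef:
    name: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split an OCI image reference into name, tag and digest.

    A colon only introduces a tag if it appears after the last slash, so a
    registry port such as `host:5000/repo` is not mistaken for a tag.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    last_slash = ref.rfind("/")
    last_colon = ref.rfind(":")
    if last_colon > last_slash:
        tag = ref[last_colon + 1:]
        ref = ref[:last_colon]
    return ImageRef(name=ref, tag=tag, digest=digest)


def update_posture(image: str) -> str:
    """Classify how an image reference picks up new base-image versions."""
    ref = parse_image_ref(image)
    if ref.digest is not None:
        return "pinned-digest"   # frozen: never receives a patched version
    if ref.tag is None or ref.tag == "latest":
        return "tracks-latest"   # no tag means `latest`; newest version on each pull
    return "pinned-tag"          # frozen to one version tag


def audit_configs(configs):
    """Return one finding per config: its update posture and the implied action."""
    findings = []
    for cfg in configs:
        image = cfg.get("container", {}).get("image")
        if not image:
            continue  # no explicit image in this config; nothing to classify
        posture = update_posture(image)
        predefined = parse_image_ref(image).name.startswith(PREDEFINED_PREFIX)
        if posture == "tracks-latest":
            action = "none: new base-image versions are picked up automatically"
        elif predefined:
            action = "update the tag or digest to the current predefined image version"
        else:
            action = "rebuild the custom image on the current base and update the config"
        findings.append({"config": cfg["name"], "image": image, "posture": posture,
                         "predefined": predefined, "action": action})
    return findings


if __name__ == "__main__":
    for finding in audit_configs(SAMPLE_CONFIGS):
        print(f"{finding['config']}: {finding['posture']} -> {finding['action']}")
```

Pinning by digest is the right choice when you need reproducible builds, but it also means the configuration stops receiving the security patches Google ships in new base-image versions, so every `pinned-digest` or `pinned-tag` finding should map to a scheduled upgrade or an automated rebuild rather than be left as-is.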

What's next