Infrastructure Security and Availability
Hardening
The service is deployed in a microservices architecture orchestrated by Kubernetes. Containers are deployed from hardened images and are patched regularly.
Intrusion Detection
The service network environment is protected against DDoS attacks and other web attacks using Google Cloud Armor, which also provides WAF protection. Cloud Armor is also configured with rules that mitigate OWASP Top 10 risks, preventing amongst others, cross site scripting, sql injection and remote code execution.
Scanning
We implement a comprehensive CNAPP approach that includes multiple scans of code, infrastructure, and networks, leveraging internal Google commercial scanning tools.
A CSPM tool is used for ongoing monitoring and enhancing of the service security posture.
Monitoring and Alerts
Critical infrastructure components and services produce detailed logs which are monitored 24x7. Alerts are generated and addressed based on event criticality by on-call personnel. Tier-3 support available on shift to handle escalated situations.
In addition, Google Security Operations runs services that constantly monitor solution components such as services, disk space availability and web services availability. In the case of failure, notification is automatically sent to on-call personnel who can restore service according to SLA terms.
Backup and Restore
Customers' data is stored in the Google Security Operations service database, which is deployed in a multi-zone architecture. The DB undergoes continuous backup and a daily full backup snapshot.