Google Cloud

From LIMSWiki
Jump to navigationJump to search
Google Cloud
Industry Cloud computing, Web services
Founder(s) Sergey Brin, Larry Page
Headquarters Mountain View, California, United States
Area served Worldwide
Key people Thomas Kurian (CEO)
Products IaaS, PaaS, DBaaS, DaaS
Revenue $3.83 billion (2020, Q4)[1]
Parent Google

Google Cloud is a Google-driven suite of public, private, hybrid, and multicloud computing services that runs on the same infrastructure that Google uses internally for its end-user products.[2] Google Cloud boasts data centers in 25 regions, 76 zones, and 144 network edge locations.[3] More than 100 different products and services are associated with Google Cloud, representing elastic computing, networking, content delivery, data storage, database management, security management, enterprise management, data analysis, media management, container management, developer support, scientific computing, internet of things, and artificial intelligence.[4]

Provider research

This section uses public information to provide some answers to the 18 questions posed in Chapter 6 of the wiki-based guide Choosing and Implementing a Cloud-based Service for Your Laboratory. In some cases, public information could not be found, and a recommendation to further discuss the question with the cloud service provider (CSP) is made.

1. What experience do you have working with laboratory customers in our specific industry?

Examples of labs that have worked with Google Cloud at some point include the Department of Energy's National Labs[5], Hologic[6], IDEXX Laboratories[7], Spectra Laboratories[8], and Washington Laboratories.[9] It's also worth noting that some laboratory information management system (LIMS) developers have offered their solution on Google Cloud over the years, including GoMeyra Corporation[10], Online LIMS Canada Limited[11], and Persistent Systems Ltd.[12] A Google Cloud representative is likely to be able to supply more examples of laboratories and laboratory informatics developers that use or have used Google Cloud.

2. Can your solution readily integrate with our other systems and business processes, making it easier for our end users to perform their tasks?

It will ultimately be up to your organization to get an answer tailored to your systems and business processes. However, this much can be said about Google Cloud integrations. Google provides documentation about how to integrate your applications with its backend and frontend, including its APIs. Additionally, Google Cloud discusses at length the concept of data integration, including its Cloud Data Fusion (CDF) offering for hybrid and multicloud integration. The CDF library of connectors and transformations, along with its "end-to-end data lineage, integration metadata, and cloud-native security and data protection services," helps customers keep data integrated no matter its location.[13]

3. What is the average total historical downtime for the service(s) we're interested in?

Some public information is made available about historic outages and downtime. Google Cloud has a systems status page with status history (you have to click on the "View Summary and History" link at the bottom). You should be able to read through the incident details for each issue, going back through a fair amount of history. This will give you a partial picture of the issues experienced in the past, as well as any scheduled maintenance and currently impacted services. A follow-up on this question with a Google Cloud representative may reveal more historical downtime history for the services you are interested in.

4. Do we receive comprehensive downtime support in the case of downtime?

Google Cloud does not make this answer clear. However, the answer is likely tied to what after-sales support plan you choose. Confirm with Google Cloud what downtime support they provide based on the services your organization are interested in.

5. Where are your servers located, and how is data securely transferred to and from those servers?

Google Cloud has 25 regions it operates in[3], with each region having at least three zones[14], with more three-zone regions planned.[3] Google Cloud uses its content delivery network Cloud CDN, which "brings consistently great web and video experiences to users anywhere, provides privacy and data security, and activates with a single click for Cloud Load Balancing users."[15] When moving data to and from on-premises and Google Cloud systems, multiple transfer options exist, including normal online transfer, a full-scale transfer service, transfer appliances, and schedules SaaS data transfers.[16] Data in motion is encrypted following a strict company policy. As for data localization and residency requirements, Google Cloud gives customers many controls, including organization policies, Cloud IAM configurations, and VPC service controls.

6. Who will have access to our data (including subcontractors), and what credentials, certifications, and compliance training do they have?

In its security whitepaper, Google states the following[17]:

Google data center physical security features a layered security model, including safeguards like custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors, and biometrics, and the data center floor features laser beam intrusion detection. Our data centers are monitored 24/7 by high-resolution interior and exterior cameras that can detect and track intruders. Access logs, activity records, and camera footage are available in case an incident occurs. Data centers are also routinely patrolled by experienced security guards who have undergone rigorous background checks and training. As you get closer to the data center floor, security measures also increase. Access to the data center floor is only possible via a security corridor which implements multi-factor access control using security badges and biometrics. Only approved employees with specific roles may enter. Less than one percent of Googlers will ever set foot in one of our data centers.

For information about specific certifications and compliance training, discuss this with a Google Cloud representative.

7. Will our sensitive and regulated data be stored on a machine dedicated to complying with the necessary regulations?

Not all Google Cloud machines have the same controls on them; it will depend on the region, product, and compliance requirements of your lab. That said, verify with a representative that the machine your data will land on meets all the necessary regulations affecting your data.

8. How segregated is our cloud data from another customer's, i.e., will lapses of security of another customer's cloud affect our cloud? (It typically won't, but asking the question will hopefully prompt the provider to better explain how your data is segregated.)

Unlike other cloud providers, it's not entirely clear what Google Cloud's stance is on physical separation. The only information to be found was a sentence in their security whitepaper[17]: "To keep data private and secure, Google logically isolates each customer's data from that of other customers and users, even when it's stored on the same physical server." Presumably the type of data you have will determine which servers you should use, based upon those servers compliance ratings. You'll have to have a discussion with a Google Cloud representative to learn more about their position on physical separation of data.

Tenant isolation is addressed by Google Cloud under the scope of Kubernetes both here and here. However, like many aspects of security, configuration and best practices are a shared responsibility. Additional details about multi-tenancy and related security on Google Cloud can be found under the "Secure Service Deployment" section of their Google Infrastructure Security Design Overview document. Consult with a representative to learn more.

9. Do you have documented data security policies?

Google Cloud documents its security practices in several places:

Some security-related documents may not be publicly available, requiring direct discussion with a Google Cloud representative to obtain them.

10. How do you test your platform's security?

Google Cloud has information scattered around in its documentation. Most notable is this passage from its security whitepaper[17]:

Google administrates a vulnerability management process that actively scans for security threats using a combination of commercially available and purpose-built in-house tools, intensive automated and manual penetration efforts, quality assurance processes, software security reviews and external audits. The vulnerability management team is responsible for tracking and following up on vulnerabilities. Once a vulnerability requiring remediation has been identified, it is logged, prioritized according to severity, and assigned an owner. The vulnerability management team tracks such issues and follows up frequently until they can verify that the issues have been remediated.

The company also mentions that they "conduct Red Team exercises to measure and improve the effectiveness of our detection and response mechanisms."[18]

There are other pieces of information related to non-Google Cloud personnel testing the platform. Under its Data Processing and Security Terms, customers have some audit rights, though there are limited to those affected by GDPR or Model Contract Clauses. Otherwise, the customer must rely on third-party audit results.[19]

11. What are your policies for security audits, intrusion detection, and intrusion reporting?

Audits: Google Cloud has this to say about security audits:

  • "We vet component vendors we work with and choose components with care, while working with vendors to audit and validate the security properties provided by the components."[18]
  • "Google has a dedicated internal audit team that reviews compliance with security laws and regulations around the world. As new auditing standards are created, the internal audit team determines what controls, processes, and systems are needed to meet them. This team facilitates and supports independent audits and assessments by third parties."[17]
  • "Googler access is monitored and audited by our dedicated security, privacy, and internal audit teams, and we provide audit logs to customers through Access Transparency for GCP."[17]

Intrusion detection and reporting: Google Cloud provides Security Command Center to its customers for intrusion detection and reporting.[20] As for its own intrusion detection, Google Cloud discusses this in its Google Infrastructure Security Design Overview document[18]:

Google has sophisticated data processing pipelines which integrate host-based signals on individual devices, network-based signals from various monitoring points in the infrastructure, and signals from infrastructure services. Rules and machine intelligence built on top of these pipelines give operational security engineers warnings of possible incidents. Our investigation and incident response teams triage, investigate, and respond to these potential incidents 24 hours a day, 365 days a year.

12. What data logging information is kept and acted upon in relation to our data?

Google Cloud mentions data logging in several places:

  • Google employee access to end user information[17]
  • speech-to-text information and various other types of information (if opted in to data logging program)[21]

However, it's not clear what other data logging they may conduct and act upon related to your data. Talk to a representative to determine this.

13. How thorough are those logs and can we audit them on-demand?

Google Cloud users can view their own logs through tools like Google's Cloud Logging service and its Cloud Audit Logs. However, unlike Alibaba, it's unclear if you are able to audit internal Google Cloud operation logs on-demand. This is a conversation to have with a Google Cloud representative.

14. For HIPAA-eligible data (e-PHI) we may have, will you sign a business associate agreement?

Yes, AWS will sign a business associate agreement.[22] Consult their HIPAA compliance page for more details on their approach to HIPAA compliance.

15. What happens to our data should the contract expire or be terminated?

Google Cloud makes several statements about customer data in its platform terms:

  • "If the Agreement is terminated, then (a) all rights and access to the Services will terminate (including access to Customer Data, if applicable), unless otherwise described in this Agreement ..."[23]
  • "On expiry of the Term, Customer instructs Google to delete all Customer Data (including existing copies) from Google’s systems in accordance with applicable law. Google will, after a recovery period of up to 30 days following such expiry, comply with this instruction as soon as reasonably practicable and within a maximum period of 180 days, unless European or National Law requires storage. Without prejudice to Section 9.1 (Access; Rectification; Restricted Processing; Portability), Customer is responsible for exporting, before the Term expires, any Customer Data it wishes to retain."[19]

16. What happens to our data should you go out of business or suffer a catastrophic event?

It's not publicly clear how Google Cloud would handle your data should they go out of business, nor do they mention much about catastrophic loss on their site. Google Cloud discusses disaster recovery and data loss in its Cloud Architecture Center. The company states in their platform terms, however, that "neither party will be liable for failure or delay in performance to the extent caused by circumstances beyond its reasonable control, including acts of God, natural disasters, terrorism, riots, or war."[23] Like other cloud providers, Google Cloud uses three-zone regions for redundancy: "Putting resources in different zones in a region reduces the risk of an infrastructure outage affecting all resources simultaneously. Putting resources in different regions provides an even higher degree of failure independence. This lets you design robust systems with resources spread across different failure domains."[24] It's highly unlikely that all three zones would be affected in an catastrophic event. However, if this is a concern, discuss further data redundancy with a Google Cloud representative.

17. Can we use your interface to extract our data when we want, and in what format will it be?

Google Cloud advertises their Cloud Storage Transfer Service as "a software service that enables you to transfer large amounts of data from your data center to a Cloud Storage bucket."[25] They also provide guidance on extracting data out of its multi-cloud data warehouse BigQuery. Google Cloud has also published a Transparency Declaration that maps their processes to the voluntary SWIPO (Switching Cloud Providers and Porting Data) codes of conduct.[26] Read more about this on their SWIPO page.

18. Are your support services native or outsourced/offshored?

It is unclear if support personnel are local to the customer or if support is outsourced to another business and country. Discuss this with a Google Cloud representative.

Managed security services

Google discontinued its managed services offerings in the United States in 2019.[27]

Additional information

Documentation and other media

External links


  1. Gagliordi, N. (2 February 2021). "Alphabet beats Q4 estimates, Google Cloud revenue climbs". ZDNet. Retrieved 25 April 2021. 
  2. "Why Google Cloud". Google. Retrieved 25 April 2021. 
  3. 3.0 3.1 3.2 "Cloud locations". Google Cloud. Retrieved 25 April 2021. 
  4. "Google Cloud Products". Google. Retrieved 25 April 2021. 
  5. Nyczepir, D. (15 October 2020). "DOE research facilities move to Google Cloud". FedScoop. Retrieved 15 April 2021. 
  6. Ford, O. (2 February 2021). "Hologic is Reaching for the (Google) Cloud with New Collaboration". Medical Device and Diagnostic Industry. Retrieved 15 April 2021. 
  7. "IDEXX Laboratories: Using big data to be the top dog in animal diagnostics". Google Cloud. Retrieved 15 April 2021. 
  8. "Spectra Laboratories". ZoomInfo. Retrieved 15 April 2021. 
  9. "Washington Laboratories". ZoomInfo. Retrieved 15 April 2021. 
  10. "GoMeyra Policies". GoMeyra Corporation. Retrieved 15 April 2021. 
  11. "Online LIMS Canada". ZoomInfo. Retrieved 15 April 2021. 
  12. "Accelerating your journey to the cloud with Google Cloud Platform". Persistent Systems Ltd. Retrieved 15 April 2021. 
  13. "Cloud Data Fusion". Google Cloud. Retrieved 15 April 2021. 
  14. "Regions and zones". Compute Engine Documentation. Google Cloud. Retrieved 15 April 2021. 
  15. "Cloud CDN". Google Cloud. Retrieved 15 April 2021. 
  16. "Cloud Data Transfer". Google Cloud. Retrieved 15 April 2021. 
  17. 17.0 17.1 17.2 17.3 17.4 17.5 "Google security whitepaper". Google Cloud. January 2019. Retrieved 15 April 2021. 
  18. 18.0 18.1 18.2 "Google Infrastructure Security Design Overview" (PDF). Google Cloud. January 2017. Retrieved 16 April 2021. 
  19. 19.0 19.1 "Data Processing and Security Terms (Customers)". Google Cloud. 19 August 2021. Retrieved 16 April 2021. 
  20. "Security Command Center". Google Cloud. Retrieved 16 April 2021. 
  21. "Data logging". Cloud Speech-to-Text. Google Cloud. Retrieved 16 April 2021. 
  22. "HIPAA Compliance on Google Cloud Platform". Google Cloud. Retrieved 16 April 2021. 
  23. 23.0 23.1 "Google Cloud Platform Terms of Service". Google Cloud. 1 April 2021. Retrieved 16 April 2021. 
  24. "Regions and zones". Compute Engine Documentation. Google Cloud. Retrieved 16 April 2021. 
  25. "Transfer service for on-premises data overview". Google Cloud. Retrieved 16 April 2021. 
  26. "SWIPO Data Portability Code of Conduct". Google Cloud. Retrieved 16 April 2021. 
  27. Weissbrot, A. (26 November 2019). "Google Exits Managed Services, Welcome News For Its Key Agency Partners". Ad Exchanger. Retrieved 27 May 2021.