Google Cloud Platform (GCP) for Sensitive and Restricted Data

Google Cloud Platform (GCP) is one of two Cloud Platforms approved for use with Sensitive or Restricted Data (the other being Amazon Web Services (AWS).)

Google Cloud Platform (GCP) is permitted for Restricted & Sensitive data, with a risk assessment of the individual use case by Cybersecurity, and the implementation of the controls and processes identified in the risk assessment (see below for detail).    Please see Cloud Platform Eligibility for Sensitive and Restricted Data for important information regarding the campus approach to security in the public cloud.

(See for eligibility & access to the preferred provider article)

The account owner still maintains the responsibility to achieve & maintain the appropriate security controls per campus policy.   The cloud team can advise and consult on best practices.

  • When requesting an account, the account owner should indicate that they are using Sensitive or Restricted data, to be provided an account with additional security in place (a "high-risk" account).
  • The campus GCP IaaS Platform has been assessed by the Cybersecurity Risk Management Framework, to inform roles and responsibilities in the Shared Responsibility Model.   

  • This assessment focused on the platform level and the controls and security posture shared among all high-risk accounts, as well as evaluation of UW contracts with Google

  • A Cybersecurity Cloud Assessment for Restricted Data is necessary to ensure the security of the data, as well as the customers' planned application and architecture within their individual account.    This assessment should be straightforward for typical projects, but the time required for this assessment will vary based on data risk and desired architecture. The public cloud team can advise and consult on your planned service use and architecture.

  • University of Wisconsin has a Business Associates Agreement (BAA) that governs & protects the vendor's limits regarding access and use of your data (if you use a UW account).   This agreement is focused on HIPAA data.

  • GCP provides physical security of the data center (often referred to as "security OF the cloud") in the Shared Responsibility Model

  • Use of UW Single Sign on provides Multi Factor Authentication (MFA) & meets authentication best practices.

  • Security Command Center Premium provides ongoing monitoring and actionable alerts to the UW Cybersecurity Operations Team (CSOC). The CSOC will escalate any issues they detect for the security contact provided in the account request.

  • The UW-Madison Google Cloud Platform high-risk accounts utilize the RHEDCloud Framework to develop some resources in collaboration with Google, UW Public Cloud team and UW Cybersecurity.  

  • UW GCP High Risk accounts also have some additional security "guardrails" in for high-risk accounts (see Organizational Policies for GCP High Risk data accounts that may require you to work with the public cloud team for some implementation steps, where you would normally have full control in a non-high-risk account. The public cloud team can consult with you on these best practices.
  • Use of services that are considered HIPAA eligible by Google is also highly recommended, and knowledge of the best practices documented therein will help with this process.     More general security documentation & additional white-papers are also available.

Keywordsgoogle gcp data elements classification restricted sensitive internal public security baa   Doc ID115296
OwnerMike V.GroupPublic Cloud
Created2021-12-17 10:28:29Updated2023-12-26 10:14:02
SitesPublic Cloud
Feedback  0   0