GCP Study Hub

Security

Security Command Center

Centralized security and risk dashboard for GCP

AWS equivalent

AWS Security Hub + GuardDuty

Security, CSPM, Threat Detection

Architecture Diagram

GCP Security — Defense in Depth Model

  • Your App: Code, secrets, access control

  • Data Encryption: At-rest, in-transit, CMEK, Cloud KMS

  • IAM & Identity: Roles, service accounts, Workload Identity

  • Infrastructure: Hypervisor, managed services patching

  • Network Security: Private backbone, DDoS, Cloud Armor

  • Physical Security: Data centers, hardware, Titan chip

Google secures: All layers up to & including managed service internals.
You control: IAM, data classification, network config, application security.

AWS → GCP: Key Differences

  • Security Command Center ≈ AWS Security Hub + GuardDuty.

  • Premium tier adds: Event Threat Detection (similar to GuardDuty), Container Threat Detection.

  • Built-in integration with all GCP services — no agents to deploy for most findings.

Key Concepts to Know

  1. Security Health Analytics: scans GCP configuration for misconfigurations (open firewall rules, public buckets).

  2. Event Threat Detection: detects threats in Cloud Logging — cryptomining, data exfiltration, brute force.

  3. Web Security Scanner: scans App Engine, Compute Engine, GKE for web vulnerabilities.

  4. Findings: security issues surfaced with severity, asset, and remediation guidance.

DCE Interview Tips

  • 'Security Command Center gives your security team a single dashboard showing all misconfigurations, vulnerabilities, and active threats across your entire GCP environment.'

  • 'Instead of checking each service manually, SCC automatically flags if a Cloud Storage bucket is public or if someone is mining crypto in your environment.'

Common Gotchas

  • Standard tier is free but has limited findings. Premium tier has the most value but costs significantly more.

  • SCC is Organization-level — requires an Organization resource hierarchy.