Enterprise ready Security

Encryption at rest
Encryption at rest by default, with various key management options

Data stored in Google Cloud Platform is encrypted at the storage level using either AES256 or AES128. Google uses several layers of encryption to protect customer data at rest in Google Cloud Platform products, encrypting customer content stored at rest, without any action required from the customer, using one or more encryption mechanisms. The data stored is split into chunks, and each chunk is encrypted with a unique data encryption key. These data encryption keys are stored with the data, encrypted with key encryption, keys that are exclusively stored and used inside Google’s central Key Management Service, which is redundant and globally distributed.

Google uses a common cryptographic library, Keyczar, to implement encryption consistently across almost all Google Cloud Platform products. Because this common library is widely accessible, only a small team of cryptographers needs to properly implement and maintain this tightly controlled and reviewed code.
https://cloud.google.com/security/encryption-at-rest/

Secure Internet Communication
In this section we turn to describing how we secure communication between the internet and these services. Google infrastructure consists of a large set of physical machines which are interconnected over the LAN and WAN and the security of inter-service communication is not dependent on the security of the network.

However, Google do isolate its infrastructure from the internet into a private IP space so that we can more easily implement additional protections such as defenses against denial of service (DoS) attacks by only exposing a subset of the machines directly to external internet traffic.

Google Front End Service
When a service wants to make itself available on the Internet, it can register itself with an infrastructure service called the Google Front End (GFE). The GFE ensures that all TLS connections are terminated using correct certificates and following best practices such as supporting perfect forward secrecy. The GFE additionally applies protections against Denial of Service attacks (which we will discuss in more detail later). The GFE then forwards requests for the service using the RPC security protocol discussed previously.

Denial of Service (DoS) Protection
The sheer scale of our infrastructure enables Google to simply absorb many DoS attacks. That said, we have multi-tier, multi-layer DoS protections that further reduce the risk of any DoS impact on a service running behind a GFE.

After GCP backbone delivers an external connection to one of our data centers, it passes through several layers of hardware and software load-balancing. These load balancers report information about incoming traffic to a central DoS service running on the infrastructure. When the central DoS service detects that a DoS attack is taking place, it can configure the load balancers to drop or throttle traffic associated with the attack.
https://cloud.google.com/security/security-design/

Securing data in transit
Data is vulnerable to unauthorized access as it travels across the Internet or within networks. For this reason, securing data in transit is a high priority for Google. The Google Front End (GFE) servers mentioned previously support strong encryption protocols such as TLS to secure the connections between customer devices and Google’s web services and APIs. Cloud customers can take advantage of this encryption for their services running on Google Cloud Platform by using the Google Cloud Load Balancer. The Cloud Platform also offers customers additional transport encryption options, including Google Cloud VPN for establishing IPSec virtual private networks.