Cloud Storage - Security
- Cloud Storage - IAM and ACL
Members can be granted access to Cloud Storage at the organization, folder, project, or bucket levels
- Cloud Storage - Auditing data
- Cloud Storage - Signed URLs and Policy documents
- Cloud Storage - Encrypting with CMEK and CSEK
(Google managed encryption key) On data storage request:
- Data is broken into chunks.
- Chunk data is encrypted with a DEK (Data Encryption Key).
- DEKs are encrypted (wrapped) by a Key Encryption Key (KEK).
- The wrapped key is stored along with the encrypted chunk data. Encrypted chunk data and wrapped keys are distributed across Google's storage infrastructure.
- KEKs are managed by Keystore (a repository built specifically for storing keys).
On data retrieval request:
- Wrapped DEKs are sent to the Keystore to get the unencrypted DEKs.
- The unencrypted DEK is used to decrypt the data.
- How is data aligned together? Does data have links to the previous and next dataset?
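The store and retrieve steps listed above, as an added Ruby example (not from the original diagram and not Google's implementation). The `Keystore` class, AES-256-GCM, the 16-byte chunk size, one fresh DEK per chunk and the record layout are assumptions chosen for illustration.

```ruby
require 'openssl'

# AES-256-GCM helpers. A sealed blob is laid out as iv (12) || tag (16) || ciphertext.
def seal(key, plaintext)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  iv = c.random_iv
  c.auth_data = ''
  ct = c.update(plaintext) + c.final
  iv + c.auth_tag + ct
end

def unseal(key, blob)
  c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  c.key = key
  c.iv = blob[0, 12]
  c.auth_tag = blob[12, 16]
  c.auth_data = ''
  c.update(blob[28..-1]) + c.final # raises CipherError on wrong key or tampering
end

# Hypothetical stand-in for the keystore: the KEK never leaves this object.
class Keystore
  def initialize
    @kek = OpenSSL::Random.random_bytes(32)
  end

  def wrap(dek)
    seal(@kek, dek)
  end

  def unwrap(wrapped)
    unseal(@kek, wrapped)
  end
end

# Store: split into chunks, encrypt each chunk under a fresh DEK (assumption),
# wrap the DEK with the KEK, keep the wrapped DEK next to the ciphertext.
def store(data, keystore, chunk_size = 16)
  (0...data.bytesize).step(chunk_size).map do |i|
    dek = OpenSSL::Random.random_bytes(32)
    { data: seal(dek, data.byteslice(i, chunk_size)), wrapped_dek: keystore.wrap(dek) }
  end
end

# Retrieve: unwrap each DEK via the keystore, then decrypt its chunk.
def retrieve(records, keystore)
  records.map { |r| unseal(keystore.unwrap(r[:wrapped_dek]), r[:data]) }.join
end
```

Calling `retrieve(store(data, ks), ks)` with one `Keystore` instance round-trips the data; a record whose ciphertext or wrapped DEK has been altered, or a different keystore, raises `OpenSSL::Cipher::CipherError`.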
CSEK => Customer Supplied Encryption Keys
Google doesn't store it. The customer is responsible for key management and rotation.
- HSM
Hardware Security Module
- Physical device that manages keys.
- Keys are used to encrypt and decrypt data with secure microprocessing chips.
- Big Query IAM roles and Authorized views