GCP Security – Google Cloud Platform security baseline – June 2026 – tested across United States, Canada, United Kingdom, Germany, France, Netherlands, Switzerland, Sweden, Australia, Singapore, Japan – CloudScope independent review.
Identity – Cloud IAM – GCP Console
Use Organization → Folder → Project hierarchy. Enforce least-privilege – IAM recommender reduced excess permissions 34% in test org. Enable Workload Identity Federation – no long-lived service account keys. Require 2-Step Verification / passkeys – organization-wide – via GCP Console → IAM & Admin.
Network security – VPC – Google Cloud
Default deny ingress – explicit allow firewall rules only – scope each allow to target tags / service accounts – never 0.0.0.0/0 to 22/3389. Enable VPC Flow Logs – Cloud Logging – 30-day retention minimum. Use Private Google Access – Private Service Connect – reduce public IPs. Tested: US, EU, APAC VPCs.
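Added example, not part of the CloudScope review or any Google tooling: a small audit over firewall-rule JSON in the shape `gcloud compute firewall-rules list --format=json` emits, flagging the open-SSH/RDP pattern above and recording whether the rule is at least scoped by tag or service account. Rule names and the sample project are constructed; 35.235.240.0/20 is the documented IAP TCP-forwarding source range.

```python
"""Flag VPC firewall rules that expose SSH/RDP to the internet.
Input shape follows `gcloud compute firewall-rules list --format=json`;
SAMPLE_RULES is constructed for illustration, not taken from a real project."""
import json

ADMIN_PORTS = {22, 3389}
OPEN_RANGES = {"0.0.0.0/0", "::/0"}

SAMPLE_RULES = json.loads("""[
 {"name": "default-allow-ssh", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "rdp-bastion", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["3300-3400"]}], "targetTags": ["bastion"]},
 {"name": "iap-ssh", "direction": "INGRESS", "sourceRanges": ["35.235.240.0/20"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}], "targetTags": ["ssh-via-iap"]},
 {"name": "web", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
 {"name": "old-open", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "all"}], "disabled": true}
]""")

def port_spec_hits(spec, wanted):
    """True if a gcloud port spec ("22" or "3300-3400") covers any wanted port."""
    lo, _, hi = spec.partition("-")
    return any(int(lo) <= p <= int(hi or lo) for p in wanted)


def audit_firewall_rules(rules):
    """One finding per enabled ingress rule admitting 22/3389 from any address;
    'scoped' records whether target tags/service accounts narrow the target set."""
    findings = []
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        if not OPEN_RANGES & set(rule.get("sourceRanges", [])):
            continue
        for allow in rule.get("allowed", []):
            ports = allow.get("ports")  # absent => every port of that protocol
            if allow.get("IPProtocol", "").lower() in ("tcp", "all") and (
                ports is None or any(port_spec_hits(p, ADMIN_PORTS) for p in ports)):
                scoped = bool(rule.get("targetTags") or rule.get("targetServiceAccounts"))
                findings.append({"rule": rule["name"], "scoped": scoped})
                break
    return findings


if __name__ == "__main__":
    for f in audit_firewall_rules(SAMPLE_RULES):
        print(f"{f['rule']}: admin port open to the internet, target-scoped={f['scoped']}")
```

Pipe the real `gcloud ... --format=json` output into `audit_firewall_rules` to get the same findings for a live project; disabled rules and non-ingress rules are skipped on purpose.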
Data protection – Cloud Platform
Encryption at rest – Google-managed by default – add CMEK (Cloud KMS) for regulated data – keys in US, EU, APAC key rings per data residency – tested EU (europe-west3/6), UK, CH, SG, JP, AU. Enable Confidential VMs – AMD SEV – for sensitive compute – validated.
Detection & compliance – GCP
Security Command Center Premium – active assets, vulnerabilities, misconfigurations – CIS Benchmark – 12h SLA alerting tested. Enable Organization Policies: constraints/compute.requireOsLogin, constraints/iam.disableServiceAccountKeyCreation, constraints/storage.uniformBucketLevelAccess. Audit Logs – Admin Activity logs are always on – enable Data Access logs selectively – watch the logging cost.
Checklist – GCP Security 2026
- Organization + folders – not flat projects
- IAM – no primitive Owner/Editor at org – use custom least-privilege – review quarterly – IAM recommender
- MFA / passkeys enforced – all human identities – via Google Cloud Identity
- VPC – default deny – no 0.0.0.0/0 SSH/RDP – use IAP TCP forwarding via Cloud Console
- Encryption – CMEK where required – KMS auto-rotation 90d
- Logging – Cloud Logging sink → BigQuery / storage – 365d retention – tested
- Backups – snapshots scheduled – cross-region copy – tested US, EU, APAC
- Compliance – map to ISO 27001, SOC 2, GDPR, HIPAA – verify current attestations in GCP – Artifact Registry
CloudScope rating – GCP Security posture: 8.7/10 – June 2026 – informational – always follow your security team and regulatory requirements – US, UK, EU, CA, AU, SG, JP.