Google Cloud Shared Responsibility Model
In the cloud, security is a partnership. The Shared Responsibility Model (SRM) defines where Google Cloud’s obligations end and where the customer’s obligations begin. For the ACE exam, understanding this boundary is critical because it changes based on the type of service you use (IaaS, PaaS, or SaaS).
The Apartment Analogy
Imagine you are renting an apartment:
- The Landlord (Google Cloud): Is responsible for the building’s structural integrity, the plumbing, the electrical wiring, and the main gate security. If the roof leaks, it is their job to fix it.
- The Tenant (You/Customer): Is responsible for who you give your keys to, locking your front door, how you arrange your furniture, and ensuring your stove isn’t left on. If you leave your door wide open and someone enters, that is your responsibility, not the landlord’s.
Detailed Elaboration: The Spectrum of Control
As you move from Infrastructure as a Service (IaaS) to Software as a Service (SaaS), Google takes on more responsibility, reducing your operational burden but also reducing your granular control.
- Infrastructure as a Service (IaaS): Example: Compute Engine. You manage the OS, the middleware, and the runtime. Google handles the physical hardware and virtualization layer.
- Platform as a Service (PaaS): Example: App Engine or Cloud Functions. Google manages the OS and the runtime. You only manage the application code and data.
- Software as a Service (SaaS): Example: BigQuery or Google Workspace. Google manages almost everything. You are primarily responsible for the data you put in and the access permissions (IAM).
Comparison Table: Responsibility by Service Type
| Component | On-Premises | IaaS (GCE) | PaaS (App Engine) | SaaS (BigQuery) |
|---|---|---|---|---|
| Physical Security | Customer | Google | Google | Google |
| Hardware/Network | Customer | Google | Google | Google |
| OS Patching | Customer | Customer | Google | Google |
| Application Code | Customer | Customer | Customer | Google |
| Data & IAM | Customer | Customer | Customer | Customer |
Decision Matrix: Scenario-Based Learning
If the requirement is…
- Full control over the Operating System kernel: Use Compute Engine (IaaS). You are responsible for security patches.
- To focus only on code without managing servers: Use Cloud Functions (PaaS). Google handles the underlying scaling and security.
- A data warehouse with zero infrastructure management: Use BigQuery (SaaS). You only manage dataset permissions.
- Strict compliance requiring specific hardware: Use Sole-Tenant Nodes on Compute Engine.
ACE Exam Tips: Golden Nuggets
- The “Always” Rule: The customer is ALWAYS responsible for their data, the security of their service accounts, and Identity and Access Management (IAM) configurations.
- The “Never” Rule: The customer is NEVER responsible for the physical security of Google Data Centers (biometrics, cameras, guards).
- Distractor Alert: If a question asks who patches the OS on a Compute Engine instance, the answer is the customer. If it’s App Engine, the answer is Google.
- Encryption: While Google encrypts data at rest by default, the management of encryption keys (CMEK vs. CSEK) is a shared responsibility.
Visualizing the Shared Responsibility Model
Key GCP Services
IaaS: Compute Engine, Cloud Storage.
PaaS: App Engine, GKE (Autopilot), Cloud Run.
SaaS: BigQuery, Looker, Google Workspace.
Common Pitfalls
- Assuming Google backs up your VM data automatically (Use Snapshots!).
- Leaving Cloud Storage buckets public (Check IAM!).
- Using ‘Primitive Roles’ (Owner/Editor) instead of ‘Predefined Roles’.
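The two IAM pitfalls above sit on the customer side of the model, so the customer has to check for them. The following is an added example, not part of the original page: it audits an IAM policy in the JSON shape that `gcloud storage buckets get-iam-policy` and `gcloud projects get-iam-policy` return. The sample policies, project name, and finding labels are constructed for illustration.

```python
import json

# Constructed sample policies (not real projects or accounts).
BUCKET_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
  {"role": "roles/storage.objectAdmin",
   "members": ["serviceAccount:uploader@example-project.iam.gserviceaccount.com"]}
]}
""")
PROJECT_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/editor",
   "members": ["user:dev@example.com",
               "serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/owner", "members": ["user:admin@example.com"]},
  {"role": "roles/bigquery.dataViewer", "members": ["group:analysts@example.com"]}
]}
""")

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}  # anyone on the internet / any Google account
BROAD_ROLES = {"roles/owner", "roles/editor"}           # the Owner/Editor roles named above


def audit_policy(policy):
    """Return sorted (finding, role, member) tuples for customer-side IAM mistakes."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(("PUBLIC_ACCESS", role, member))
            if role in BROAD_ROLES:
                # A service account with a broad role is called out separately:
                # its key or token grants that access to whoever holds it.
                kind = ("BROAD_ROLE_SERVICE_ACCOUNT"
                        if member.startswith("serviceAccount:") else "BROAD_ROLE")
                findings.append((kind, role, member))
    return sorted(findings)


if __name__ == "__main__":
    for name, policy in (("bucket", BUCKET_POLICY), ("project", PROJECT_POLICY)):
        for finding, role, member in audit_policy(policy):
            print(f"{name}: {finding} {role} -> {member}")
```

Each finding maps to a fix the customer owns: remove the public member from the bucket binding, and replace Owner/Editor with a predefined role scoped to the job.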
Quick Patterns
- Hierarchy: Org > Folder > Project > Resource.
- Least Privilege: Only grant the minimum permissions needed.
- Firewalls: VPC Firewalls are Customer responsibility.