Cyber security is top of mind for most board-level executives at enterprises. The financial impact of data breaches is expected to increase by 15 percent per year over the next five years, reaching USD 10.5 trillion annually by 2025.

Being a recognized leader in IaaS security, Google Cloud keeps more people safe online than anyone else, allowing it to deliver pioneering approaches to cloud-native security. Google does this by defending against threats using the same secure-by-design infrastructure to protect its customers.

From Shared Responsibility to Shared-Fate

Google has moved from the shared responsibility model to the shared-fate model for managing risks in what Google calls Trusted Cloud, differentiating itself from other cloud competitors. With the shared-fate model for a Trusted Cloud, Google emphasizes being an active cloud service partner for customers to deploy workloads securely instead of only determining where their responsibility would end.

Through its shared-fate model, Google operates a layered security model to support customers by protecting workloads, users, and assets using GCP security and resiliency solutions to adopt the cloud securely. Similar to frameworks from other cloud providers, such as Microsoft’s CAF, Google has released the Security and Resilience Framework (SRF) to support the secure cloud adoption journey of its customers.

SRF Overview 

Google has released the SRF as a programmatic, risk-based approach for secure cloud adoption. The SRF is aligned with industry security standards and best practices to strategically manage a cloud security transformation program. It is a foundational risk framework for secure adoption of Google Cloud, establishing a set of controls and mapping them to Google security solutions. If these security controls are violated, the SRF provides response and recovery capabilities to ensure the resiliency of workloads running on GCP. The SRF itself is available free of charge.

Guiding Principles of the SRF

The SRF follows a risk-based approach based on the NIST Cyber Security Framework (CSF) as a foundational framework, defining guiding principles aligned with NIST to address each phase of the secure systems lifecycle. Guiding principles map to Google Cloud Native Security Solutions and corresponding asset types. Asset types are the assets that an organization needs to protect, encompassing users, data, applications, devices, and networks. The six principles are as follows:

Identify: The identify principle provides an approach to managing security risk to cloud systems, people, assets, data, and related capabilities. To achieve this, Google provides solutions for risk assessments through Google’s Risk Protection Program. There is also an offering for critical asset discovery through the Cloud Asset Inventory service. Google Cloud security services like Google Security Command Center can help to achieve asset inventory management and risk protection.

Protect: The protect principle enables an organization to define safeguards to deliver secure and resilient critical infrastructure services. Google offers a solution to implement Zero Trust with BeyondCorp Enterprise via solutions such as the Identity-Aware Proxy (IAP) to enable a flexible workforce without the need for VPN technologies. Google also protects against application security threats via Web App and API protection, including hybrid and multi-cloud scenarios. The protection phase also provides capabilities to mitigate the risk of supply chain threats via solutions such as Binary Authorization, allowing only trusted and verified workloads.

Detect: The detection principle supports an organization in defining a set of activities to identify security-relevant events and enable timely investigation. Google provides a capability to support SOC modernization via Autonomic Security Operations (ASO), combining a set of practices, tools, and principled approaches. With ASO, an organization can withstand attacks through an adaptive and automated approach to threat management. Prime capabilities of the ASO suite are Google Chronicle and BigQuery, which allow scalable and modern threat detection that is particularly well suited for detecting security incidents in GCP workloads.

Respond: The respond principle establishes activities for taking the corresponding action when a security incident is detected. Incident response capabilities are enhanced through Siemplify, which is a security orchestration, automation, and response (SOAR) solution. Siemplify provides playbook automation, case management, and integrated threat intelligence.

Recover: In the recover principle, an organization identifies activities to allow the continuation of business operations in case of a breach. Google’s capabilities ensure business continuation against threats like ransomware through Actifio Go. This solution is a backup and disaster recovery vault with rapid access to a point-in-time copy of data, enabling a fast business recovery to an operational state from ransomware attacks. 


For customers to get started with assessing and implementing these principles as part of their secure cloud adoption journey, Google provides the SRF checklist and the SRF discovery tool. These two mechanisms allow customers to assess their cloud security posture and identify relevant control gaps.

SRF Checklist and Discovery

SRF checklist: The SRF checklist is handy for an initial assessment and is available for Google customers to use. It gives an overview of Google Cloud-native security capabilities mapped back to the different guiding principles of the SRF. The checklist is particularly well suited for customers who are early in the cloud adoption journey. The SRF checklist provides a set of controls across different domains such as governance, risk management, and threat management. The set of controls is aligned with Google’s security solutions and helps to get a quick understanding of the overall cloud security maturity.

SRF discovery: The step after the SRF checklist is SRF discovery, which is a free online questionnaire (currently in private preview) that addresses customer concerns around security challenges and threats. It also provides objectives for security and compliance requirements to drive secure cloud adoption. With the SRF discovery tool, a customer can identify relevant control gaps within the SRF. Once completed, it helps a customer determine which solutions need to be implemented and provides a capability maturity score. The discovery also includes recommendations relating to the Google Cloud Architecture Framework.

Overall, the SRF checklist and the discovery tool guide customers on how to fully use security capabilities for specific use cases, improving overall cloud security program maturity. Some use cases might include Web application & API Protection, Autonomic Security Operations, and Zero Trust with BeyondCorp.

The SRF scores against the people, process, and technology elements of cloud transformations and guides a customer to fully use GCP security capabilities for specific outcomes.

Benefits of SRF for Secure Cloud Adoption

Accelerated Secure Cloud Adoption: Customers can benefit from the SRF to align with best practices for securely migrating and operating workloads within GCP. In the outcome of the SRF, Google Cloud-native capabilities are aligned with each guiding principle, allowing customers to understand which Google security solutions to leverage. One solution that drives secure cloud adoption through the SRF is the Secure Foundation using blueprints, reference architectures, and best practices.

Enhance cloud security posture: With the help of the SRF guiding principles, customers can build a mature cloud security program based on GCP Security Best Practices. The risk-based approach of the SRF also provides customers with recommendations and a set of controls for GCP security solutions to reduce the risk of security events resulting in data breaches and outages due to unauthorized access. If these controls are breached, the SRF provides response and recovery capabilities to ensure resiliency. The SRF also helps in identifying threats against assets that the organization is aiming to protect (“crown jewels”).

Recommendations for GCP Cloud Security Solutions: The output of the SRF is a capability maturity assessment score with recommendations mapping back to Google Cloud security solutions. The output can be used as a road map for the secure cloud adoption journey, and it highlights specific use cases for remediating security control gaps using Google solution guidance. The solution guidance helps reduce risk using Google Cloud Security Best Practices.

Security and Resiliency as Business Enabler: Using the GCP cloud in a secure way also makes security a business enabler, allowing accelerated business agility due to increased operational efficiency and reduced cost.

Overall, the SRF suits organizations early in the adoption journey looking for a risk-based approach to migrate to GCP and operate workloads in a secure and resilient manner, aligned with Google Cloud Security and Resilience Best Practices. The SRF checklist and SRF discovery tool are handy tools for Google Cloud customers to kick-start the secure adoption journey and are free of charge.

How Cloudreach, an Atos company, Can Help

Cloudreach, an Atos company, has more than a decade of experience helping clients make the most of Google Cloud. We’ve been recognized as a Premier Partner, and we’re a three-time winner of the Google Cloud Specialization Partner of the Year Award for Security.

In recent years, we’ve worked to advance Google Cloud’s already-robust security by building solutions like the Minimum Viable Cloud for Financial Services. These solutions help our clients accelerate their journey to Google Cloud without sacrificing security. We also implemented a fully compliant massive-scale Event Threat Detection Platform, built on GCP, for a major U.S. city. The project includes a Security Information and Event Management (SIEM) data pipeline that can log and aggregate event streams from over 400,000 devices.



Dan is a Cloud Security Architect Lead at Cloudreach based in Edinburgh, Scotland. He has over a decade of professional service experience in cyber security, particularly in Cloud Security Engineering, Architecture, and DevSecOps. During the past few years at Cloudreach, he has delivered cloud security transformation and migration programs for enterprises in financial services and logistics.

