When you manage your data in your own data centers, your organization is responsible for all aspects of its security. The advantage of using Cloud technology is that the responsibility to secure data is shared between you and your Cloud provider. First, let's be clear about everyone's role in this model. When you adopt the Cloud, the Cloud service provider typically becomes the data processor. You are the data controller. While the cloud service provider manages the security of its infrastructure and its data centers, you gain the benefit of multiple built-in security layers of this infrastructure. This is referred to as defense in depth. Your core responsibility is to secure access to your data.

Google, for example, has run its services and a multi-tenant Cloud environment for nearly 20 years. It now has at least seven global services with nearly one billion daily users. With that many users, and that much data, Google has been the target for security attacks at global scale. So having security, privacy, and data compliance measures in place at scale was a problem that Google needed to solve early on. Everything Google has ever learned over the past 20 years has driven how we design and secure our infrastructure. This is the same infrastructure that is used by Google enterprise customers.

Let's look at how Google, as the data processor, protects its infrastructure. Google implements a defense in depth approach to security as a secure foundation. As of 2019, Google Cloud has over 134 points of presence worldwide, connecting 18 data center regions, and that's where the security efforts start. There's layer upon layer of security built into Google Cloud's products and services.

Let's look at Google Cloud's multi-layer approach more closely, starting with the hardware. Google designs its own servers, its own storage, and its own networking gear. In fact, it manufactures almost all of its own hardware, and third parties never see the overall process.
This hardware is housed in our highly secure data centers that are located around the world. New server builds have a chip called Titan embedded. Titan checks a machine for integrity every time it boots up.

The next step is software. The Titan microcontroller continues to verify the operating systems and the rest of the deployed software stack. The server is not allowed onto the network, and holds zero data, until the server's health is confirmed.

Moving up a layer to storage, let's talk about data encryption at rest. Encryption at rest protects data when it's stored on physical media, like a hard disk. And that's not all. All data at rest is also encrypted by default, to help guard against unauthorized access. Let me explain how this works. When data is going to be stored on Google Cloud, it goes through the following process. First, it's broken into many pieces in memory. These pieces, or chunks, are encrypted with their own data encryption key, or DEK. These encryption keys are then encrypted a second time with a wrapping key, generating something we call a key encryption key or KEK. Encrypted chunks and wrapped encryption keys are distributed across Google's infrastructure. In the unlikely event that someone compromises an encryption key, they could only access one tiny piece of data which, without all the other pieces, would be unreadable.

Next we come to identity. Google Cloud operates a zero trust model, instead of relying on the traditional perimeter approach to security. This means that every user and every machine that tries to access data or services must strongly authenticate at each stage for each file.

Anyone accessing the Cloud does so over a network, so that's the next layer. Encryption in transit protects data as it moves across a network. Data in transit, that is, all the data moving into and out of Google's Cloud infrastructure, is encrypted.
Multiple layers of defense are in place to help customers protect against network attacks, like distributed denial of service attacks.

The final layer is the operations layer. At Google, a global team of more than 900 security experts monitors the system 24 hours a day, 365 days a year. Their role is to detect attacks and other issues, and promptly respond to them.

In addition to these multiple layers of security, Google Cloud has an array of features and policies that its customers can use to control access to their data. More information about using these features and policies is in the Shared Responsibility Model explained in the next section.
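The chunk-and-wrap process described above for encryption at rest, sketched as an added example (not Google's code): each chunk gets its own DEK, every DEK is wrapped under a KEK, and a single leaked DEK opens only its own chunk. The function names, the 16-byte chunk size, and the SHA-256/HMAC stand-in cipher are assumptions made so the example runs with the standard library only; a real system would use an AEAD such as AES-GCM.

```python
import hashlib
import hmac
import secrets

CHUNK_SIZE = 16  # constructed value, tiny so a short sample spans several chunks

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    """Stand-in authenticated cipher (hypothetical helper), not a real AEAD."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified data")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

def store(data, kek):
    """Split data into chunks, encrypt each under its own DEK, wrap each DEK with the KEK."""
    records = []
    for i in range(0, len(data), CHUNK_SIZE):
        dek = secrets.token_bytes(32)  # fresh data encryption key per chunk
        records.append({"chunk": seal(dek, data[i:i + CHUNK_SIZE]), "wrapped_dek": seal(kek, dek)})
    return records

def load(records, kek):
    # Unwrap each DEK with the KEK, then decrypt and reassemble the chunks.
    return b"".join(unseal(unseal(kek, r["wrapped_dek"]), r["chunk"]) for r in records)

def chunks_readable_with(dek, records):
    """Indices of the chunks that one leaked DEK can decrypt."""
    readable = []
    for i, r in enumerate(records):
        try:
            unseal(dek, r["chunk"])
            readable.append(i)
        except ValueError:
            pass
    return readable
```

Only the wrapped DEKs are stored next to the chunks, so rotating the KEK means re-wrapping small keys rather than re-encrypting the data itself.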