Let's begin by talking about some security concepts and introducing some of the best practices for security design. When you move an application to Google Cloud, Google handles many of the lower layers of the overall security stack. Because of its scale, Google can deliver a higher level of security at these layers than most of its customers could afford to do on their own. This does not mean that Google is responsible for all the security aspects. Google Cloud security is a shared responsibility between you and Google. So it is important that there is a clear separation of duties, and there is no ambiguity between what is provided by the platform and what you are responsible for. For this, there needs to be transparency. There are certain actions you as a client are responsible for, and some that Google is responsible for. Google Cloud provides the controls and features required to leverage the platform together with the tools to monitor your services.

Google implements security in layers. At the base is custom-built hardware and servers that are loaded using a verified boot loading system. All the way through the stack, security is at the forefront. When you take your part in security, for example, establishing firewall rules or configuring IAM, as long as they are configured correctly, you have a safe environment. There are tools Google Cloud provides that can be used for monitoring and auditing your networks, which we will discuss shortly, or you can also install your own tools.

Let's talk about some best practices when implementing security. The principle of least privilege is the practice of granting a user only the minimal set of permissions required to perform a duty. This should apply to machine instances and processes, as well as users. Google Cloud provides Cloud IAM to help apply this principle. You can use it to identify users with their login or identify machines using service accounts.
Roles should be assigned to users and service accounts to restrict what they can do, always following the principle of least privilege.

Separation of duties is another best practice and it has two primary objectives: one, prevention of conflict of interest, and two, the detection of control failures, for example, security breaches and information theft. From a practical perspective, this means that no one person can change or delete data without being detected. No one person can steal sensitive data and no single person is in charge of designing, implementing, and reporting on sensitive systems. For example, a developer who writes the code should not be responsible for deploying that code, and anybody that has the permission to deploy should not be able to change the code. One approach to achieve this separation of duties in Google Cloud is to use multiple projects to separate duties. Different people can be given suitable rights to different projects, with these permissions following the principle of separation of duties. Folders are especially useful for organizing multiple projects.

It is also vital to audit Google Cloud logs to discover attacks and potential security breaches. All Google Cloud services write to audit logs, so there is a rich source of information available. These logs include admin, data access, VPC flow, firewall, and system logs. So an in-depth view of activity is provided for audit.

Now, moving to the cloud often requires maintaining compliance with regulatory requirements or guidelines. Google Cloud meets many third-party and government compliance standards worldwide. While Google Cloud has been certified as secure, for example to ISO/IEC 27001, HIPAA and SOC 1, that does not mean your application running on Google Cloud is certified. Your concern should always be on what you build.

Google Cloud also offers the Security Command Center, which provides access to organizational and project security configuration.
As you can see in this screenshot, the Security Command Center provides a dashboard that reports security health analysis, threat detections, anomaly detection, and a summary report. Once a threat is detected, a set of actionable recommendations is provided.
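
The least-privilege and separation-of-duties practices described above can be checked mechanically against IAM policies. The following is an added example, not part of the original lecture: it scans the role bindings of two projects for basic roles and for members who can both change code and deploy it. The project IDs, members and sample policies are constructed, and the grouping of roles into "code" and "deploy" sets is an assumption made for the illustration.

```python
import json

# Basic roles grant broad access and rarely fit least privilege.
BROAD_ROLES = {"roles/owner", "roles/editor"}
# Assumption for this example: which roles count as "change code" vs "deploy".
CODE_ROLES = {"roles/source.writer", "roles/source.admin"}
DEPLOY_ROLES = {"roles/run.admin", "roles/clouddeploy.releaser"}

# Constructed sample: IAM policies for two hypothetical projects.
SAMPLE_POLICIES = json.loads("""
{
  "example-dev": {"bindings": [
    {"role": "roles/source.writer",
     "members": ["user:dev@example.com", "user:lead@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:app@example-dev.iam.gserviceaccount.com"]}]},
  "example-prod": {"bindings": [
    {"role": "roles/run.admin",
     "members": ["user:ops@example.com", "user:lead@example.com"]},
    {"role": "roles/logging.viewer", "members": ["group:auditors@example.com"]}]}
}
""")

def roles_by_member(policy):
    """Invert a policy's bindings into {member: set(roles)}."""
    result = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            result.setdefault(member, set()).add(binding["role"])
    return result

def audit(policies):
    """Return sorted (kind, member, detail) findings for {project_id: policy}."""
    findings, code, deploy = [], {}, {}
    for project, policy in sorted(policies.items()):
        for member, roles in roles_by_member(policy).items():
            for role in sorted(roles & BROAD_ROLES):
                findings.append(("broad-role", member, f"{role} on {project}"))
            if roles & CODE_ROLES:
                code.setdefault(member, []).append(project)
            if roles & DEPLOY_ROLES:
                deploy.setdefault(member, []).append(project)
    # Separation of duties: nobody should both change code and deploy it.
    for member in code.keys() & deploy.keys():
        detail = f"code: {','.join(code[member])}; deploy: {','.join(deploy[member])}"
        findings.append(("sod-conflict", member, detail))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICIES):
        print(*finding, sep=" | ")
```

On the sample input, the service account holding the Editor role and the one user with rights in both projects are reported; the viewer-only auditors group is not.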