Google Cloud Storage
Object-level data protection for the cloud powering the world's most data-intensive workloads
Cloud Storage isn't where data lives. It's where data begins.
Google Cloud built its object storage service as the foundation of an analytics platform — the entry point before BigQuery queries it, before Dataflow reads it into a pipeline, before Vertex AI trains on it. Every object in Cloud Storage is either in motion or about to be.
That integration depth distinguishes Cloud Storage from storage-only alternatives. Autoclass tiers data automatically across Standard, Nearline, Coldline, and Archive classes with no lifecycle rules required. Multi-region and dual-region buckets provide resilience and low-latency access across geographies. Pub/Sub notifications fire the moment objects land, enabling event-driven pipelines that respond to data as it arrives. For regulated industries and government programs, Assured Workloads delivers the FedRAMP High, ITAR, and CJIS compliance structure that sensitive workloads require — without giving up the analytics capabilities that brought organizations to GCP in the first place.
When paired with the Virtru Data Security Platform, Google Cloud Storage becomes the governed entry point for an entire analytics stack — not just a data lake. Each object is TDF-encrypted with embedded ABAC policy at write time, so protection persists through every BigQuery query, every Dataflow transformation, and every Vertex AI training run that follows. Organizations running analytics on sensitive data — clinical trial records, financial transactions, controlled government information, and similar records — gain persistent, object-level governance that Cloud IAM cannot carry beyond the Cloud Storage API boundary, without modifying the pipelines or applications driving their data workflows.
Key Capabilities
- Eleven nines of data durability (99.999999999%) across redundant, distributed infrastructure built for long-lived enterprise and government data programs
- Autoclass storage management transitions objects automatically between Standard, Nearline, Coldline, and Archive tiers based on access patterns — eliminating lifecycle rule configuration overhead
- Multi-region and dual-region buckets for resilience, geographic redundancy, and low-latency access across distributed teams and workloads
- Native Google Cloud data ecosystem integration — direct query from BigQuery (external tables and BigLake), pipeline ingestion via Dataflow and Dataproc, model training via Vertex AI, without copying data out of Cloud Storage
- Pub/Sub object notifications for real-time, event-driven pipeline triggers when objects are created, modified, or deleted
- Object Versioning and Object Lifecycle Management for immutable storage, retention enforcement, and automated object expiration
- Assured Workloads for FedRAMP High, ITAR, CJIS, and DoD IL4/IL5 regulated environments requiring data sovereignty and compliance controls
- Google Cloud Marketplace availability for streamlined procurement and consolidated GCP billing
- Object-level data governance when paired with the Virtru Data Security Platform — attribute-based access policies applied per object, independent of bucket-level permissions
Better Together
Cloud Identity and Access Management enforces who can call the Cloud Storage API. That's where its authority stops.
IAM governs which principals can perform which operations on which buckets — with condition-based policies, organizational hierarchy, and auditability across the full GCP estate. It does this reliably. At scale. Without exception. The moment an object leaves Cloud Storage, IAM has no further reach. Exported to a BigQuery external table, read by a Dataflow pipeline, passed to a Vertex AI training job — the data crosses the boundary. No policy travels with it.
For organizations running analytics on sensitive data, this gap is concrete. A BigQuery analyst querying an external table over a Cloud Storage bucket sees every row the table exposes — governed by IAM, not by what the data contains or who should be permitted to see it. A Dataflow pipeline reads objects from a source bucket, transforms them, and writes to a destination. The output carries no governance context from the source. Whatever sensitivity lived in the original records — clinical trial data, financial transactions, controlled unclassified information — now exists at the destination under whatever policy that bucket happens to carry.
The Virtru Data Security Platform closes the gap at the object level. TDF encryption applied per object embeds the access policy inside the data itself — not in the bucket, not in the IAM binding, not in the pipeline's service account. Protection travels with the data through every pipeline stage, every transformation, every downstream landing point. Decryption requires a live attribute check against the Key Access Service at the moment of access. Revoke a user's entitlements and the next access attempt is denied — regardless of where the object lives, which service is requesting it, or how many pipeline stages have processed it.
This also resolves the bucket proliferation problem. Without object-level governance, teams create separate buckets for separate sensitivities: one per classification tier, one per project, one per team boundary. Each bucket multiplies IAM policies, access reviews, and cost allocation overhead. With the Virtru Data Security Platform, one Cloud Storage bucket holds objects under entirely different governance profiles. A data engineer and a compliance analyst access the same bucket; each sees only what their attributes authorize — enforced by the data itself.
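The mechanism described above (policy embedded in the object, a live attribute check at a Key Access Service, revocation that takes effect wherever the object has landed) can be modelled in a few dozen lines. The following is an added illustration written for this page; it is not Virtru's SDK, not the TDF wire format, and the names `KeyAccessService`, `protect_object` and `access_object` are invented for the example. It uses only the Python standard library, so a keyed-HMAC counter-mode keystream with an encrypt-then-MAC tag stands in for the AES-GCM a real implementation would use, and the policy is simplified to "requester must hold all listed attributes" rather than the richer attribute rules a production ABAC engine evaluates.

```python
"""Conceptual model of policy-embedded object encryption (TDF-style ABAC).

Constructed example for illustration only. The cipher below is a stand-in
for AES-GCM built from HMAC so the code runs with the standard library alone.
"""
import hashlib
import hmac
import json
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; a toy substitute for a real AEAD cipher.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _seal(key: bytes, plaintext: bytes):
    # Encrypt-then-MAC: the tag covers nonce and ciphertext.
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def _open(key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext or nonce was tampered with")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KeyAccessService:
    """Holds the key-wrapping key and an attribute directory (stand-in for the IdP)."""

    def __init__(self):
        self._kek = secrets.token_bytes(32)
        self.entitlements = {}  # user -> set of attribute strings (hypothetical IdP data)

    def wrap(self, dek: bytes, policy: dict) -> dict:
        # The policy binding ties the policy to the key, so editing the policy in a
        # stored manifest is detected at rewrap time.
        policy_bytes = json.dumps(policy, sort_keys=True).encode()
        nonce, wrapped, tag = _seal(self._kek, dek)
        binding = hmac.new(dek, policy_bytes, hashlib.sha256).hexdigest()
        return {"nonce": nonce.hex(), "wrapped_key": wrapped.hex(),
                "tag": tag.hex(), "policy_binding": binding}

    def rewrap(self, manifest: dict, user: str) -> bytes:
        ka = manifest["key_access"]
        dek = _open(self._kek, bytes.fromhex(ka["nonce"]),
                    bytes.fromhex(ka["wrapped_key"]), bytes.fromhex(ka["tag"]))
        policy_bytes = json.dumps(manifest["policy"], sort_keys=True).encode()
        expected = hmac.new(dek, policy_bytes, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, ka["policy_binding"]):
            raise PermissionError("policy binding mismatch: manifest policy was altered")
        required = set(manifest["policy"]["attributes"])
        held = self.entitlements.get(user, set())  # live attribute lookup at access time
        if not required <= held:
            raise PermissionError(f"{user} lacks {sorted(required - held)}")
        return dek


def protect_object(kas: KeyAccessService, plaintext: bytes, attributes) -> dict:
    """Encrypt one object under a fresh data key and embed the ABAC policy."""
    dek = secrets.token_bytes(32)
    nonce, ct, tag = _seal(dek, plaintext)
    policy = {"attributes": sorted(attributes)}
    return {"payload": {"nonce": nonce.hex(), "ciphertext": ct.hex(), "tag": tag.hex()},
            "policy": policy, "key_access": kas.wrap(dek, policy)}


def access_object(kas: KeyAccessService, tdf: dict, user: str) -> bytes:
    """Ask the KAS for the data key; only succeeds if the policy is satisfied."""
    dek = kas.rewrap(tdf, user)
    p = tdf["payload"]
    return _open(dek, bytes.fromhex(p["nonce"]), bytes.fromhex(p["ciphertext"]), bytes.fromhex(p["tag"]))


def demo() -> dict:
    """Walk through copy, deny, revoke and tamper cases; returns outcomes by label."""
    kas = KeyAccessService()
    kas.entitlements = {"alice@example.com": {"clinical", "org:trial-42"},
                        "bob@example.com": {"finance"}}
    secret = b"patient-0017: constructed clinical record"
    record = protect_object(kas, secret, {"clinical", "org:trial-42"})
    # Copying the object elsewhere (a different "bucket") carries the policy with it.
    landing_bucket = {"landing/record.tdf": json.loads(json.dumps(record))}
    copy = landing_bucket["landing/record.tdf"]
    results = {"alice": access_object(kas, copy, "alice@example.com") == secret}
    for label, user, manifest in [("bob", "bob@example.com", copy),
                                  ("tampered", "bob@example.com", None)]:
        if manifest is None:  # strip the policy in the stored manifest
            manifest = json.loads(json.dumps(record))
            manifest["policy"]["attributes"] = []
        try:
            access_object(kas, manifest, user)
            results[label] = "allowed"
        except PermissionError:
            results[label] = "denied"
    kas.entitlements["alice@example.com"].discard("org:trial-42")  # revoke one attribute
    try:
        access_object(kas, copy, "alice@example.com")
        results["alice_after_revoke"] = "allowed"
    except PermissionError:
        results["alice_after_revoke"] = "denied"
    return results
```

The point the model makes is that nothing in `access_object` depends on which bucket the manifest came from: the copy in `landing_bucket` is governed exactly like the original, bob is refused because his attributes do not satisfy the embedded policy, alice is refused the moment her entitlement is removed at the KAS, and blanking the policy inside the stored manifest fails the policy binding check before any attribute comparison runs.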
Protecting data stored in GCP Cloud Storage with the Virtru Data Security Platform requires an active Google Cloud account, a deployed Virtru instance, and an identity provider that can supply the user and environmental attributes that drive access decisions.
- Active Google Cloud account with Cloud Storage enabled — all storage classes and bucket configurations supported; Google Cloud Free Tier for evaluation, Standard pricing for production workloads
- Virtru Data Security Platform deployment (SaaS, customer VPC, on-premises, or hybrid)
- GCP IAM service account with appropriate Cloud Storage permissions for target buckets, or Workload Identity Federation for keyless authentication
- Compatible OIDC/OAuth2 identity provider (e.g., Google Workspace, Cloud Identity, Okta, Microsoft Entra ID, Ping Identity) for ABAC attribute sourcing
- Network connectivity between the Virtru Data Security Platform deployment and Cloud Storage API endpoints
- Optional: Google Cloud KMS integration with Virtru Private Keystore for organizations requiring customer-managed encryption keys within their own GCP project
Security: GCP Cloud Storage and the Virtru Data Security Platform operate at complementary layers of the security stack. Google Cloud encrypts data at rest by default using AES-256, enforces TLS in transit, and provides infrastructure-level access controls through Cloud IAM and VPC Service Controls. Customer-managed encryption is available via Cloud KMS (CMEK) or customer-supplied keys (CSEK).
The Virtru Data Security Platform adds a data-centric layer that persists beyond the Cloud Storage boundary. TDF encryption with ABAC policy enforcement travels with every object — regardless of which service accesses it, which pipeline transforms it, or where it lands after retrieval.
Compliance: Google Cloud holds FedRAMP High authorization, SOC 2 Type II, ISO 27001, PCI DSS, and HIPAA eligibility, with ITAR and CJIS coverage through Assured Workloads. The Virtru Data Security Platform is FedRAMP Moderate authorized, SOC 2 Type II, and PCI DSS certified.
Virtru is the 2024 Google Cloud Partner of the Year in Education and Government — a designation reflecting the joint solution's track record in regulated and public sector environments. More than 3,500 joint customers rely on the Virtru and Google Cloud combination to meet compliance requirements that demand persistent data protection, not just perimeter access control.
Privacy: TDF encryption ensures objects stored in Cloud Storage remain protected at rest. Google Cloud infrastructure cannot decrypt the contents; only users whose attributes satisfy the embedded ABAC policy can access plaintext. The Virtru Data Security Platform manages key exchange and policy evaluation without exposing decryption keys to the storage layer.
For organizations with strict data sovereignty requirements, Virtru Private Keystore with Google Cloud KMS keeps all cryptographic operations within the customer's own GCP project — no Virtru-managed keys, no third-party escrow. Data sovereignty stays with the data owner.
Resources
Virtru + Google Cloud Partnership
Virtru on Google Cloud Marketplace
2024 Google Cloud Partner of the Year
Zero Trust Across the Google Ecosystem