A FCA-regulated payments firm migrated to Google Cloud last quarter, passed their internal review, and felt confident. Then our consultants ran a CloudAuditX scan against their project hierarchy. Result: a service account with Editor role at the organisation node, three VPCs with default firewall rules permitting 0.0.0.0/0 on RDP, and Cloud Audit Logs disabled for Data Access events across BigQuery. None of this showed up in their Cloud Security Command Center dashboard because the premium tier wasn't enabled.

This isn't unusual. GCP's security posture is strong by default for the platform itself — but the configuration responsibility sits squarely with the customer. For UK financial services firms operating under the FCA's PS21/3 Operational Resilience requirements and the Bank of England's SS2/21 outsourcing rules, the gap between "deployed" and "hardened" is where regulatory exposure lives.

Below are seven GCP security best practices our team consistently finds missing during audits of UK financial services environments. None are exotic. All are exploitable.

1. Organisation Policies Are Not Optional — Set Them First

Most teams configure IAM at the project level and ignore the Organisation node. That's backwards. Organisation Policies are the only way to enforce constraints that survive project sprawl: blocking external IP assignment on VMs, restricting which domains can be added as IAM principals, disabling service account key creation, and enforcing VPC Service Controls perimeters.

Set iam.disableServiceAccountKeyCreation to true at the organisation level. Service account keys are the single most common credential leak vector in GCP. Use Workload Identity Federation for CI/CD instead. If a team genuinely needs a key, they request an exception with documented justification — not a default capability.

Also enforce compute.requireOsLogin and compute.vmExternalIpAccess with an explicit allowlist. These two alone eliminate a significant portion of the attack surface our consultants find on greenfield deployments.
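As an added example (not code from the post or from Pyralink), the check below evaluates an organisation's Org Policy set against the constraints named in this section and the next; the input is a constructed sample shaped like the Org Policy v2 policy resource (name plus spec.rules), and the tag-conditioned rule and allowAll rule are there to show two ways a policy can exist yet not protect anything.

```python
# Added example (not from the post): evaluate Org Policy constraints against the baseline
# this section describes. SAMPLE_POLICIES is constructed, not from a real organisation.
import json

# Boolean constraints must be enforced; list constraints need an explicit allowlist,
# because an allowAll rule is the same as having no control at all.
BASELINE = {
    "iam.disableServiceAccountKeyCreation": "boolean",
    "compute.requireOsLogin": "boolean",
    "compute.skipDefaultNetworkCreation": "boolean",
    "compute.vmExternalIpAccess": "list",
}

SAMPLE_POLICIES = json.loads("""
[
 {"name": "organizations/000000000000/policies/iam.disableServiceAccountKeyCreation",
  "spec": {"rules": [{"enforce": true}]}},
 {"name": "organizations/000000000000/policies/compute.requireOsLogin",
  "spec": {"rules": [{"enforce": true,
                      "condition": {"expression": "resource.matchTag('000000000000/env', 'prod')"}}]}},
 {"name": "organizations/000000000000/policies/compute.vmExternalIpAccess",
  "spec": {"rules": [{"allowAll": true}]}}
]
""")

def evaluate(policies, baseline=BASELINE):
    """Return one finding per baseline constraint that is missing or weaker than required."""
    by_constraint = {p["name"].rsplit("/", 1)[1]: p for p in policies}
    findings = []
    for constraint, kind in baseline.items():
        policy = by_constraint.get(constraint)
        if policy is None:
            findings.append(f"{constraint}: no policy set at organisation level")
            continue
        # Only unconditional rules count: a tag-conditioned rule leaves untagged projects open.
        rules = [r for r in policy.get("spec", {}).get("rules", []) if "condition" not in r]
        if kind == "boolean":
            if not any(r.get("enforce") is True for r in rules):
                findings.append(f"{constraint}: not enforced unconditionally")
        else:
            allowlisted = any("allowedValues" in r.get("values", {}) for r in rules)
            if any(r.get("allowAll") for r in rules) or not allowlisted:
                findings.append(f"{constraint}: no explicit allowlist (allowAll or empty)")
    return findings
```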

2. The Default VPC Is a Liability — Delete It

Every new GCP project ships with a default VPC containing pre-configured firewall rules that allow ICMP, RDP (3389), and SSH (22) from anywhere. For a development sandbox, that might be tolerable. For anything touching customer data or payment flows, it's a finding waiting to happen.

Disable the default network via Organisation Policy (compute.skipDefaultNetworkCreation) before any project is created. Then design custom VPCs with explicit subnets, Private Google Access enabled, and Cloud NAT for egress. Internal services should never have external IPs — full stop. Use Identity-Aware Proxy for administrative access instead of SSH bastions exposed to the internet.
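The scan in the opening paragraph flagged exactly this kind of rule. As an added example (not from the post), the function below walks a firewall-rule snapshot shaped like `gcloud compute firewall-rules list --format=json` and reports enabled ingress rules that reach SSH or RDP from the internet, including rules that hide the port inside a range or omit the port list entirely; the rules themselves are a constructed sample.

```python
# Added example (not from the post): find ingress firewall rules exposing SSH/RDP to the
# internet. SAMPLE_RULES is constructed; field names follow the Compute firewall resource.
import json

SAMPLE_RULES = json.loads("""
[
 {"name": "default-allow-rdp", "network": "global/networks/default", "direction": "INGRESS",
  "disabled": false, "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
 {"name": "default-allow-ssh", "network": "global/networks/default", "direction": "INGRESS",
  "disabled": false, "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "allow-mgmt-range", "network": "global/networks/payments-vpc", "direction": "INGRESS",
  "disabled": false, "sourceRanges": ["10.20.0.0/16"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["20-1024"]}]},
 {"name": "allow-all-tcp-old", "network": "global/networks/payments-vpc", "direction": "INGRESS",
  "disabled": false, "sourceRanges": ["0.0.0.0/0", "10.0.0.0/8"],
  "allowed": [{"IPProtocol": "tcp"}]}
]
""")

ADMIN_PORTS = {22, 3389}
INTERNET = {"0.0.0.0/0", "::/0"}

def _covers_admin_port(allowed):
    """True if any allowed entry admits TCP 22 or 3389, directly, via a range, or via 'all ports'."""
    for entry in allowed:
        proto = entry.get("IPProtocol", "").lower()
        if proto not in ("tcp", "all"):
            continue
        ports = entry.get("ports")
        if not ports:            # no port list means every port for that protocol
            return True
        for spec in ports:
            lo, _, hi = spec.partition("-")
            lo, hi = int(lo), int(hi or lo)
            if any(lo <= p <= hi for p in ADMIN_PORTS):
                return True
    return False

def find_exposed_admin_rules(rules):
    """Names of enabled INGRESS rules reachable from the internet on an admin port."""
    return [
        r["name"] for r in rules
        if r.get("direction") == "INGRESS" and not r.get("disabled")
        and INTERNET & set(r.get("sourceRanges", []))
        and _covers_admin_port(r.get("allowed", []))
    ]
```

The internal-only `allow-mgmt-range` rule is deliberately not reported: it covers port 22 but its source range is private, so the finding is about reachability, not the port alone.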

3. VPC Service Controls — The Control Most Teams Skip

VPC Service Controls create a security perimeter around GCP-managed services like BigQuery, Cloud Storage, and Pub/Sub, preventing data exfiltration via stolen credentials. A compromised service account key cannot pull data from a Cloud Storage bucket inside a perimeter unless the request originates from an approved network.

For UK firms processing personal data under UK GDPR and the Data Protection Act 2018, this is the strongest technical control available to demonstrate that "appropriate technical measures" (Article 32) have been implemented against credential-based exfiltration. Implementing it is non-trivial — you'll need to enumerate every legitimate access path and configure ingress/egress rules — but the audit value alone justifies the work.

4. Cloud Audit Logs: Enable Data Access Logs Explicitly

Admin Activity logs are on by default and free. Data Access logs are off by default for most services, and they're the ones you actually need for incident investigation. Without Data Access logs on BigQuery, Cloud Storage, and Cloud SQL, you cannot reconstruct who read what.

Enable Data Access logs across the organisation for DATA_READ and DATA_WRITE on sensitive services. Route logs to a dedicated logging project with restricted IAM, export to a Cloud Storage bucket with Bucket Lock for immutable retention, and stream to your SIEM. The FCA expects firms to demonstrate forensic readiness — gaps in audit logging are not defensible.
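As an added example (not from the post), the code below checks the `auditConfigs` section of a project IAM policy, in the shape returned by `gcloud projects get-iam-policy --format=json`, for DATA_READ and DATA_WRITE on the three services named above, and builds the replacement block. It assumes, as a policy choice, that a log type with `exemptedMembers` counts as a gap, since exempted principals are exactly the "who read what" you cannot reconstruct later; the policy document is a constructed sample.

```python
# Added example (not from the post): find Data Access audit-log gaps in a project IAM policy
# and emit a corrected auditConfigs block. SAMPLE_POLICY is constructed.
import json

SENSITIVE = ["bigquery.googleapis.com", "storage.googleapis.com", "sqladmin.googleapis.com"]
REQUIRED = {"DATA_READ", "DATA_WRITE"}

SAMPLE_POLICY = json.loads("""
{"bindings": [],
 "auditConfigs": [
   {"service": "storage.googleapis.com",
    "auditLogConfigs": [{"logType": "DATA_WRITE"},
                        {"logType": "DATA_READ", "exemptedMembers": ["group:analysts@example.com"]}]},
   {"service": "sqladmin.googleapis.com",
    "auditLogConfigs": [{"logType": "ADMIN_READ"}]}
 ]}
""")

def audit_gaps(policy, services=SENSITIVE):
    """Map each sensitive service to the Data Access log types it is missing or exempting."""
    configs = {c["service"]: c.get("auditLogConfigs", []) for c in policy.get("auditConfigs", [])}
    wildcard = configs.get("allServices", [])   # 'allServices' applies on top of per-service entries
    gaps = {}
    for svc in services:
        enabled = set()
        for cfg in wildcard + configs.get(svc, []):
            # Assumed stance: a log type with exemptions does not satisfy the requirement.
            if cfg.get("logType") in REQUIRED and not cfg.get("exemptedMembers"):
                enabled.add(cfg["logType"])
        missing = REQUIRED - enabled
        if missing:
            gaps[svc] = sorted(missing)
    return gaps

def hardened_audit_configs(services=SENSITIVE):
    """auditConfigs that enable DATA_READ and DATA_WRITE, with no exemptions, per service."""
    return [{"service": s, "auditLogConfigs": [{"logType": t} for t in sorted(REQUIRED)]}
            for s in services]
```

Apply the returned block by merging it into the policy's `auditConfigs` and writing the policy back with `gcloud projects set-iam-policy`; the same shape works at folder and organisation level.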

5. Security Command Center Premium — Not the Free Tier

The Standard tier of GCP Security Command Center gives you basic asset discovery. The Premium tier gives you Event Threat Detection, Container Threat Detection, vulnerability scanning, and continuous compliance reporting against CIS, PCI DSS, and ISO 27001 benchmarks.


For any UK financial services workload, the Standard tier is insufficient. The cost of Premium is materially lower than the cost of a single incident response engagement, and it gives compliance teams a defensible monitoring narrative.

6. IAM: Conditional Access and Principle of Least Privilege

Stop granting basic roles (Owner, Editor, Viewer; Google previously called them primitive roles). They predate fine-grained IAM and grant thousands of permissions across every service in the project. Use predefined roles or custom roles scoped to the specific resources and actions required.

Apply IAM Conditions to time-bound access (e.g., engineer access expires in 4 hours), restrict by resource tag, and require Access Context Manager attributes for privileged operations. Pair this with Recommender — GCP's IAM Recommender flags roles where the granted permissions exceed the principal's actual usage over the last 90 days. Review and act on these recommendations monthly.
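As an added example (not from the post), the code below reviews a project's IAM bindings for the two problems this section calls out, basic roles and privileged roles granted without a condition, and builds a binding whose IAM Condition expires after a fixed number of hours. The list of role prefixes treated as privileged is an assumption for the example (it includes the KMS role the post discusses later), and the bindings are a constructed sample.

```python
# Added example (not from the post): flag basic and unconditioned privileged bindings, and
# build a time-bound binding. SAMPLE_BINDINGS and PRIVILEGED_PREFIXES are assumptions.
import json
from datetime import datetime, timedelta, timezone

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Assumed for the example: roles that should never be granted without an IAM Condition.
PRIVILEGED_PREFIXES = ("roles/iam.", "roles/cloudkms.", "roles/compute.admin")

SAMPLE_BINDINGS = json.loads(r"""
[
 {"role": "roles/editor", "members": ["serviceAccount:deploy@proj.iam.gserviceaccount.com"]},
 {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter", "members": ["user:alice@example.com"]},
 {"role": "roles/compute.admin", "members": ["user:bob@example.com"],
  "condition": {"title": "expires",
                "expression": "request.time < timestamp(\"2025-01-01T00:00:00Z\")"}},
 {"role": "roles/bigquery.dataViewer", "members": ["group:analysts@example.com"]}
]
""")

def review_bindings(bindings):
    """One finding per binding that uses a basic role or an unconditioned privileged role."""
    findings = []
    for b in bindings:
        role = b["role"]
        if role in BASIC_ROLES:
            findings.append(f"{role}: basic role granted to {', '.join(b['members'])}")
        elif role.startswith(PRIVILEGED_PREFIXES) and "condition" not in b:
            findings.append(f"{role}: privileged role without IAM Condition")
    return findings

def time_bound_binding(role, member, hours, now_iso=None):
    """Binding with a CEL condition that expires `hours` after now_iso (UTC, e.g. 2024-06-01T12:00:00Z)."""
    now = (datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
           if now_iso else datetime.now(timezone.utc))
    expiry = (now + timedelta(hours=hours)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "role": role,
        "members": [member],
        "condition": {"title": f"expires-{hours}h",
                      "description": "time-bound engineer access",
                      "expression": f'request.time < timestamp("{expiry}")'},
    }
```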

7. Customer-Managed Encryption Keys (CMEK) and Key Rotation

Google Cloud encrypts data at rest by default with Google-managed keys. For UK compliance requirements where firms need to demonstrate cryptographic control — particularly for FCA-supervised workloads handling client money or sensitive personal data — switch to CMEK via Cloud KMS. Configure automatic rotation (90-day default) and use Cloud HSM for keys protecting Tier 1 data. Critically, restrict the cloudkms.cryptoKeyEncrypterDecrypter role tightly — possession of that role is equivalent to possession of the data.

How Pyralink Helps

Pyralink Innovation Ltd, led by Michael Adedeji (CISM, CISA, CC, MSc Data Science), supports UK financial services firms with GCP hardening, ISO 27001 implementation, and ongoing compliance programme management. Our CloudAuditX platform scans GCP, AWS, and Azure environments against CIS Benchmarks and sur
