Understanding Firebase and GCP Compliance certifications (SOC, HIPAA, etc)

David DeRemer

Feb 19, 2019, 8:55:36 AM
to Firebase Google Group
There are a number of threads here about HIPAA and SOC and other compliances relative to Firebase and GCP, but I cannot find an answer to the specific details I’m looking for. Please forgive me if this is redundant.

I understand that “Firebase” is not currently listed on any of the approved product lists. I know that to be HIPAA compliant you must get a BAA with GCP, and Firebase is not available for that (as of now).

What I don’t understand is the relationship between Firebase products that also are available on GCP and ARE listed as covered products when under the GCP umbrella.

For instance, on the list of covered products for HIPAA are: Cloud Firestore, Cloud Storage, Cloud Functions, etc. https://cloud.google.com/security/compliance/hipaa/

How does this relate to Firebase? If we use these products under the Firebase umbrella (i.e., use the Firebase console, SDKs, Firebase Functions vs Cloud Functions, etc.), would they not be coverable under a BAA?

In other words, is it correct that to use these tools AND be able to get a BAA we would have to set them up and manage them through the GCP console and then use the GCP libraries and SDKs, instead of the Firebase console and Firebase SDKs?

If I were to set up a bucket on Cloud Storage via the Firebase console, would this be outside of the HIPAA coverage?

What’s confusing is that my Firebase project, IAM, storage buckets, etc. are all available on GCP console as a normal project.

Obviously the safest course of action would be to not use Firebase at all, but there are a wide array of features in the platform that would be useful to use for aspects unrelated to sensitive data / PII / PHI / etc.

Thanks in advance for any insight on this topic.

Kato Richardson

Feb 19, 2019, 1:48:23 PM
to Firebase Google Group
Hi David,

The best resource on Firebase compliance is https://firebase.google.com/support/privacy/

Firebase products that are also Cloud products are covered under the Cloud ToS and data processing terms. So yes, if Cloud says it's compliant then it's compliant. Using them via Firebase SDKs or accessing the projects via Firebase console doesn't change that.

Do keep in mind that you might need to opt out of some services as explained in the privacy link above. Also keep in mind that some products have caveats around region availability when used through Firebase. For example, Cloud Functions are available in multiple regions but can only be located in central U.S. for functions integrated through Hosting endpoints. So there are a few tricky bits, depending on what your Venn diagram of products to compliances looks like.

☼, Kato


--

Kato Richardson | Developer Programs Eng | kato...@google.com | 775-235-8398

David DeRemer

Feb 19, 2019, 5:25:15 PM
to Firebase Google Group
Hi Kato,

Thank you for the response! This is exactly the clarity I was hoping to get. As usual you are 🔥

This was very confusing for me, and many of the other posts on similar threads didn't give me the confidence to consider using any of the Firebase tools in a HIPAA (or other certification-specific) application.

But, your response is what I was hoping for. Thank you for taking the time.

Joe B.

Feb 22, 2019, 10:46:04 AM
to Firebase Google Group

But how can you sign a BAA with Google as a self-employed developer without having an account manager?
