by jeffbee 1385 days ago
They publish a bunch of whitepapers on this stuff, including how storage encryption keys are unwrapped on behalf of services:

https://cloud.google.com/docs/security/encryption/default-en...

How services authenticate each other:

https://cloud.google.com/docs/security/encryption-in-transit...

And how insider risk is mitigated by monitoring the provenance of production software:

https://cloud.google.com/docs/security/binary-authorization-...

1 comments

The insider risk stuff always was really cool to me and, IMO, represents ways that the big tech companies do way more than everybody else in this space. BCID can be a huge pain in the ass but being able to say "hey, it actually would be pretty tricky for a single disgruntled employee to execute code to steal user data" is quite powerful.