Classical enterprise cloud security is built on a defense-in-depth strategy. Large institutions (like banks, healthcare systems, and governments) assume that a single line of defense will fail. Therefore, they layer security across different vectors: Identity, Network, Data, and Geography.

The four pillars you mentioned represent these layers. Here is how they work and how they interconnect to form a hardened corporate security posture.


1. IAM (Identity & Access Management): The "Who"

IAM is the foundational gatekeeper. It determines who (identity) has what access (role) to which resource.

Modern enterprise IAM relies on the Principle of Least Privilege and uses three core concepts:

The Enterprise Reality: IAM handles authorization, but it has a blind spot. If an employee with legitimate credentials goes rogue (or their credentials are stolen), IAM alone will not stop them from downloading the entire corporate database from a public coffee shop, because the request carries valid credentials and IAM does not consider where it came from. That is why you need the next layer.


2. VPC-SC (VPC Service Controls): The "Where" (Network)

VPC Service Controls (a term popularized by Google Cloud, roughly equivalent to service perimeters and private endpoints in AWS/Azure) adds a second control at the network layer, on top of identity.

Normally, cloud managed services (like BigQuery, S3, or Vertex AI) sit on public API endpoints. Even if you secure them with IAM, those endpoints are technically reachable from anywhere on the internet.

VPC-SC draws a service perimeter around your data projects: API calls to the restricted services from outside that perimeter are denied even when the caller presents valid credentials that IAM would otherwise accept.

https://docs.cloud.google.com/vpc-service-controls/docs/overview
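As an added illustration (not part of the original answer), here is what such a perimeter looks like in Terraform: an access policy, an access level limited to corporate egress ranges, and a perimeter that restricts BigQuery and Cloud Storage for one project. `ORG_ID` and `PROJECT_NUMBER` are placeholders, and the CIDR ranges are constructed sample values.

```hcl
# Access policy at the organization scope (ORG_ID is a placeholder).
resource "google_access_context_manager_access_policy" "corp" {
  parent = "organizations/ORG_ID"
  title  = "corp-access-policy"
}

# Access level: only requests originating from the corporate egress ranges
# qualify. The CIDRs below are constructed sample values.
resource "google_access_context_manager_access_level" "corp_network" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.corp.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.corp.name}/accessLevels/corp_network"
  title  = "corp_network"
  basic {
    conditions {
      ip_subnetworks = ["203.0.113.0/24", "198.51.100.0/24"]
    }
  }
}

# Service perimeter around the data project (PROJECT_NUMBER is a placeholder).
# BigQuery and Cloud Storage calls against this project are denied unless the
# caller is inside the perimeter or satisfies the corp_network access level,
# regardless of whether IAM would otherwise grant the call.
resource "google_access_context_manager_service_perimeter" "data" {
  parent         = "accessPolicies/${google_access_context_manager_access_policy.corp.name}"
  name           = "accessPolicies/${google_access_context_manager_access_policy.corp.name}/servicePerimeters/data_perimeter"
  title          = "data_perimeter"
  perimeter_type = "PERIMETER_TYPE_REGULAR"
  status {
    resources           = ["projects/PROJECT_NUMBER"]
    restricted_services = ["bigquery.googleapis.com", "storage.googleapis.com"]
    access_levels       = [google_access_context_manager_access_level.corp_network.name]
    # Also limit what workloads inside the perimeter can reach, so a compromised
    # VM cannot push data to an unrestricted Google API outside the perimeter.
    vpc_accessible_services {
      enable_restriction = true
      allowed_services   = ["RESTRICTED-SERVICES"]
    }
  }
}
```

With this in place, the coffee-shop scenario from the IAM section fails at the perimeter: the credentials are valid, but the source IP matches no access level, so the API returns a VPC Service Controls denial that shows up in the project's audit logs.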


3. CMEK (Customer-Managed Encryption Keys): The "Kill Switch"