Manage compliance obligations

This document in the Google Cloud Architecture Framework provides best practices for managing compliance obligations.

Your cloud regulatory requirements depend on a combination of factors, including the following:

• The laws and regulations that apply your organization's physical locations.
• The laws and regulations that apply to your customers' physical locations.
• Your industry's regulatory requirements.

These requirements shape many of the decisions that you need to make about which security controls to enable for your workloads in Google Cloud.

A typical compliance journey goes through three stages: assessment, gap remediation, and continual monitoring. This section addresses the best practices that you can use during each stage.

Assess your compliance needs

Compliance assessment starts with a thorough review of all of your regulatory obligations and how your business is implementing them. To help you with your assessment of Google Cloud services, use the Compliance resource center. This site provides you with details on the following:

• Service support for various regulations
• Google Cloud certifications and attestations

You can ask for an engagement with a Google compliance specialist to better understand the compliance lifecycle at Google and how your requirements can be met.

For more information, see Assuring compliance in the cloud (PDF).

Deploy Assured Workloads

Assured Workloads is the Google Cloud tool that builds on the controls within Google Cloud to help you meet your compliance obligations. Assured Workloads lets you do the following:

• Select your compliance regime. The tool then automatically sets the baseline personnel access controls.
• Set the location for your data using organization policies so that your data at rest and your resources remain only in that region.
• Select the key management option (such as the key rotation period) that best fits your security and compliance requirements.
• For certain regulatory requirements such as FedRAMP Moderate, select the criteria for access by Google support personnel (for example, whether they have completed appropriate background checks).
• Ensure that Google-managed encryption keys are FIPS-140-2 compliant and support FedRAMP Moderate compliance. For an added layer of control and separation of duties, you can use customer-managed encryption keys (CMEK). For more information about keys, see Encrypt your data.

Review blueprints for templates and best practices that apply to your compliance regime

Google has published blueprints and solutions guides that describe best practices and that provide Terraform modules to let you roll out an environment that helps you achieve compliance. The following table lists a selection of blueprints that address security and alignment with compliance requirements.

Standard	Description
PCI	Security blueprint: PCI on GKE PCI Data Security Standard compliance Limiting scope of compliance for PCI environments in Google Cloud PCI DSS compliance on GKE
FedRAMP	Google Cloud FedRAMP implementation guide (PDF) Setting up a FedRAMP Aligned Three-Tier Workload on Google Cloud
HIPAA	Protecting healthcare data on Google Cloud (PDF) Setting up a HIPAA aligned workload using Data Protection Toolkit (PDF)

Monitor your compliance

Most regulations require you to monitor particular activities, including access controls. To help with your monitoring, you can use the following:

• Access Transparency, which provides near real-time logs when Google Cloud admins access your content.
• Firewall Rules Logging to record TCP and UDP connections inside a VPC network for any rules that you create yourself. These logs can be useful for auditing network access or for providing early warning that the network is being used in an unapproved manner.
• VPC Flow Logs to record network traffic flows that are sent or received by VM instances.
• Security Command Center Premium to monitor for compliance with various standards.
• OSSEC (or another open source tool) to log the activity of individuals who have admin access to your environment.
• Key Access Justifications to view the reasons for a key access request.

Automate your compliance

To help you remain in compliance with changing regulations, determine if there are ways that you can automate your security policies by incorporating them into your infrastructure as code deployments. For example, consider the following:

• Use security blueprints to build your security policies into your infrastructure deployments.

• Configure Security Command Center to alert when non-compliance issues occur. For example, monitor for issues such as users disabling two-step verification or over-privileged service accounts. For more information, see Setting up finding notifications.

• Set up automatic remediation to particular notifications. For more information, see Cloud Functions code.

Fore more information about compliance automation, see the Risk and Compliance as Code (RCaC) solution.

What's next

Learn more about compliance with the following resources:

• Implement data residency and sovereignty requirements (next document in this series)
• Compliance Resource Center
• Google security whitepaper (PDF)
• Assured Workloads