Overview of Assured Workloads
This topic provides information about Assured Workloads.
What is Assured Workloads?
Assured Workloads provides Google Cloud customers with the ability to apply security controls to an environment, in support of compliance requirements, without compromising the quality of their cloud experience.
When to use Assured Workloads
You use Assured Workloads to achieve compliance-based outcomes on Google Cloud, using the following security controls to support your requirements:
Data residency: Ensures Google Cloud customer data is stored in a customer-selected Google Cloud region. If a customer's developer attempts to store data at rest in a region outside of the selection, the action will be blocked.
Learn more about Data residency.
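The residency control described above is enforced by Google Cloud at write time. As a complementary defender-side check, the following added example (not Google's code and not part of this page) audits a constructed resource inventory against a customer-selected set of regions. It assumes location strings in the form gcloud reports them: regions such as `us-central1`, zones such as `us-central1-a`, and Cloud Storage multi- or dual-region names such as `US` or `EU`. Zones are folded into their region; a multi-region is flagged unless it has been explicitly accepted, because its replication footprint is not a single region. The inventory, resource names and allowed set are all constructed for illustration.

```python
"""Offline data-residency audit (added example, not Assured Workloads code).

Assumptions (labelled here and in comments below):
  * location strings follow gcloud conventions (regions, zones, multi-regions);
  * the inventory and the allowed-region set are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple

# Lower-case region ("us-central1") optionally followed by a zone suffix ("-a").
# Multi-/dual-region names ("US", "EU", "NAM4") contain no hyphen and do not match.
_ZONE_OR_REGION = re.compile(r"^([a-z]+-[a-z]+\d+)(-[a-z])?$")


@dataclass(frozen=True)
class Resource:
    kind: str      # e.g. "bucket", "disk", "snapshot", "bq-dataset"
    name: str
    location: str  # as reported by the provider


@dataclass(frozen=True)
class Violation:
    resource: Resource
    reason: str


def normalize_location(location: str) -> Tuple[str, str]:
    """Classify a location string.

    Returns ("region", "<region>") for regions and zones (zone suffix removed),
    or ("multi", "<NAME>") for multi-/dual-region names.
    """
    match = _ZONE_OR_REGION.match(location.lower())
    if match:
        return "region", match.group(1)
    return "multi", location.upper()


def audit_residency(
    inventory: Iterable[Resource],
    allowed_regions: FrozenSet[str],
    allowed_multi_regions: FrozenSet[str] = frozenset(),
) -> List[Violation]:
    """Return every resource whose data at rest may live outside the allowed regions."""
    violations: List[Violation] = []
    for res in inventory:
        kind, loc = normalize_location(res.location)
        if kind == "region":
            if loc not in allowed_regions:
                violations.append(Violation(res, f"region {loc} is not in the allowed set"))
        else:
            # A multi-region replicates across several regions; accept it only
            # when the customer has explicitly approved that name.
            if loc not in allowed_multi_regions:
                violations.append(
                    Violation(res, f"multi-region {loc} may place data outside the allowed regions")
                )
    return violations


# Constructed sample inventory and policy (illustrative values only).
SAMPLE_INVENTORY = [
    Resource("bucket", "acme-logs", "us-central1"),
    Resource("disk", "web-01-boot", "us-central1-a"),
    Resource("snapshot", "web-01-snap", "US"),
    Resource("bucket", "acme-backups", "EU"),
    Resource("bq-dataset", "analytics", "europe-west1"),
]
SAMPLE_ALLOWED_REGIONS = frozenset({"us-central1", "us-east1"})


def run_sample_audit() -> List[Violation]:
    """Audit the constructed inventory; used by the stand-alone report below."""
    return audit_residency(SAMPLE_INVENTORY, SAMPLE_ALLOWED_REGIONS)


if __name__ == "__main__":
    for v in run_sample_audit():
        print(f"{v.resource.kind:<10} {v.resource.name:<14} {v.resource.location:<14} {v.reason}")
```

In practice the inventory would come from an asset export rather than a hard-coded list; the audit logic itself is unchanged, and keeping the allowed set as explicit region names avoids guessing at which regions a multi-region name expands to.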
Data sovereignty: Ensures Google Cloud customers have mechanisms to exercise independent control over service provider's access to their data, approving access only for specific provider behaviors that are deemed appropriate and necessary by the customer.
The Assured Workloads control EU Regions and Support with Sovereignty Controls is a key component of data sovereignty. See Restrictions and limitations in EU Regions and Support with Sovereignty Controls for more information about which controls help to provide data sovereignty for users in this environment.
Personnel data access controls based on attributes: Ensures that only Google personnel who are able to satisfy certain physical location and background check requirements are able to access Google Cloud customer data when fulfilling support obligations. For example, Impact Level 4 (IL4) requires that anyone accessing data be a US Person who has completed an ADP-1 Single Scope Background Investigation (SSBI).
Learn more about Personnel data access controls based on attributes.
Personnel support case ownership controls based on attributes: Ensures that only Google support personnel who satisfy certain requirements are able to provide support to Assured Workloads customers.
Learn more about Personnel support case ownership controls based on attributes.
Encryption: Google-managed encryption keys, provided by default, are FIPS 140-2 compliant and support FedRAMP Moderate compliance. Customer-managed encryption keys (CMEK) represent an added layer of control and separation of duties. For example, IL4 requires FIPS 140-2 validated modules.
Learn more about Supporting compliance with key management.
When not to use Assured Workloads
How to use Assured Workloads
You are required to create an organization prior to using Assured Workloads.
After you create an organization, use the Create function in the compliance section of the Google Cloud console or the Assured Workloads API.
- Supporting compliance with key management
- Learn how to create a new folder for the Assured Workloads environment
Create a project in the Assured Workloads environment that supports your compliance regime, as follows:
- Learn how to encrypt Cloud Storage using CMEK
- Learn how to encrypt Persistent Disk using CMEK
- Learn how to encrypt Compute Engine snapshots using CMEK
- Learn how to encrypt BigQuery using CMEK