This topic provides information about Assured Workloads.
What is Assured Workloads?
Assured Workloads provides Google Cloud customers with the ability to apply security controls to an environment, in support of compliance requirements, without compromising the quality of their cloud experience.
When to use Assured Workloads
You use Assured Workloads to achieve compliance-based outcomes on Google Cloud, using the following security controls to support your requirements:
Data Residency: Ensures customer data is stored in a customer-selected Google Cloud region. If a customer's developer attempts to store data at rest in a region outside of the selection, the action will be blocked.
Learn more about Data residency.
Personnel data access controls based on attributes: Ensures that only Google personnel who satisfy certain physical location and background check requirements are able to access customer data when fulfilling support obligations. For example, Impact Level 4 (IL4) (Preview) requires that anyone accessing data be a US Person who has completed an ADP-1 Single Scope Background Investigation (SSBI).
Learn more about Personnel data access controls based on attributes.
Personnel support case ownership controls based on attributes: Ensures that only Google support personnel who satisfy certain requirements are able to provide support to Assured Workloads customers.
Learn more about Personnel support case ownership controls based on attributes.
Encryption: Google-managed encryption keys, provided by default, are FIPS 140-2 compliant and support FedRAMP Moderate compliance. Customer-managed encryption keys (CMEK) represent an added layer of control and separation of duties. For example, IL4 (Preview) requires FIPS 140-2 validated modules.
Learn more about Supporting compliance with key management.
When not to use Assured Workloads
How to use Assured Workloads
You are required to create an organization prior to using Assured Workloads.
After you create an organization, you must create a folder and complete the Assured Workloads environment folder registration form. After you receive an email confirmation for registering the folder, you can start creating workload environments inside the registered folder, using either the Assured Workloads create function in the compliance section of the Cloud Console or the Assured Workloads API.
- Supporting compliance with key management
- Learn how to create a new folder for the Assured Workloads environment
Create a project in the Assured Workloads environment that supports your compliance regime, as follows:
- Learn how to encrypt Cloud Storage using CMEK
- Learn how to encrypt Persistent Disk using CMEK
- Learn how to encrypt BigQuery using CMEK