Overview of Assured Workloads

This page provides information about Assured Workloads.

What is Assured Workloads?

Assured Workloads provides Google Cloud users with the ability to apply security controls to a folder in support of compliance requirements.

When to use Assured Workloads

You can use Assured Workloads to achieve compliance-based outcomes on Google Cloud, using the following security controls to support your requirements:

  • Data residency: Ensures Google Cloud customer data is stored in a customer-selected Google Cloud region. If a customer's developer attempts to store data at rest in a region outside of the selection, the action will be blocked.

    Learn more about Data residency.

  • Data sovereignty: Ensures Google Cloud customers have mechanisms to exercise independent control over service provider's access to their data, approving access only for specific provider behaviors that are deemed appropriate and necessary by the customer.

    The EU Regions and Support with Sovereignty Controls compliance program is a key component of data sovereignty. See Restrictions and limitations in EU Regions and Support with Sovereignty Controls for more information.

  • Personnel data access controls based on attributes: Ensures that only Google personnel who are able to satisfy certain physical location and background check requirements are able to access Google Cloud customer data when fulfilling support obligations. For example, Impact Level 4 (IL4) requires anyone accessing data be a US Person who has completed an ADP-1 Single Scope Background Investigation (SSBI).

    Learn more about Personnel data access controls based on attributes.

  • Personnel support case ownership controls based on attributes: Ensures that only Google support personnel who satisfy certain requirements are able to provide support to Assured Workloads customers.

    Learn more about Personnel support case ownership controls based on attributes.

  • Encryption: Google-managed encryption keys, provided by default, are FIPS-140-2 compliant and support FedRAMP Moderate compliance. Customer-managed encryption keys (CMEK) represent an added layer of control and separation of duties. For example, IL4 requires FIPS 140-2 validated modules.

    Learn more about Supporting compliance with key management.

When not to use Assured Workloads

How to use Assured Workloads

You are required to create an organization prior to using Assured Workloads.

After you create an organization, create an Assured Workloads folder to start using Assured Workloads.

What's next