Key concepts

This page provides information about the components of Assured Workloads.

Assured Workloads lets you apply security controls to Google Cloud in support of compliance requirements without compromising the quality of your cloud experience.

Assured Workloads environment

An Assured Workloads environment supports compliance for regulated data by managing one or more Google Cloud folders, depending on your regulatory requirement. The environment can comprise one or more resource folders for the Google Cloud services you use, and a customer-managed encryption key (CMEK) project for your CMEK keys if your regulatory compliance program requires them. For example, if your compliance program is Impact Level 4 (IL4) or CJIS, Assured Workloads automatically creates both a resource and CMEK project.

You create an Assured Workloads folder during the setup process.

To support the requirements of the compliance program you choose, these folders are created with a specified regulated data type, personnel controls, and data location, which are packaged into preconfigured compliance programs.

Assured Workloads environment folders

An Assured Workloads environment folder is a folder registered to hold one or more Assured Workloads environments containing regulated data. Registering the environment folder with Google Cloud enables security controls that support compliance. This folder provides a regulatory boundary within an organization to identify regulated data types. Each data type is specified when creating an Assured Workloads environment and provides security controls based on customer selections to support compliance.

Assured Workloads resources folder

When you create an Assured Workloads environment, Assured Workloads automatically creates a resources folder that contains your child Google Cloud resources. These resources are in-scope products and services that support your compliance program. Security controls are mapped to the Assured Workloads environment, and those controls are inherited by any other resources created within the resources folder. These controls restrict the resources so that only Google Cloud personnel who meet the compliance requirements of the environment can access the resource. These controls can also prevent resources from being deployed outside of compliant regions.

Assured Workloads key management project

Depending on the compliance program you select, Assured Workloads can also create a key-management project to store your CMEK keys. Having one project for keys and another for resources establishes separation of duties between security administrators and developers.
