Overview of Assured Workloads

This page provides information about Assured Workloads.

What is Assured Workloads?

Assured Workloads provides Google Cloud users with the ability to apply controls to a folder in support of regulatory, regional, or sovereign requirements.

When to use Assured Workloads

You can use Assured Workloads to achieve compliance-based outcomes on Google Cloud, using the following controls to support your requirements:

  • Data residency: Ensures Google Cloud customer data is stored in a customer-selected Google Cloud region. If a customer's developer attempts to store data at rest in a region outside of the selection, the action will be blocked.

    Learn more about Data residency.

  • Data sovereignty: Ensures Google Cloud customers have mechanisms to exercise independent control over the service provider's access to their data, approving access only for specific provider behaviors that the customer deems appropriate and necessary.

    The Sovereign Controls for EU control package is a key component of data sovereignty. See Restrictions and limitations in Sovereign Controls for EU for more information.

  • Personnel data access controls based on attributes: Ensures that only Google personnel who satisfy certain physical location and background check requirements can access Google Cloud customer data when fulfilling support obligations. For example, Impact Level 4 (IL4) requires that anyone accessing data be a US Person who has completed an ADP-1 Single Scope Background Investigation (SSBI).

    Learn more about Personnel data access controls based on attributes.

  • Personnel support case ownership controls based on attributes: Ensures that only Google support personnel who satisfy certain requirements are able to provide support to Assured Workloads customers.

    Learn more about Personnel support case ownership controls based on attributes.

  • Encryption: Google-owned and Google-managed encryption keys, provided by default, are FIPS 140-2 compliant and support FedRAMP Moderate compliance. Customer-managed encryption keys (CMEK) represent an added layer of control and separation of duties. For example, IL4 requires FIPS 140-2 validated modules.

    Learn more about Supporting compliance with key management.

When not to use Assured Workloads

How to use Assured Workloads

You must create an organization before you can use Assured Workloads.

After you create an organization, create an Assured Workloads folder to start using Assured Workloads.
