How to set compliance controls for your Google Cloud Organization
Luis Urena
Developer Relations Engineer
Anil Nandigam
Product Marketing Lead, Google Cloud Security
Assured Workloads is a modern cloud solution that allows companies to more easily run regulated workloads in many of Google Cloud’s global regions. Assured Workloads can help you ensure comprehensive data protection and regulatory compliance across your Google Cloud Organization. It allows you to apply specific security and compliance controls to a folder in support of your compliance requirements. Assured Workloads supports many compliance programs to create regulated boundaries in Google Cloud.
Assured Workloads in action
Many companies have requirements to meet multiple global compliance standards. For example, if your company must adhere to compliance requirements in more than one geographic region, such as FedRAMP High in the U.S. and General Data Protection Regulation (GDPR) in the European Union, Assured Workloads can help you to easily create regulatory boundaries using a folder structure that meets your needs.
As a best practice, we recommend placing data subject to FedRAMP High requirements in one Assured Workloads folder, and processing data subject to GDPR in a separate EU Regions and Support folder. Each folder serves as a logical boundary that keeps its own compliance controls in force, while you retain visibility into all of your data from a single Google Cloud Organization.
Assured Workloads folders supporting EU Regions and FedRAMP High
In some cases, you may want compliance controls to apply to the entire Organization, not just a single folder. Suppose your Google Cloud Organization is designed to process only data subject to FedRAMP High requirements and doesn't need to adhere to any other compliance regime. Instead of creating a FedRAMP High Assured Workloads environment for each of your folders, we recommend creating a single Assured Workloads environment at the top of the Organization and treating it as the parent node in your Resource Hierarchy.
Assured Workloads at Organization level
By treating the Assured Workloads folder as the parent node, you enforce a compliance boundary that applies to the entire Organization: every folder and project created under it inherits the organization policies and controls that Assured Workloads enforces. That inheritance is only as strong as the IAM around it: anyone holding the Organization Policy Administrator role on a descendant folder or project can set a more permissive policy there, so grant that role sparingly below the boundary and treat the resulting findings in Assured Workloads Monitoring as violations to fix, not noise.
Assured Workloads can also help address compliance requirements for existing Organizations that are already running production workloads in Google Cloud: you can move your existing folders and projects into the Assured Workloads folder. Before moving anything into an Assured Workloads folder, we recommend performing a move analysis to uncover non-compliant resources. With the analyzeWorkloadMove API, you compare a project's current configuration to the compliance state of the target folder and learn whether the project is:
- Processing data in locations that would be deemed non-compliant in your Assured Workloads folder;
- Relying on non-compliant services and features; and
- Subject to Organization Policies that contradict, or are otherwise incompatible with, the policies enforced in your Assured Workloads folder.
You can take the findings reported by the analyzeWorkloadMove API and resolve the resource violations up front, so that each resource complies with your requirements before it crosses the boundary. Because configurations drift, re-run the analysis after making changes and only move the projects into your Assured Workloads folder once it reports no blockers. From then on, rely on Assured Workloads Monitoring for alerts and updates.
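The following script shows how that pre-move check can be automated as a gate: it calls analyzeWorkloadMove for one project, follows pagination, sorts the findings into blockers and warnings per asset and analysis group, and exits non-zero if any blocker remains, so a pipeline step that runs it can refuse to proceed to the actual move. This is an added example, not code from the original post or from the Assured Workloads product. The endpoint path, the `project` and `pageToken` query parameters, and the response shape (`assetMoveAnalyses[].analysisGroups[].analysisResult.{blockers,warnings}[].detail`) follow the v1 REST API as the editor understands it and should be verified against the current API reference; the organization, location, workload and project identifiers are placeholders, and the sample response at the bottom is constructed for illustration only.

```python
"""Pre-move gate for an Assured Workloads folder: run analyzeWorkloadMove, fail on blockers.

Added example, not from the original post or from the Assured Workloads product.
ASSUMPTION: endpoint path, query parameters and response field names mirror the
v1 REST API (organizations.locations.workloads.analyzeWorkloadMove); confirm them
against the current API reference before relying on this in a pipeline.
"""
import json
import subprocess
import sys
import urllib.parse
import urllib.request


def analyze_url(org_id, location, workload_id, project_id, page_token=None,
                endpoint="assuredworkloads.googleapis.com"):
    """Build the GET URL for analysing a project move into the given workload (folder)."""
    path = (f"https://{endpoint}/v1/organizations/{org_id}/locations/{location}"
            f"/workloads/{workload_id}:analyzeWorkloadMove")
    params = {"project": f"projects/{project_id}"}
    if page_token:
        params["pageToken"] = page_token  # ASSUMPTION: v1 pagination parameter name
    return path + "?" + urllib.parse.urlencode(params, safe="/")


def triage(response):
    """Flatten an analyzeWorkloadMove response into (blockers, warnings).

    Each entry is an (asset, analysis group, detail) tuple. A group that could not
    be analysed (an `error` instead of an `analysisResult`) is treated as blocking,
    because an unknown state must not be allowed through the compliance boundary.
    """
    blockers, warnings = [], []
    for analysis in response.get("assetMoveAnalyses", []):
        asset = analysis.get("asset", "<unknown asset>")
        for group in analysis.get("analysisGroups", []):
            name = group.get("displayName", "<unnamed group>")
            if "error" in group:
                msg = group["error"].get("message", "analysis failed")
                blockers.append((asset, name, f"analysis error: {msg}"))
                continue
            result = group.get("analysisResult", {})
            blockers += [(asset, name, b.get("detail", "")) for b in result.get("blockers", [])]
            warnings += [(asset, name, w.get("detail", "")) for w in result.get("warnings", [])]
    return blockers, warnings


def gcloud_access_token():
    """Borrow the caller's gcloud credentials; the identity needs read access to the workload."""
    return subprocess.check_output(["gcloud", "auth", "print-access-token"], text=True).strip()


def fetch_all(org_id, location, workload_id, project_id, token):
    """Follow nextPageToken until every asset analysis has been collected."""
    merged = {"assetMoveAnalyses": []}
    page_token = None
    while True:
        req = urllib.request.Request(
            analyze_url(org_id, location, workload_id, project_id, page_token),
            headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        merged["assetMoveAnalyses"] += page.get("assetMoveAnalyses", [])
        page_token = page.get("nextPageToken")
        if not page_token:
            return merged


# Constructed sample response for illustration (not real API output). The three groups
# correspond to the three kinds of finding described in the post: data location,
# restricted services, and conflicting organization policies.
SAMPLE_RESPONSE = {
    "assetMoveAnalyses": [{
        "asset": "//cloudresourcemanager.googleapis.com/projects/example-proj",
        "assetType": "cloudresourcemanager.googleapis.com/Project",
        "analysisGroups": [
            {"displayName": "Resource locations",
             "analysisResult": {"blockers": [
                 {"detail": "Compute Engine instance in europe-west1 is outside the allowed locations"}]}},
            {"displayName": "Restricted services",
             "analysisResult": {"warnings": [
                 {"detail": "vision.googleapis.com is enabled but is not in scope for this workload"}]}},
            {"displayName": "Org policies",
             "analysisResult": {"blockers": [
                 {"detail": "project-level constraints/gcp.resourceLocations conflicts with the folder policy"}]}},
        ],
    }],
}


if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit(f"usage: {sys.argv[0]} ORG_ID LOCATION WORKLOAD_ID PROJECT_ID")
    org, loc, wl, proj = sys.argv[1:]
    blockers, warnings = triage(fetch_all(org, loc, wl, proj, gcloud_access_token()))
    for kind, items in (("WARNING", warnings), ("BLOCKER", blockers)):
        for asset, group, detail in items:
            print(f"{kind} [{group}] {asset}: {detail}")
    sys.exit(1 if blockers else 0)  # non-zero stops a pipeline before the move is attempted
```

Run it once per project you intend to move; only when it exits 0 should the pipeline continue to `gcloud projects move PROJECT_ID --folder=FOLDER_ID`. Warnings are printed but do not fail the gate, so review them by hand: a service that is merely out of scope today may still matter for your compliance program.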
Learn more and get started with Assured Workloads
Google Cloud customers can get started with a free trial of Assured Workloads. You can check out how Assured Workloads helped Iron Mountain’s InSight product achieve and maintain compliance with government standards. And we encourage you to learn more by reviewing these resources: