Strengthening our European data sovereignty offerings with Assured Workloads for EU
Bryce Buffaloe
Senior Product Manager, CJIS Security Lead
European organizations, both public and private, are migrating their operations and data to the cloud in increasing numbers. In doing so, they need confidence that they can meet their specific requirements for security, privacy, and digital sovereignty. Key requirements include the ability to store data within a European geographic region, to ensure that support is provided by EU personnel, and to control administrative access to their customer data and to the encryption keys used to protect that data.
To help meet these needs for customers using Google Cloud Platform, we are pleased to announce the general availability of Assured Workloads for EU. As covered in detail in our introductory blog post, this product allows GCP customers to create and maintain workloads with:
Data residency in their choice of EU Google Cloud regions
Personnel access and customer support restricted to EU persons located in the EU
Cryptographic control over data access, including customer managed encryption keys
Let’s look at how to configure a cloud workload with these controls using the Google Cloud Console:
Configuring Assured Workloads for EU
Assured Workloads functions at the folder level of an organization, allowing specific controls to be applied to, and enforced selectively for, cloud workloads with sovereignty requirements. The first step in creating an Assured Workloads folder is to choose where data will be stored.
Selecting the European Union option provides access to two different types of Assured Workloads controls:
EU Regions and Support: This option, now in General Availability, allows customers to restrict storage of their data to the EU, in addition to restricting support and access to EU persons.
EU Regions and Support with sovereignty controls: This option, now in Public Preview, builds on the capabilities of EU Regions and Support, and provides additional levels of sovereign control by encrypting customer data with externally stored and managed keys from Cloud External Key Manager (EKM) and signing Access Approval requests with those same external keys.
Signed Access Approval is a new feature that adds a layer of assurance for actions authorized through Access Approval, a platform control which requires explicit customer consent before administrative access to customer data or configurations is permitted. It signs approvals you grant via Access Approval with an external key from your External Key Manager, helping to verify that an access request was approved by an outside party. Signed Access Approval is currently available for customer configurations that use Thales external key management systems and is coming soon to other external key management systems that integrate with EKM.
Customers can apply either option for Assured Workloads for EU at the folder level, allowing flexibility to selectively run workloads using EU Regions and Support, and applying the additional cryptographic controls to workloads that require a higher level of data sovereignty. In either case, Assured Workloads configures and enforces the chosen controls automatically.
Customer choices for digital sovereignty
Assured Workloads for EU is the latest in a series of offerings from Google Cloud that deliver what we call Software Defined Community Clouds — cloud infrastructure provisioned for exclusive use by a specific set of organizations with controls tailored to their specific jurisdictional needs. Assured Workloads includes offerings for customer groups in the United States, Canada (in Preview), and now in the European Union, while continuing to expand to other regions around the world.
Customers may have additional operational sovereignty needs focused on the independent operation and verification of these controls. This is why, as part of our ‘Cloud. On Europe’s Terms.’ initiative, we’ve announced sovereign cloud solutions powered by Google Cloud to be offered through trusted partners like T-Systems in Germany, Thales in France, and Minsait in Spain. For many organizations, however, the ability to meet data sovereignty requirements for specific workloads will be a meaningful step forward in their digital sovereignty journey.
Take the next step
Assured Workloads EU Regions and Support is now generally available for Google Compute Engine, Persistent Disk, BigQuery, Google Cloud Storage, and Cloud KMS (EKM), with EU Regions and Support with sovereignty controls now available in Preview for the same services. Read more about both offerings in our documentation. To learn more, please contact Google Cloud Sales.