What’s new in Assured Workloads: Region expansion, TLS version restrictions, new supported services
Collin Frierson
Product Manager, Google Cloud
To maximize the benefits of digital transformation, organizations need to be comfortable bringing sensitive and regulated workloads to the cloud. Assured Workloads is a modern cloud solution that allows our customers to run regulated workloads in many of Google Cloud's global regions.
Core to our strategy for Assured Workloads is to build security and compliance controls as software. Software allows us to scale globally and combine technologies to help our customers achieve specific compliance outcomes.
This approach has enabled us to make Assured Workloads available in more countries, and expand the list of available services across multiple compliance frameworks. As a result, Assured Workloads can help organizations more easily achieve and maintain compliance with relevant regimes around the world without refactoring. Here are several new features and services that are now generally available (GA) in Assured Workloads:
Assured Workloads in Australia (GA): Data residency and Australia region support.
Canada Protected B (GA): Data residency in Canada and support provided by personnel with reliability status.
New supported products and services (GA): Standardizing our list of supported products and services across global regions.
TLS version restrictions (GA): Helps with compliance requirements by denying requests to Google Cloud APIs made using older versions of TLS encryption.
Assured Workloads for Australia
Australia Regions and Assured Support is now generally available. This offering enforces data residency for customer data at rest in our two cloud regions in Australia (Sydney and Melbourne). It’s coupled with our new Assured Support service, which means that customer support will be provided from only five countries (United States, Australia, Canada, New Zealand, and the United Kingdom).
We are proud of the work we have done with to help ensure that Australia Regions and Assured Support meets the requirements of the Australian government’s Information Security Registered Assessors Program (IRAP) and the Hosting Certification Framework (HCF), which is administered by the Australian Government’s Digital Transformation Agency.
Canada Protected B
Google Cloud’s Protected B offerings available to Canadian government customers under Google Cloud’s Framework Agreement with Shared Services Canada are being formalized into an Assured Workloads program that is available in limited general availability. This offering will build on the work previously done for our Canadian regions program, layering in enhanced security, supported by personnel with appropriate security screening. To gain access to the limited GA, please request an Assured Workloads free trial, noting your interest in Protected B.
In addition to the Protected B Assured Workloads program, Google Cloud has also made the Protected B landing zone work available in GitHub with recommended platform capabilities and security settings to help customers build faster with compliance in mind from the start.
A standard list of supported Assured Workloads products across our global regions
Our vision for Assured Workloads is to enable customers to configure regulated workloads the same way even as they change or adopt new frameworks in different geographic regions (such as moving from U.S. regulatory programs to Australian regulatory programs). To support this vision, we need to support a consistent set of Google Cloud products in every region where Assured Workloads is available. We have launched one list of supported services in all regions where Assured Workloads and Support is available:
TLS version restrictions
One common regulatory requirement is to only use the modern versions of the TLS protocol. Usually, customers have to wait until their cloud provider deprecates particular TLS versions for all customers to be brought into compliance. We have built something special for our regulated customers who have this need, without having to impact all customers using Google Cloud who may have reasons to support older versions and for whom the risk of using older ciphers is acceptable.
TLS version restriction is an organization policy that allows customers to deny access to their cloud resources if the TLS version of the request fails to meet the policy requirements. If the authenticated user does not use an up-to-date version of TLS, we write a log entry to Cloud Logging indicating that a 403 was returned instead of data. This policy also helps follow the published guidance in NIST 800-52. Please try out this org policy and tell us what you think.
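As an added illustration (not part of the original post), a policy file for this control could look like the following. It assumes the constraint name `gcp.restrictTLSVersion` and the value names used in Google Cloud's Organization Policy documentation; `ORGANIZATION_ID` and the file name `tls-policy.yaml` are placeholders.

```yaml
# tls-policy.yaml (added example; placeholder file name)
# Denies requests to in-scope Google Cloud APIs that arrive over TLS 1.0 or 1.1.
# Replace ORGANIZATION_ID with your own numeric organization ID (placeholder).
# The same policy can be scoped lower by using folders/FOLDER_ID or
# projects/PROJECT_ID in the name instead of organizations/ORGANIZATION_ID.
name: organizations/ORGANIZATION_ID/policies/gcp.restrictTLSVersion
spec:
  rules:
  - values:
      deniedValues:
      - TLS_VERSION_1     # TLS 1.0
      - TLS_VERSION_1_1   # TLS 1.1
# Apply with:
#   gcloud org-policies set-policy tls-policy.yaml
# Before enforcing, check that older clients, SDKs, and appliances that call
# Google Cloud APIs can negotiate TLS 1.2 or later, since their requests will
# otherwise receive a 403 once the policy is in effect.
```

After the policy is applied, the denied requests described above appear in Cloud Logging, which makes it possible to identify callers that still need a TLS upgrade.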
How to get started
Google Cloud customers are invited to start a free trial of Assured Workloads to test these new controls and capabilities. To learn more about Assured Workloads, please review these resources: