What is Google Cloud Platform’s Assured Workloads?
Google Cloud Platform’s (GCP) Assured Workloads lets an organization apply control packages that support regulatory, compliance, or data residency requirements. An organization applies Assured Workloads to a new GCP folder and selects a specific control package to implement. That folder, and the projects and resources it contains, is then restricted to the GCP products and regions the control package approves, helping the organization meet those requirements. Assured Workloads also monitors resources and alerts when one becomes non-compliant, helping you maintain your regulated environment.
When Would You Use GCP Assured Workloads?
Organizations with specific compliance or regulatory requirements may be required to use only authorized or approved services. If your organization falls under one of these programs, then using Assured Workloads will ensure that only approved products can run. Furthermore, Assured Workloads can ensure that only approved Google personnel that meet the requirements of your relevant compliance program can access the necessary data as part of support activities.
As of the writing of this blog, Assured Workloads offers control packages for the following compliance programs:
- Criminal Justice Information Systems (CJIS)
- FedRAMP High
- FedRAMP Moderate
- HIPAA (Preview)
- HITRUST (Preview)
- Department of Defense (DOD) Impact Level (IL) 2
- DOD IL 4
- DOD IL 5
- International Traffic in Arms Regulations (ITAR)
Additionally, country-specific data residency requirements can be met using regional Assured Workloads. This ensures that data is stored in the approved region or country. Current Assured Workload regions include:
- Australia
- Brazil
- Canada
- Chile
- EU
- India
- Indonesia
- Israel
- Japan
- Singapore
- South Korea
- Saudi Arabia
- Switzerland (Preview)
- Taiwan
- UK
- US
Use Cases for Assured Workloads
Assured Workloads control packages will help you meet your regulatory burdens, along with supporting controls dependent on the use case. Below we will walk through two common use cases:
Residency Requirements
Organizations may be required to keep all data within a region or country by law. One way to ensure that data residency is met is to use Assured Workloads at the GCP folder level. All supported products in this folder will store data in only the approved regional GCP locations.
For example, if the “Australia Regions” control package were selected, then only the ~45 products that store data in GCP data centers physically located in Australia are available. When you run any of these services, you are assured that the data resides on Australian soil.
Compliance Requirements
Organizations may need to meet regulatory requirements in order to process certain types of data or to connect to government systems. Once again, Assured Workloads can be applied to a folder to ensure that only authorized or approved GCP products can be used within that folder.
For example, in order for the US government to purchase cloud services from a company, those services must be FedRAMP authorized. Companies seeking FedRAMP authorization are only allowed to use FedRAMP-authorized services within their product. A convenient way to ensure that only FedRAMP authorized GCP services are used is to create a folder with the “FedRAMP” control package assigned (either Moderate or High). This ensures that unauthorized GCP services cannot be run in the assured folder.
How Does Assured Workloads Work?
The following steps should be followed when implementing Assured Workloads in GCP:
- Analyze the pros and cons of using Assured Workloads. If this makes sense for your organization, move forward with the following steps.
- Design an architecture for your application(s) to ensure that they will run within the new Assured Workload folders you will have to create. (Assured Workloads cannot be applied to existing folders, though you can migrate existing projects under the Assured Workloads folder if the project and its resources don’t violate any of the controls.)
- Create an Assured Workload folder by following GCP’s instructions and choosing the Control Package that is required.
  - Note: This will automatically enable Access Transparency for your GCP organization.
- Create sub-folders or projects as detailed in your architecture.
- Deploy your application in the new project.
  - Note that some services may not be enabled by default, requiring enabling steps to be followed.
- Configure monitoring to ensure that notifications of Assured Workloads violations are seen and acted on.
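The architecture step above notes that an existing project can only move under an Assured Workloads folder if its resources do not violate the controls. The following pre-migration check is an added example, not code from the original post or from Google: it assumes an inventory shaped like `gcloud asset search-all-resources --format=json` output, and the allow-lists, resource names and `exampleservice.googleapis.com` are constructed for illustration.

```python
import json

# Constructed inventory in the shape of `gcloud asset search-all-resources
# --format=json` output (name, assetType, location). Not real resources.
SAMPLE_INVENTORY = json.loads("""
[
 {"name": "//storage.googleapis.com/au-records",
  "assetType": "storage.googleapis.com/Bucket", "location": "australia-southeast1"},
 {"name": "//compute.googleapis.com/projects/demo/zones/australia-southeast1-b/instances/web-1",
  "assetType": "compute.googleapis.com/Instance", "location": "australia-southeast1-b"},
 {"name": "//storage.googleapis.com/legacy-exports",
  "assetType": "storage.googleapis.com/Bucket", "location": "us"},
 {"name": "//exampleservice.googleapis.com/projects/demo/widgets/w1",
  "assetType": "exampleservice.googleapis.com/Widget", "location": "australia-southeast2"}
]
""")

# Assumed allow-lists for illustration only; take the real ones from the
# control package's supported-products and locations documentation.
AU_CONTROLS = {
    "locations": {"australia-southeast1", "australia-southeast2"},
    "services": {"storage.googleapis.com", "compute.googleapis.com"},
}

def location_allowed(location, allowed_regions):
    """True if location is an allowed region or a zone inside one."""
    loc = (location or "").lower()
    return any(loc == r or loc.startswith(r + "-") for r in allowed_regions)

def find_blockers(inventory, controls):
    """Map resource name -> reasons it would violate the folder's controls."""
    blockers = {}
    for asset in inventory:
        reasons = []
        service = asset.get("assetType", "").split("/", 1)[0]
        if service not in controls["services"]:
            reasons.append(f"service not in control package: {service}")
        if not location_allowed(asset.get("location"), controls["locations"]):
            reasons.append(f"location outside allowed regions: {asset.get('location')}")
        if reasons:
            blockers[asset["name"]] = reasons
    return blockers

if __name__ == "__main__":
    for name, reasons in find_blockers(SAMPLE_INVENTORY, AU_CONTROLS).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Resources with a missing or non-regional location are reported rather than assumed compliant, so they can be reviewed by hand before the move.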
Pros and Cons of Assured Workloads
Before implementing Assured Workloads, many factors should be examined to ensure this is the proper approach for your organization. Let’s examine the pros and cons of using this:
Pros
Advantages of using Assured Workloads:
- Ensures that only approved services are run in a folder.
- Ensures that data residency requirements are met in a folder.
- Pricing is free unless you require Assured Support (to ensure that all personnel that can access the data meet control requirements).
- Less complicated organization architecture if all regulated services and data reside in controls folders.
- Assured Workloads monitors organizational policy constraints and will notify of violations.
Cons
While there are many advantages to using Assured Workloads, there are disadvantages to consider:
- Many GCP products and services will not be available in an Assured Workload folder.
- Pricing with Assured Support requires the “Premium Tier” offering, which adds 20% to the costs of services used within that folder.
- Assured Workloads must be applied when the folder is created, which can make it harder to migrate existing applications into the new folder.
Conclusion
Assured Workloads offers many benefits to ensure that your regulated environments maintain their compliance posture. Prior to implementing Assured Workloads, you should perform a thorough examination of the pros and cons of this product. If your organization chooses to move forward with Assured Workloads, be sure to develop a solid architecture and monitoring approach before you begin deployment. If you want more information or would like assistance with implementing Assured Workloads, please feel free to reach out to our experts at ScaleSec.