Google Cloud Platform’s (GCP) Assured Workloads lets an organization apply control packages that support regulatory, compliance, or data residency requirements. An organization applies Assured Workloads to a new GCP folder and selects a specific control package to implement. That folder, and the projects and resources contained within it, are then restricted to the GCP products or regions approved by the control package, helping the organization meet these requirements. Assured Workloads also monitors resources and alerts when one becomes non-compliant, helping you maintain your regulated environment.
Organizations with specific compliance or regulatory requirements may be required to use only authorized or approved services. If your organization falls under one of these programs, then using Assured Workloads will ensure that only approved products can run. Furthermore, Assured Workloads can ensure that only approved Google personnel who meet the requirements of your relevant compliance program can access the necessary data as part of support activities.
As of the writing of this blog, Assured Workloads offers control packages for the following compliance programs:
Additionally, country-specific data residency requirements can be met using regional Assured Workloads. This ensures that data is stored in the approved region or country. Current Assured Workloads regions include:
Assured Workloads control packages will help you meet your regulatory burdens, along with supporting controls dependent on the use case. Below we will walk through two common use cases:
Organizations may be required to keep all data within a region or country by law. One way to ensure that data residency is met is to use Assured Workloads at the GCP folder level. All supported products in this folder will store data in only the approved regional GCP locations.
For example, if the “Australia Regions” control package were selected, then only the ~45 products that store data in GCP data centers physically located in Australia are available. When you run any of these services, you are assured that the data resides on Australian soil.
Organizations may need to meet regulatory requirements in order to process certain types of data or to connect to government systems. Once again, Assured Workloads can be applied to a folder to ensure that only authorized or approved GCP products can be used within that folder.
For example, in order for the US government to purchase cloud services from a company, those services must be FedRAMP authorized. Companies seeking FedRAMP authorization are only allowed to use FedRAMP-authorized services within their product. A convenient way to ensure that only FedRAMP-authorized GCP services are used is to create a folder with the “FedRAMP” control package assigned (either Moderate or High). This ensures that unauthorized GCP services cannot be run in the assured folder.
Follow these steps when implementing Assured Workloads in GCP:
Before implementing Assured Workloads, many factors should be examined to ensure this is the proper approach for your organization. Let’s examine the pros and cons of using it:
Advantages of using Assured Workloads:
While there are many advantages to using Assured Workloads, there are disadvantages to consider:
Assured Workloads offers many benefits to ensure that your regulated environments maintain their compliance posture. Prior to implementing Assured Workloads, you should perform a thorough examination of the pros and cons of this product. If your organization chooses to move forward with Assured Workloads, be sure to develop a solid architecture and monitoring approach before you begin deployment. If you want more information or would like assistance with implementing Assured Workloads, please feel free to reach out to our experts at ScaleSec.