ASSURED WORKLOADS — Managing Data Sovereignty and Regulatory Compliance the Google way!

In today’s digital landscape, maintaining robust security and meeting regulatory compliance requirements are paramount for organisations across industries. Implementing these compliance requirements on workloads running on GCP manually can be a huge mountain to climb as it could require great input of resources and administrative overhead. It still can be achieved to a great extent by implementing necessary Organisational policies, data encryption, enabling necessary logs like Access Transparency logs, log sinks etc. This is where Google Cloud Platform’s Assured Workloads comes into play. Assured Workloads provides a comprehensive solution that enables businesses to create and manage secure and compliant work environments in the cloud.

In this article, let’s discuss the features that Assured workload offers, how to create an Assured Workload folder and some tips to further build up security.

Compliance Programs currently supported:

Assured Workloads provides compliance programs to create regulated boundaries in Google Cloud. These are a set of security controls, when implemented meet the regulatory baseline for compliance. There are 2 tiers offered under this service — Free tier and Premium Tier. Each tier supports certain level of compliance programs as listed below:

Each compliance programme has different set of security controls enabled based on the type and the region the workloads are to be set up. The details on each compliance is provided here.

Assured Workload Folder Creation:

Before creation of AW folder, there are few pre-requisites that must be fulfilled:

• Have a Cloud Identity setup and domain verified
• Create an Organisation using the registered domain
• Enable access Transparency for the Organisation
• Have roles/assuredworkloads.admin permission granted to the user.

Once these prerequisite steps are completed, proceed to AW folder creation with the following steps,

1. Under Compliance>Assured Workloads, click on CREATE.(AW workloads can be created at an Org level). Check whether all the prerequisite conditions are met and proceed to the next step.
2. Select the origin of the compliance type based on your requirement
3. Select the region where you want to deploy(Based on your compliance type, data may be restricted to this particular region only)
4. Set your folder location and name of your folder.
5. Configure Key Management Project and key Ring.(This will set up the CMEK project under the AW folder where the CMEK keys would be stored. NOTE: This just creates a project where the keys would be stored and the actual keys must be created by the user)
6. Review your details and click on CREATE.

Thats it! Every project that you add under this Assured Workload folder, will have to follow the set of compliance set at the folder. This helps an organisation to have both compliant and non-compliant workloads under the same organisation.

Under the Assured folder, a separate CMEK project would be created based on your input under which your keys would be stored. During development, when you provision and configure in-scope Google Cloud resources that require a CMEK encryption key, you request the resource ID of the key from your administrator. This is to make sure that all the keys stored are under a particular location and provide clear distinction between security administrators and developers. For more info on AW encryption and usage check this link.

It is important to note that the restrictions applied only meet the BASELINE. Make sure to apply stricter security controls if necessary based on the requirements. There is a list of supported services for each compliance type as listed here. Based on the requirements, kindly go through the list and allow or deny the services using the Resource Usage Restriction organisational policy. This would help setup a more robust security measures.

Sovereign Controls by Partners:

This is one step further in managing your compliant workloads in GCP. Google also provides another way to manage the compliance workloads through their partners. Sovereign Controls by Partners offerings are now generally available from two partners: T-Systems International (TSI) and S3NS. Each partner provides sovereign controls on Google cloud workloads in specific regions. More details provided in the link.

In conclusion, Assured Workloads in Google Cloud Platform offers organizations a secure and compliant solution for protecting their workloads in the cloud. With robust features, such as data encryption and comprehensive compliance certifications, businesses can confidently leverage the scalability and agility of the cloud while maintaining data security and regulatory compliance. Assured Workloads enables organisations to focus on their core objectives, knowing their data is protected in a trusted environment.