How to set compliance controls for your Google Cloud Organization

Assured Workloads is a modern cloud solution that allows companies to more easily run regulated workloads in many of Google Cloud’s global regions. Assured Workloads can help you ensure comprehensive data protection and regulatory compliance across your Google Cloud Organization. It allows you to apply specific security and compliance controls to a folder in support of your compliance requirements. Assured Workloads supports many compliance programs to create regulated boundaries in Google Cloud.

Assured Workloads in action

Many companies have requirements to meet multiple global compliance standards. For example, if your company must adhere to compliance requirements in more than one geographic region, such as FedRAMP High in the U.S. and General Data Protection Regulation (GDPR) in the European Union, Assured Workloads can help you to easily create regulatory boundaries using a folder structure that meets your needs.

As a best practice, we would recommend placing the data subject to FedRAMP High requirements in one folder, while data subject to GDPR can be processed in a separate EU Regions and Support folder. Each folder serves as a logical boundary that maintains your compliance controls while allowing you to maintain visibility into your data in a single Google Cloud Organization.

Assured Workloads folders supporting EU Regions and FedRAMP High

In some cases, you may want compliance controls to apply to the entire Organization, not just a single folder. For example, your Google Cloud Organization may be designed to process only data subject to FedRAMP High requirements, with no need to adhere to other compliance requirements. Instead of creating a FedRAMP High Assured Workloads environment for each of your folders, we recommend creating a single Assured Workloads environment at the Organization level and treating it as the parent node in your Resource Hierarchy.

Assured Workloads at Organization level

By treating the Assured Workloads folder as the parent node, you enforce a compliance boundary that applies to the entire Organization: each folder and project created in this hierarchy retains the policies and controls enforced by Assured Workloads.

Assured Workloads can also help with addressing compliance requirements for existing Organizations in Google Cloud running production workloads: you can move your existing folders into the Assured Workloads folder. Before moving any projects to an Assured Workloads folder, we recommend performing a move analysis to uncover any non-compliant resources. With the analyzeWorkloadMove API, you can compare your current configurations to your desired compliance state and determine whether your project is:

  1. Processing data in locations that would be deemed non-compliant in your Assured Workloads folder;
  2. Relying on non-compliant services and features; and
  3. Restricted by Organization Policies that may contradict or are otherwise incompatible with the Policies in your Assured Workloads folder.

You can take the analyzeWorkloadMove API’s findings report and proactively resolve resource violations so that the affected resources abide by your compliance requirements. Once you’ve made these changes, you can move the projects to your Assured Workloads folder and rely on Assured Workloads Monitoring for alerts and updates.
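As an added example (not code from the original post or from Google), the following sketch triages one page of an analyzeWorkloadMove findings report into blockers and warnings per asset, and treats any analysis that returned an error as a blocker. The field names (`assetMoveAnalyses`, `analysisGroups`, `analysisResult`, `blockers`, `warnings`, `detail`) are assumed to match the v1 REST response; the asset names, group names and finding texts are constructed sample data.

```python
from collections import defaultdict

# Constructed sample report. Field names are assumed to follow the v1
# AnalyzeWorkloadMoveResponse JSON; assets and details are made up.
SAMPLE_REPORT = {"assetMoveAnalyses": [
    {"asset": "//storage.googleapis.com/example-bucket",
     "assetType": "storage.googleapis.com/Bucket",
     "analysisGroups": [
         {"displayName": "RESOURCE_LOCATIONS",
          "analysisResult": {
              "blockers": [{"detail": "Bucket location is outside the allowed locations."}],
              "warnings": []}}]},
    {"asset": "//cloudresourcemanager.googleapis.com/projects/example-project",
     "assetType": "cloudresourcemanager.googleapis.com/Project",
     "analysisGroups": [
         {"displayName": "ORG_POLICIES",
          "analysisResult": {
              "warnings": [{"detail": "Project policy differs from the target folder."}]}},
         {"displayName": "SERVICE_USAGE",
          "error": {"code": 7, "message": "permission denied"}}]},
]}


def triage_move_report(report):
    """Group findings per asset; an analysis that errored counts as a blocker."""
    findings = defaultdict(lambda: {"blockers": [], "warnings": []})
    for analysis in report.get("assetMoveAnalyses", []):
        entry = findings[analysis["asset"]]
        for group in analysis.get("analysisGroups", []):
            name = group.get("displayName", "UNKNOWN")
            if "error" in group:
                # Fail closed: a control that could not be checked has not passed.
                msg = group["error"].get("message", "no message")
                entry["blockers"].append(f"{name}: analysis failed ({msg})")
                continue
            result = group.get("analysisResult", {})
            entry["blockers"] += [f"{name}: {b['detail']}" for b in result.get("blockers", [])]
            entry["warnings"] += [f"{name}: {w['detail']}" for w in result.get("warnings", [])]
    return dict(findings)


def safe_to_move(findings):
    """The project may move only when no asset carries a blocker."""
    return not any(f["blockers"] for f in findings.values())


if __name__ == "__main__":
    results = triage_move_report(SAMPLE_REPORT)
    for asset, f in results.items():
        print(asset, f)
    print("safe to move:", safe_to_move(results))
```

A real report can span several pages, so a pipeline gate would run this over every page before deciding.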
