Overview of Assured Workloads frameworks

Assured Workloads frameworks are a newer way to apply cloud controls for data residency, access, and personnel that are equivalent to the controls available in Assured Workloads folders.

You can use Assured Workloads frameworks to meet the security and regulatory requirements of your folders and projects in the following ways:

  • Choose a predefined data boundary to enforce and monitor your Google Cloud environment's compliance
  • Define your own compliant and secure configuration for your Google Cloud environment
  • View dashboards that show your environment's alignment with your compliance and security requirements
  • Audit your cloud environments, including collecting evidence and generating reports

Assured Workloads frameworks use software-defined controls that let you assess support for multiple compliance programs and security requirements within a Google Cloud folder or project.

Assured Workloads frameworks components

The following table describes the components of Assured Workloads frameworks:

Rule

A technical item within a cloud control that lets you meet a compliance, security, or privacy requirement. Rules can be organization policies, IAM policies, cloud settings, and detection logic based on Common Expression Language (CEL).
Cloud control

A set of rules and associated metadata that you can use to define the security or compliance intent for your folder or project. Assured Workloads frameworks include a library of built-in cloud controls and let you create your own.

The metadata in a cloud control includes the remediation instructions and finding severity.

Cloud controls have the following modes:

  • Detective: Assured Workloads frameworks apply the cloud control to the defined resources for monitoring purposes. Any violations are detected and findings are generated. No preventive actions are taken automatically.
  • Preventive: Assured Workloads frameworks apply the cloud control to the defined resources and actively enforce its rules. Any resource activity that violates the cloud control is blocked.

Some cloud controls require additional information before they can work. For example, if you want to use a cloud control that checks whether your workloads and resources are running in particular regions, you must specify the permitted regions when you create the cloud control.
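The following is an added example, not code from the Assured Workloads documentation or the service itself. It models the rule and cloud-control components described above and evaluates a parameterised region-restriction control in both modes, so the difference between detective (findings recorded, activity allowed) and preventive (activity blocked, nothing recorded) is visible in code. The class names, the folder scope string, the resource shape, and the sample inventory are assumptions made for illustration; the real service's API is not reproduced.

```python
"""Toy model of Assured Workloads framework components (added example, not the
service's own code). Names, resource shapes and the sample inventory below are
assumptions made for illustration."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List


class Mode(Enum):
    DETECTIVE = "detective"    # monitor: record findings, never block
    PREVENTIVE = "preventive"  # enforce: reject violating activity


@dataclass
class Rule:
    """One technical check inside a cloud control (here: a resource-location check)."""
    name: str
    predicate: Callable[[Dict], bool]   # returns True when the resource is compliant


@dataclass
class CloudControl:
    """A set of rules plus the metadata the page lists: severity and remediation."""
    name: str
    rules: List[Rule]
    severity: str
    remediation: str
    mode: Mode


@dataclass
class Finding:
    control: str
    rule: str
    resource: str
    severity: str
    remediation: str


@dataclass
class Deployment:
    """Binding of a control to a scope such as a folder (scope format is assumed)."""
    control: CloudControl
    scope: str
    findings: List[Finding] = field(default_factory=list)
    allowed: List[str] = field(default_factory=list)

    def evaluate(self, resource: Dict) -> bool:
        """Apply the control to one resource and return whether it is allowed.

        Detective mode: record a Finding for every failing rule and allow the
        resource. Preventive mode: block on the first failing rule and record
        nothing, because the violating activity never takes place.
        """
        for rule in self.control.rules:
            if rule.predicate(resource):
                continue
            if self.control.mode is Mode.PREVENTIVE:
                return False
            self.findings.append(Finding(
                control=self.control.name, rule=rule.name,
                resource=resource["name"], severity=self.control.severity,
                remediation=self.control.remediation))
        return True


def region_rule(permitted: List[str]) -> Rule:
    """The parameterised region check: permitted regions are supplied when the
    control is created, exactly the extra information the page says is required."""
    allowed = frozenset(permitted)
    return Rule(name="resource-in-permitted-region",
                predicate=lambda r: r.get("location") in allowed)


def run_demo(mode: Mode) -> Deployment:
    """Evaluate a constructed sample inventory (not real data) under the given mode."""
    control = CloudControl(
        name="data-residency-us",
        rules=[region_rule(["us-central1", "us-east4"])],
        severity="HIGH",
        remediation="Recreate the resource in a permitted region or move its data.",
        mode=mode)
    deployment = Deployment(control=control, scope="folders/123456")  # assumed scope
    sample = [  # constructed sample resources
        {"name": "bucket-a", "location": "us-central1"},
        {"name": "bucket-b", "location": "europe-west1"},
        {"name": "vm-c", "location": "asia-east1"},
    ]
    for resource in sample:
        if deployment.evaluate(resource):
            deployment.allowed.append(resource["name"])
    return deployment


if __name__ == "__main__":
    for mode in Mode:
        d = run_demo(mode)
        print(mode.value, "allowed:", d.allowed, "findings:", [f.resource for f in d.findings])
```

Running the block prints that detective mode allows all three resources but records findings for the two outside the permitted regions, while preventive mode allows only the compliant one and records no findings. A rule whose predicate cannot decide (for example, a resource with no location) fails closed under this model, which is the behaviour you want from a preventive control.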

Framework

A collection of cloud controls and regulatory controls that represents security best practices or an industry-defined standard. A framework can also map its cloud controls to the regulatory controls of a standard or data boundary, such as FedRAMP Moderate or IL2.

Assured Workloads includes a library of built-in frameworks. You can customize these frameworks or create your own.

Framework deployment

The binding between a particular framework and a folder or project that is created when you deploy the framework.

Supported frameworks

Assured Workloads supports built-in frameworks for Google Cloud, such as Assured Workloads data boundaries. You can deploy these frameworks as is or customize them for your needs.

Supported Assured Workloads data boundaries

The following Assured Workloads data boundary frameworks are available:

Supported Compliance Manager frameworks

The following Compliance Manager frameworks are available in Assured Workloads frameworks if you have a Security Command Center subscription at the Premium or Enterprise tier:

What's next