You can use Compliance Manager in Google Cloud to help ensure that your Google Cloud infrastructure, workloads, and data meet the security and regulatory requirements of your organization. Compliance Manager lets you do the following:
- Define and deploy a compliant and secure configuration for your Google Cloud environment.
- View dashboards that show your environment's alignment with your compliance and security requirements.
- Audit your cloud environments, including collecting evidence and generating assessment reports.
Compliance Manager uses software-defined controls that let you assess support for multiple compliance programs and security requirements within a Google Cloud organization.
Compliance Manager components
The following table describes the components of Compliance Manager.
Component | Description
---|---
Rule | A technical item within a cloud control that lets you meet a compliance, security, or privacy requirement. Rules can be organization policies, IAM policies, cloud settings, and detection logic based on Common Expression Language (CEL).
Cloud control | A set of rules and associated metadata that you can use to define your organization's security or compliance intent. Compliance Manager includes a library of built-in cloud controls and lets you create your own. The metadata in a cloud control includes remediation instructions and finding severity. Cloud controls have the following modes:
Regulatory control | An industry-defined security or regulatory compliance requirement. The relationship mapping between cloud controls and regulatory controls defines how one or more cloud controls satisfy a regulatory control requirement. Consider the following:
Framework | A collection of cloud controls and regulatory controls that represent security best practices or industry-defined standards such as FedRAMP or NIST. A framework can include a mapping between cloud controls and the regulatory controls. Compliance Manager includes a library of built-in frameworks. You can customize these frameworks or create your own.
Framework deployment | The binding between a particular framework and an organization, folder, or project when you deploy the framework.
The following diagram shows the components of Compliance Manager.
Built-in frameworks
Compliance Manager supports built-in frameworks for Google Cloud and Microsoft Azure. You can deploy these frameworks as-is, or you can customize them to meet your particular needs.
Frameworks for Google Cloud
The following frameworks are available:
- Center for Information Security (CIS) Controls 8.0
- CIS Google Cloud Computing Platform 3.0
- CIS Kubernetes Benchmark v1.1.7
- Cloud Controls Matrix (CCM) 4
- International Organization for Standardization (ISO) 27001, 2022
- National Institute of Standards and Technology (NIST) 800-53 R5
- NIST Cybersecurity Framework (CSF) 1.0
Frameworks for Microsoft Azure
The following frameworks are available:
Enable Compliance Manager
Complete the following to enable Compliance Manager at the organization level:
- To get the permissions that you need to enable Compliance Manager, ask your administrator to grant you the following IAM roles on your organization, folder, or project:
  - Organization Policy Administrator (roles/orgpolicy.policyAdmin)
  - Security Center Admin Editor (roles/securitycenter.adminEditor)
  For more information about granting roles, see Manage access to projects, folders, and organizations.
  You might also be able to get the required permissions through custom roles or other predefined roles.
- Enable Compliance Manager using one of the following methods:
  - If you haven't activated Security Command Center in your organization, then activate Security Command Center Enterprise. Compliance Manager is automatically enabled as part of that process.
  - If you've already activated the Enterprise service tier of Security Command Center, add Compliance Manager using the Activate Compliance Manager page.
- To support Azure cloud controls and frameworks, connect Security Command Center to Azure.
When you enable Compliance Manager, the following services are also enabled:
- Sensitive Data Protection, to use data sensitivity signals for default data risk assessment.
- Event Threat Detection (part of Security Command Center) at the organization level.
The Cloud Security Compliance service agent (service-org-ORGANIZATION_ID@gcp-sa-csc-hpsa.iam.gserviceaccount.com) is created when you enable Compliance Manager.
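Before asking an administrator for roles, it helps to confirm which of the two predefined roles above a principal already holds. The following pre-flight check is an added example, not Google's code: it reads an organization IAM policy in the JSON shape that `gcloud organizations get-iam-policy ORGANIZATION_ID --format=json` returns (a list of bindings, each with a role and its members), and reports which required roles are missing for a user and the groups they belong to. The sample policy, the principal names, and the function names are constructed for the example. It only tests for the two predefined roles named on the page; a custom role that carries the same permissions would be reported as missing, which matches the page's note that custom roles may also work but cannot be recognised by name.

```python
"""Pre-flight check: does a principal hold the IAM roles required to enable
Compliance Manager? Added example, not Google's code. The policy below is a
constructed sample in the shape of `gcloud organizations get-iam-policy
ORGANIZATION_ID --format=json` output."""
import json

# The two predefined roles named in the enablement procedure.
REQUIRED_ROLES = {
    "roles/orgpolicy.policyAdmin",
    "roles/securitycenter.adminEditor",
}

# Constructed sample policy: alice holds policyAdmin directly and adminEditor
# through a group; bob holds neither required role.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/orgpolicy.policyAdmin",
     "members": ["user:alice@example.com", "group:sec-admins@example.com"]},
    {"role": "roles/securitycenter.adminEditor",
     "members": ["group:sec-admins@example.com"]},
    {"role": "roles/viewer",
     "members": ["user:bob@example.com"]}
  ],
  "etag": "BwX-constructed=",
  "version": 1
}
"""


def roles_for(policy: dict, principals: set) -> set:
    """Return every role bound to any of the given principals.

    Pass the user together with the groups they belong to: the IAM policy
    lists group principals but does not expand group membership, so a check
    on the user name alone would miss roles granted through a group.
    """
    held = set()
    for binding in policy.get("bindings", []):
        # A conditional binding grants the role only while its condition
        # holds, so a conservative pre-flight check does not count it.
        if "condition" in binding:
            continue
        if principals & set(binding.get("members", [])):
            held.add(binding["role"])
    return held


def missing_roles(policy: dict, principals: set) -> set:
    """Required roles that none of the principals hold at this level."""
    return REQUIRED_ROLES - roles_for(policy, principals)


def check(policy_json: str, principals: set) -> dict:
    """Parse a policy JSON document and report the missing required roles."""
    policy = json.loads(policy_json)
    missing = missing_roles(policy, principals)
    return {"ok": not missing, "missing": sorted(missing)}


if __name__ == "__main__":
    # Replace SAMPLE_POLICY_JSON with the real gcloud output to run this
    # against your organization; the principals must use IAM member syntax.
    print(check(SAMPLE_POLICY_JSON,
                {"user:alice@example.com", "group:sec-admins@example.com"}))
    print(check(SAMPLE_POLICY_JSON, {"user:bob@example.com"}))
```

Because the page allows the roles to be granted on the organization, a folder, or a project, run the check against the policy of the resource where you intend to deploy frameworks; a role inherited from a parent resource appears in the parent's policy, not the child's.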
Using Compliance Manager with Security Command Center services and features
You can enable other Security Command Center services and features and use them in the same organization where you enable Compliance Manager. Consider the following:
If you deploy a framework to a folder or project that has Security Health Analytics enabled, you might receive duplicate findings, because Compliance Manager uses a different evaluation engine than Security Health Analytics.
You can deploy a framework on the same folder or project on which you deploy a security posture using the security posture service. Compliance Manager and security posture don't interact, and what you set in a posture doesn't affect what you set in a framework. However, because security posture uses Security Health Analytics, you might receive duplicate findings.
Compliance Manager uses the global endpoint, not the endpoint that you might specify when you enable data residency for Security Command Center. However, you can specify the location that you want to audit your environment in. For more information, see Audit your environment with Compliance Manager.