Governance overview
Purpose: This document provides a high-level understanding of how various policies can be applied in Verily Workbench.
What are policies in Workbench?
Policies are restrictions that may be attached to workspaces and data collections and dictate how the data can be accessed and used, chiefly for the purposes of privacy and legal compliance. When a collection or resource with a policy is brought into a workspace, it attaches to the workspace. Policies can’t be removed from workspaces, even if the associated resources are deleted, to ensure that any analysis outputs remain in compliance with the policy.
What types of policies exist in Workbench?
Currently Workbench offers the following policies:
- Group policy
- Region policy
- Perimeter policy
A group policy restricts workspace and data sharing to users who are members of all selected groups. A group policy does not grant access, but can be used as an additional layer of access control. Like other policy types, a group policy can’t be removed once it’s been applied, and carries over to any duplicates.
Learn more about group policies here.
A region policy is a type of policy that limits which regions may be used to create cloud resources and environments. For example, if you used data from a collection that had a region policy, your cloud environment and analysis outputs must be kept within the regions specified by the policy. When a region policy is applied to a workspace outside of the prescribed regions, the default resource region must be updated in order to comply with the policy requirements. You don’t need to migrate data that was in the workspace before the policy was applied, and references to data aren’t affected.
Learn more about region policies here.
A perimeter policy limits data access and exfiltration by requiring that data can only be accessed from workspaces within a particular perimeter. When the policy is applied to a workspace, that workspace will be enrolled in the perimeter and cannot be removed. The data inside this perimeter cannot be copied into other workspaces, or be read from workspaces outside the perimeter.
Learn more about perimeter policies here.
Additional policies
Policies are an important framework for Workbench and we expect to expand our policy offerings in the near future. If you have an important governance need that isn’t currently covered, please contact Workbench support.
Last Modified: 21 October 2024