Google is broadening its continuum of encryption options available on Google Cloud Platform (GCP), with the addition of the Cloud Key Management Service (KMS).
Now in beta, Cloud KMS offers a cloud-based root of trust that customers in regulated industries, such as financial services and healthcare, can monitor and audit. As an alternative to custom-built or ad-hoc key management systems, which are difficult to scale and maintain, Cloud KMS is aimed at making it easy to keep keys safe.
“With the launch of Cloud KMS, Google has addressed the full continuum of encryption and key management use cases for GCP customers,” said Garrett Bekker, principal security analyst at 451 Research. “Cloud KMS fills a gap by providing customers with the ability to manage their encryption keys in a multi-tenant cloud service, without the need to maintain an on-premise key management system or HSM.”
With Cloud KMS, users can manage symmetric encryption keys in a cloud-hosted service, whether those keys protect data stored in GCP or in another environment. Users can also create, use, rotate and destroy keys through the Cloud KMS API, including as part of a secret management or envelope encryption solution. Cloud KMS is directly integrated with Cloud Identity and Access Management (IAM) and Cloud Audit Logging for greater control over who can use each key and visibility into when it was used.
“Forward-thinking cloud companies must lead by example and follow best practices,” said Maya Kaczorowski, Google product manager, in a blog post. “For example, Ravelin, a fraud detection provider, encrypts small secrets, such as configurations and authentication credentials, needed as part of customer transactions, and uses separate keys to ensure that each customer's data is cryptographically isolated. Ravelin also encrypts secrets used for internal systems and automated processes.”
Leonard Austin, CTO at Ravelin, added, “Google is transparent about how it does its encryption by default, and Cloud KMS makes it easy to implement best practices. Features like automatic key rotation let us rotate our keys frequently with zero overhead and stay in line with our internal compliance demands. Cloud KMS’s low latency allows us to use it for frequently performed operations. This allows us to expand the scope of the data we choose to encrypt from sensitive data, to operational data that does not need to be indexed.”
At launch, Cloud KMS uses the Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM), the same encryption Google uses internally to encrypt data in Google Cloud Storage. The AES-GCM implementation comes from BoringSSL, the library Google maintains and continually checks for weaknesses using several tools, including ones similar to the recently open-sourced cryptographic test tool Project Wycheproof.
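The envelope encryption and automatic key rotation described above, shown end to end as an added example; this is not Google's code and not the Cloud KMS API. The KMS is replaced by a constructed in-process stub (`kmsStub` with `Rotate`, `Wrap` and `Unwrap` are assumed names) that holds key-encryption-key (KEK) versions and never releases them. Data is sealed with AES-256-GCM from Go's standard library under a fresh per-object data-encryption key (DEK); only the DEK is sent to the "KMS" to be wrapped, and a rotation rewraps the DEK under the new primary KEK without re-encrypting the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// mustRandom returns n bytes from the OS CSPRNG; a failing CSPRNG is fatal, so it panics.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// mustGCM builds an AES-GCM AEAD; every key here is 32 bytes, so a failure is a programming error.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block with the default nonce size
	return gcm
}

// gcmSeal returns nonce||ciphertext||tag; the random 96-bit nonce must never repeat under one key.
func gcmSeal(key, plaintext, aad []byte) []byte {
	gcm := mustGCM(key)
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// gcmOpen reverses gcmSeal; the GCM tag check rejects any modified byte or mismatched AAD.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, fmt.Errorf("sealed blob too short")
}

// kmsStub is a constructed stand-in for a KMS key: keks[i] is KEK version i+1, the newest is primary.
type kmsStub struct{ keks [][]byte }

// Rotate adds a fresh 256-bit KEK version and makes it primary; old versions stay usable for unwrap.
func (k *kmsStub) Rotate() int {
	k.keks = append(k.keks, mustRandom(32))
	return len(k.keks)
}

// Wrap seals a DEK under the primary KEK, binding the version into the AAD so it cannot be misattributed.
func (k *kmsStub) Wrap(dek []byte) (int, []byte) {
	v := len(k.keks)
	return v, gcmSeal(k.keks[v-1], dek, []byte(fmt.Sprint("kek-v", v)))
}

func (k *kmsStub) Unwrap(version int, wrapped []byte) ([]byte, error) {
	if version < 1 || version > len(k.keks) {
		return nil, fmt.Errorf("unknown KEK version %d", version)
	}
	return gcmOpen(k.keks[version-1], wrapped, []byte(fmt.Sprint("kek-v", version)))
}

// Envelope is what gets stored: the data ciphertext plus the KMS-wrapped DEK.
type Envelope struct {
	KEKVersion int
	WrappedDEK []byte
	Ciphertext []byte
}

// Encrypt seals data locally under a fresh DEK and sends only the 32-byte DEK to the KMS for wrapping.
func Encrypt(k *kmsStub, plaintext []byte) *Envelope {
	dek := mustRandom(32)
	ver, wrapped := k.Wrap(dek)
	return &Envelope{KEKVersion: ver, WrappedDEK: wrapped, Ciphertext: gcmSeal(dek, plaintext, nil)}
}

func Decrypt(k *kmsStub, env *Envelope) ([]byte, error) {
	dek, err := k.Unwrap(env.KEKVersion, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, env.Ciphertext, nil)
}

// Rewrap moves an envelope onto the current primary KEK after a rotation; the data ciphertext is untouched.
func Rewrap(k *kmsStub, env *Envelope) error {
	dek, err := k.Unwrap(env.KEKVersion, env.WrappedDEK)
	if err != nil {
		return err
	}
	env.KEKVersion, env.WrappedDEK = k.Wrap(dek)
	return nil
}
```

A typical sequence is `k.Rotate()` to create version 1, `Encrypt` to store an envelope, a later `k.Rotate()` when the rotation schedule fires, then `Rewrap` on each stored envelope so it depends only on the new primary version; `Decrypt` still works for envelopes that have not been rewrapped because old versions are retained. Because the data ciphertext never changes, rotation cost is proportional to the number of objects, not their size, which is why the DEK is the only thing the KMS ever sees.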
By default, Cloud Storage manages its server-side encryption keys itself, but users who prefer to manage their cloud-based keys can select Cloud KMS instead. For keys managed on-premises, they can select Customer-Supplied Encryption Keys for Google Cloud Storage and for Google Compute Engine.
“While we’re on the topic of data protection and data privacy, it might be useful to point out how we think about GCP customer data,” added Kaczorowski. “Google will not access or use GCP customer data, except as necessary to provide them the GCP services.”