Google has announced a new beta capability: support for customer-supplied encryption keys.
The feature lets users create and hold the keys, determine when data is active or "at rest," and prevent anyone accessing their at-rest data within the Google Cloud Platform.
“Google Compute Engine already protects all customer data with industry-standard AES-256 bit encryption,”” explained Leonard Law, a Google researcher, in a post. “Customer-supplied encryption Keys marries the hardened encryption framework built into Google’s infrastructure with encryption keys that are owned and controlled exclusively by you….Google does not retain your keys, and only holds them transiently in order to fulfill your request.”
The feature may be especially useful for larger enterprises in certain verticals, like banking.
"Google Compute Engine gives us the performance and scale to process high-volume transactions in the financial markets,” said Neil Palmer, CTO of Sungard Consulting Services. “With customer-supplied encryption keys, we can independently control data encryption for our clients without incurring additional expenses from integrating third-party encryption providers. This control is critical for us to realize the price/performance benefits of the cloud in a highly regulated industry."
Not everyone is impressed. Secure Channels CEO and co-founder Richard Blech said in an e-mailed comment that the feature positions itself as bring-your-own encryption (BYOE), but that it’s nothing more than a “marketing ploy by Google, who is implying that using their custom encryption engine allows you, the consumer, to control your own encryption key(s) for Google’s Compute Engine.”
He commented that Google’s platform is not agnostic and uses its own engine to create the keys as well as protect the data.
“Whether this is good or not is not the question, but what is certain, is that it is not BYOE,” he said. “In order to have true BYOE, the user must be able to define and control the encryption and the keys themselves, and be able to use them agnostically with all environments and applications."
He added, “The consumer is given a false sense of security because they are bringing ‘their own’ encryption keys to the cloud.”
Photo Credit: photogearch / Shutterstock.com