Google Program Lets Enterprise Cloud Customers Control Their Own Security
One of the things enterprise customers fear most when putting data on the public cloud is having to depend on someone else’s security to protect it. Well, leave it to eternal innovator Google (GOOG) to find an answer to that. The company is putting cloud security in the hands of its customers with a new program that lets customers bring their own encryption keys to Google Compute Engine.
The Customer-Supplied Encryption Keys for Google Compute Engine program provides enterprise customers with encryption keys that are owned and controlled exclusively by those customers, Google Product Manager Leonard Law said in a Google blog post.
“You create and hold the keys, you determine when data is active or at rest, and absolutely no one inside or outside Google can access your at-rest data without possession of your keys,” he said. “Google does not retain your keys, and only holds them transiently in order to fulfill your request.”
An encryption key, fed to a cipher algorithm, transforms readable data into ciphertext: streams or blocks of seemingly random bytes that cannot be read back without the key.
Google already protects data on its cloud with industry-standard AES-256 encryption, so in theory the data is already secure. The customer-supplied keys—which protect all forms of data at rest for Compute Engine, including boot and data persistent disks—are merely more insurance for cloud customers that want to feel in control of their data, Law said.
“Security is as much about control as it is about data protection,” he wrote in the post. “With Customer-Supplied Encryption Keys, we are giving you control over how your data is encrypted with Google Compute Engine.”
But customers also take a risk when using the keys because they also mean that Google can’t help them retrieve data if they lose their keys, since the company won’t have access to them, he added.
“Keep in mind, though, if you lose your encryption keys, we won’t be able to help you recover your keys or your data,” Law wrote, adding that “with great power comes great responsibility!”
There are several ways Google’s customers in select countries can take advantage of the encryption keys, which are available free of charge. Customers can supply them through Google’s API, the Developers Console, or the gcloud command-line interface.
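The passage describes supplying a key through gcloud without showing what the customer actually hands over. The following is an added example, not code from the article or from Google: it generates a 256-bit key locally with the OS random source, renders the JSON key file that the `--csek-key-file` flag of `gcloud compute disks create` / `gcloud compute instances create` consumes (a list of `uri`, `key`, `key-type` entries, with the key base64-encoded), computes the SHA-256 fingerprint that the Compute Engine API reports back for a key (the key itself is never returned), and validates a key file before use so that a malformed or short key is caught on the customer's side. The project, zone and disk names in the URI are placeholders.

```python
import base64
import hashlib
import json
import secrets

# Constructed placeholder resource URI; replace with the disk or instance you are creating.
SAMPLE_DISK_URI = (
    "https://www.googleapis.com/compute/v1/projects/example-project"
    "/zones/us-central1-a/disks/example-disk"
)
COMPUTE_URI_PREFIX = "https://www.googleapis.com/compute/"


def generate_raw_key() -> bytes:
    """Return a fresh 256-bit (32-byte) key from the OS CSPRNG.

    The key is created and kept on the customer's side; Google only sees it
    transiently inside the API request that carries it.
    """
    return secrets.token_bytes(32)


def key_fingerprint(raw_key: bytes) -> str:
    """Base64-encoded SHA-256 of the raw key.

    The Compute Engine API reports this value (customerEncryptionKey.sha256)
    for a resource, so an operator can confirm which key protects it without
    the key material ever leaving the customer's control.
    """
    return base64.b64encode(hashlib.sha256(raw_key).digest()).decode("ascii")


def build_csek_key_file(raw_key: bytes, resource_uri: str) -> str:
    """Render the JSON document that gcloud's --csek-key-file flag reads."""
    entry = {
        "uri": resource_uri,
        "key": base64.b64encode(raw_key).decode("ascii"),
        "key-type": "raw",
    }
    return json.dumps([entry], indent=2)


def validate_csek_key_file(document: str) -> list:
    """Check a key file before handing it to gcloud.

    Returns the fingerprint of every key in the file, or raises ValueError on
    a structural problem: wrong key type, non-Compute URI, bad base64, or a
    key that is not exactly 32 bytes (AES-256 requires a 256-bit key).
    """
    entries = json.loads(document)
    if not isinstance(entries, list) or not entries:
        raise ValueError("key file must be a non-empty JSON list")
    fingerprints = []
    for entry in entries:
        uri = entry.get("uri", "")
        if not uri.startswith(COMPUTE_URI_PREFIX):
            raise ValueError(f"unexpected resource URI: {uri!r}")
        if entry.get("key-type") != "raw":
            raise ValueError(f"unsupported key-type for {uri}: {entry.get('key-type')!r}")
        try:
            raw = base64.b64decode(entry["key"], validate=True)
        except (KeyError, ValueError) as exc:  # binascii.Error is a ValueError
            raise ValueError(f"key for {uri} is not valid base64") from exc
        if len(raw) != 32:
            raise ValueError(f"key for {uri} is {len(raw)} bytes, expected 32")
        fingerprints.append(key_fingerprint(raw))
    return fingerprints


if __name__ == "__main__":
    # Generate a key, write the file gcloud expects, and print only the fingerprint
    # so the key itself never lands in a terminal log.
    key = generate_raw_key()
    document = build_csek_key_file(key, SAMPLE_DISK_URI)
    with open("csek-key-file.json", "w", encoding="ascii") as fh:
        fh.write(document)
    print("wrote csek-key-file.json; key sha256:", validate_csek_key_file(document)[0])
```

The raw key must be the only copy the customer needs: as the article notes, Google cannot recover it, so the generated file belongs in the customer's own key store rather than beside the deployment scripts. Comparing `key_fingerprint` against the `sha256` the API returns is how an operator verifies that a disk was created under the intended key.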
I like the idea that “Google does not retain your keys, and only holds them transiently in order to fulfill your request,” but your encryption keys and your clear text data will still be exposed in the Google cloud infrastructure.
Gartner released the report “Simplify Operations and Compliance in the Cloud by Protecting Sensitive Data” in June 2015 that highlighted key challenges as “cloud increases the risks of noncompliance through unapproved access and data breach.”
The report recommended that CIOs and CISOs address data residency and compliance issues by “applying encryption or tokenization,” and also that they “understand when data appears in clear text, where keys are made available and stored, and who has access to the keys.”
Ulf Mattsson, CTO Protegrity