Google Lets Cloud Customers Supply Encryption Keys - InformationWeek
7/28/2015
03:09 PM
Users of Google Compute Engine can now provide their own keys to secure data, turning Infrastructure-as-a-Service (IaaS) into even more of a self-service affair.

BYOB stands for "bring your own beer." BYOD stands for "bring your own device." And BYOEC stands for "bring your own encryption keys."

Google on Tuesday said it is now supporting Customer-Supplied Encryption Keys for Google Compute Engine, turning Infrastructure-as-a-Service (IaaS) into even more of a self-service affair.

Product manager Leonard Law said in a blog post Google is committed to security and to giving customers more control over the Google Cloud Platform. "You create and hold the keys, you determine when data is active or at rest, and absolutely no one inside or outside Google can access your at rest data without possession of your keys," said Law. "Google does not retain your keys, and only holds them transiently in order to fulfill your request."

While Google claims that it only holds keys briefly for processing, it remains open to question whether the company, or any cloud service provider offering a similar service, could be compelled under US or foreign security laws to create a mechanism to capture encryption keys.

Such scenarios aside, allowing customers to control their own encryption keys should provide some reassurance that data can be stored as securely in the cloud as anywhere else, a fear that has plagued companies since Edward Snowden's 2013 revelations about the vast reach of NSA spying.

(Image: Marcus Sümnick via Flickr under CC By 2.0)

Forrester analyst James Staten in 2013 estimated that the cost of NSA surveillance to US businesses could reach $180 billion by 2016. While Staten's estimate is higher than some others, it's clear that US intelligence-gathering has sown mistrust among technology businesses and their customers. Concerns about the security of data in the cloud prompted IBM last year to commit $1.2 billion to build data centers overseas as a way to assure foreign customers that it can store their data safely. In December 2013, Reuters reported that Brazil awarded a $4.5 billion jet contract to Saab instead of Boeing because of unhappiness with NSA spying. Many other companies have been affected.

Google's enhancement of Compute Engine represents a continuation of a broad tech industry effort to enhance security in response to the Snowden leaks, and to meet compliance requirements in industries with strict data rules.

"Bringing your own encryption keys is going to provide even greater security on Google Cloud Platform addressing one of the key concerns for Consolidated Audit Trail (CAT)," said Neil Palmer, CTO of SunGard's Advanced Technology business, in an email to InformationWeek. "Specifically, the transmitted data from the broker dealers and securities exchanges will be independently encrypted and owned by the market participants allowing even greater control."

Amazon Web Services and Microsoft Azure have implemented support for customer-held keys through AWS Key Management Service and Azure Key Vault, and through partner services like SafeNet's ProtectV. Google, however, is offering Customer-Supplied Encryption Keys for free.

Google is making Customer-Supplied Encryption Keys available as beta software in Canada, France, Germany, Japan, Taiwan, the UK, and the US. As such, it's not covered under the Cloud Platform SLA.

Google Compute Engine customers may not have to pay to bring their own keys, but they'd be well advised to pay attention to keeping their keys: Google won't be able to help customers recover their data if they lose their keys.

As Law observed, "With great power comes great responsibility!"

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ...

Comments
asksqn,
User Rank: Ninja
7/29/2015 | 6:43:51 PM
Ghost of Snowden
LOL Encryption keys won't matter if Congress green lights #CISA - the mass surveillance bill masquerading as a cybersecurity bill that turns all of your favorite web sites, especially Google, into legally immune spies on behalf of the NSA.

Ulf Mattsson,
User Rank: Strategist
7/29/2015 | 2:57:29 PM
I like the idea
I like the idea that "Google does not retain your keys, and only holds them transiently in order to fulfill your request," but the keys and the clear text data are still exposed in the cloud infrastructure.

Gartner released the report "Simplify Operations and Compliance in the Cloud by Protecting Sensitive Data" in June 2015 that highlighted key challenges as "cloud increases the risks of noncompliance through unapproved access and data breach."

The report recommended CIOs and CISOs to address data residency and compliance issues by "applying encryption or tokenization," and to also "understand when data appears in clear text, where keys are made available and stored, and who has access to the keys."

Ulf Mattsson, CTO Protegrity