Google Lets Cloud Customers Supply Encryption Keys - InformationWeek


Google Lets Cloud Customers Supply Encryption Keys

Users of Google Compute Engine can now provide their own keys to secure data, turning Infrastructure-as-a-Service (IaaS) into even more of a self-service affair.

BYOB stands for "bring your own beer." BYOD stands for "bring your own device." And BYOEC stands for "bring your own encryption keys."

Google on Tuesday said it is now supporting Customer-Supplied Encryption Keys for Google Compute Engine, turning Infrastructure-as-a-Service (IaaS) into even more of a self-service affair.

Product manager Leonard Law said in a blog post Google is committed to security and to giving customers more control over the Google Cloud Platform. "You create and hold the keys, you determine when data is active or at rest, and absolutely no one inside or outside Google can access your at rest data without possession of your keys," said Law. "Google does not retain your keys, and only holds them transiently in order to fulfill your request."

While Google claims that it only holds keys briefly for processing, it remains open to question whether the company, or any cloud service provider offering a similar service, could be compelled under US or foreign security laws to create a mechanism to capture encryption keys.

Such scenarios aside, allowing customers to control their own encryption keys should provide some reassurance that data can be stored as securely in the cloud as anywhere else, a fear that has plagued companies since Edward Snowden's 2013 revelations about the vast reach of NSA spying.

(Image: Marcus Sümnick via Flickr under CC By 2.0)

Forrester analyst James Staten in 2013 estimated that the cost of NSA surveillance to US businesses could reach $180 billion by 2016. While Staten's estimate is higher than some others, it's clear that US intelligence-gathering has sown mistrust among technology businesses and their customers. Concerns about the security of data in the cloud prompted IBM last year to commit $1.2 billion to build data centers overseas as a way to assure foreign customers that it can store their data safely. In December 2013, Reuters reported that Brazil awarded a $4.5 billion jet contract to Saab instead of Boeing because of unhappiness with NSA spying. Many other companies have been affected.

Google's enhancement of Compute Engine represents a continuation of a broad tech industry effort to enhance security in response to the Snowden leaks, and to meet compliance requirements in industries with strict data rules.

"Bringing your own encryption keys is going to provide even greater security on Google Cloud Platform addressing one of the key concerns for Consolidated Audit Trail (CAT)," said Neil Palmer, CTO of SunGard's Advanced Technology business, in an email to InformationWeek. "Specifically, the transmitted data from the broker dealers and securities exchanges will be independently encrypted and owned by the market participants allowing even greater control."

Amazon Web Services and Microsoft Azure have implemented support for customer-held keys through AWS Key Management Service and Azure Key Vault, and through partner services like SafeNet's ProtectV. Google, however, is offering Customer-Supplied Encryption Keys for free.

Google is making Customer-Supplied Encryption Keys available as beta software in Canada, France, Germany, Japan, Taiwan, the UK, and US. As such, it's not covered under the Cloud Platform SLA.

Google Compute Engine customers may not have to pay to bring their own keys, but they'd be well advised to pay attention to keeping their keys: Google won't be able to help customers recover their data if they lose their keys.

As Law observed, "With great power comes great responsibility!"

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ...

Ulf Mattsson,
User Rank: Strategist
7/29/2015 | 2:57:29 PM
I like the idea
I like the idea that "Google does not retain your keys, and only holds them transiently in order to fulfill your request," but the keys and the clear text data are still exposed in the cloud infrastructure.

Gartner released the report "Simplify Operations and Compliance in the Cloud by Protecting Sensitive Data" in June 2015 that highlighted key challenges as "cloud increases the risks of noncompliance through unapproved access and data breach."

The report recommended that CIOs and CISOs address data residency and compliance issues by "applying encryption or tokenization," and also "understand when data appears in clear text, where keys are made available and stored, and who has access to the keys."

Ulf Mattsson, CTO Protegrity
User Rank: Ninja
7/29/2015 | 6:43:51 PM
Ghost of Snowden
LOL Encryption keys won't matter if Congress green lights #CISA - the mass surveillance bill masquerading as a cybersecurity bill that turns all of your favorite web sites, especially Google, into legally immune spies on behalf of the NSA.