After more than a year of beta testing, Google Cloud Platform now officially supports customer-supplied encryption keys (CSEK) for Compute Engine, the company's infrastructure-as-a-service offering.
For IT organizations that take data security seriously, the ability to supply, control, and manage encryption keys has become highly desirable, for the sake of legal compliance and for simple reassurance. In a statement, Neil Palmer, CTO of advanced technology at FIS Global, a Google Cloud Platform customer, characterizes CSEK as "a critical feature."
Since Edward Snowden's 2013 revelations about the extent of online surveillance by government agencies, it has become clear that third-party cloud services can be compelled to provide encryption keys that they control. There's also the risk that cloud service providers may lose control of keys through vulnerabilities.
"With CSEK, disks at rest are protected with your own key that cannot be accessed by anyone, inside or outside of Google, unless they present your key," explain Google product managers Maya Kaczorowski and Eric Bahna in a blog post. "Google does not retain your keys and only holds them transiently to fulfill your request, such as attaching a disk or starting a VM."
According to Google's Transparency Report, government demands for user data have increased every year since the company began keeping track in 2009. The number of data breaches in the US reached 781 in 2015, only two shy of the record 783 breaches in 2014, according to the Identity Theft Resource Center.
Google began allowing customers to supply and manage their own encryption keys in June of last year. It's somewhat late to the game. Amazon Web Services began offering CSEK, also referred to as "bring your own key" (BYOK), on its S3 storage service in June 2014, and it added the AWS Key Management Service in November that year.
While data encryption is advisable for any organization that has to protect data, it's not a guarantee that that data will remain secure. Earlier this year, the FBI sought to compel Apple's assistance to create a special version of iOS that would allow it to undo the encryption features built into the iPhone.
Apple resisted the demand, and the FBI ultimately was able to access the device with the help of a third party and an undisclosed vulnerability. The lesson here for information technology professionals is that any third-party involvement with data represents a potential point of failure for security.
Google presently offers CSEK in Canada, Denmark, France, Germany, Japan, Taiwan, the UK, and the US. Later this month, it plans to expand availability to Australia, Italy, Mexico, Norway, and Sweden.
(Cover Image: D3Damon/iStockphoto)