Google Lets Cloud Customers Supply Encryption Keys

Users of Google Compute Engine can now provide their own keys to secure data, turning Infrastructure-as-a-Service (IaaS) into even more of a self-service affair.

Thomas Claburn, Editor at Large, Enterprise Mobility

July 28, 2015

3 Min Read

BYOB stands for "bring your own beer." BYOD stands for "bring your own device." And BYOEC stands for "bring your own encryption keys."

Google on Tuesday said it is now supporting Customer-Supplied Encryption Keys for Google Compute Engine, turning Infrastructure-as-a-Service (IaaS) into even more of a self-service affair.

Product manager Leonard Law said in a blog post Google is committed to security and to giving customers more control over the Google Cloud Platform. "You create and hold the keys, you determine when data is active or at rest, and absolutely no one inside or outside Google can access your at rest data without possession of your keys," said Law. "Google does not retain your keys, and only holds them transiently in order to fulfill your request."

While Google claims that it only holds keys briefly for processing, it remains open to question whether the company, or any cloud service provider offering a similar service, could be compelled under US or foreign security laws to create a mechanism to capture encryption keys.


Such scenarios aside, allowing customers to control their own encryption keys should provide some reassurance that data can be stored as securely in the cloud as anywhere else, addressing a fear that has plagued companies since Edward Snowden's 2013 revelations about the vast reach of NSA spying.

Forrester analyst James Staten in 2013 estimated that the cost of NSA surveillance to US businesses could reach $180 billion by 2016. While Staten's estimate is higher than some others, it's clear that US intelligence-gathering has sown mistrust among technology businesses and their customers. Concerns about the security of data in the cloud prompted IBM last year to commit $1.2 billion to build data centers overseas as a way to assure foreign customers that it can store their data safely. In December 2013, Reuters reported that Brazil awarded a $4.5 billion jet contract to Saab instead of Boeing because of unhappiness with NSA spying. Many other companies have been affected.

Google's enhancement of Compute Engine represents a continuation of a broad tech industry effort to enhance security in response to the Snowden leaks, and to meet compliance requirements in industries with strict data rules.

"Bringing your own encryption keys is going to provide even greater security on Google Cloud Platform addressing one of the key concerns for Consolidated Audit Trail (CAT)," said Neil Palmer, CTO of SunGard's Advanced Technology business, in an email to InformationWeek. "Specifically, the transmitted data from the broker dealers and securities exchanges will be independently encrypted and owned by the market participants allowing even greater control."

Amazon Web Services and Microsoft Azure have implemented support for customer-held keys through AWS Key Management Service and Azure Key Vault, and through partner services like SafeNet's ProtectV. Google, however, is offering Customer-Supplied Encryption Keys for free.

Google is making Customer-Supplied Encryption Keys available as beta software in Canada, France, Germany, Japan, Taiwan, the UK, and the US. As such, it's not covered under the Cloud Platform SLA.

Google Compute Engine customers may not have to pay to bring their own keys, but they'd be well advised to pay attention to keeping their keys: Google won't be able to help customers recover their data if they lose their keys.
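The model Law describes, and the warning above, put key generation, validation and record-keeping on the customer. The following is an added example, not Google's code: it generates a 256-bit key in the base64 form a Compute Engine CSEK takes, checks a supplied key before use, writes a gcloud-style key file (the JSON layout and the disk URI are assumptions here), and records a SHA-256 fingerprint so the customer can track which key protects which disk without storing the key beside the inventory.

```python
import base64
import hashlib
import json
import secrets

KEY_BYTES = 32  # Compute Engine CSEKs are 256-bit AES keys, supplied as standard base64


def generate_csek() -> str:
    """Return a fresh 256-bit key, base64-encoded. The customer keeps this; Google does not."""
    return base64.b64encode(secrets.token_bytes(KEY_BYTES)).decode("ascii")


def validate_csek(key_b64: str) -> bool:
    """True only if the string is well-formed base64 that decodes to exactly 32 bytes."""
    try:
        raw = base64.b64decode(key_b64, validate=True)
    except ValueError:  # binascii.Error (bad alphabet or padding) is a ValueError
        return False
    return len(raw) == KEY_BYTES


def key_fingerprint(key_b64: str) -> str:
    """Base64 SHA-256 of the raw key: safe to store in an inventory, reveals nothing about the key."""
    raw = base64.b64decode(key_b64, validate=True)
    return base64.b64encode(hashlib.sha256(raw).digest()).decode("ascii")


def build_key_file(disk_uri: str, key_b64: str) -> str:
    """Assumed gcloud key-file layout: a JSON list of {uri, key, key-type} entries."""
    if not validate_csek(key_b64):
        raise ValueError("CSEK must be a base64-encoded 256-bit key")
    return json.dumps([{"uri": disk_uri, "key": key_b64, "key-type": "raw"}], indent=2)


if __name__ == "__main__":
    # Constructed disk URI; the project, zone and disk names are placeholders.
    uri = "projects/example-project/zones/us-central1-a/disks/example-disk"
    key = generate_csek()
    print(build_key_file(uri, key))
    print("fingerprint:", key_fingerprint(key))  # record this, and keep the key itself offline
```

Losing the key file leaves the fingerprint as the only artifact, which identifies the key but cannot reconstruct it or the disk contents.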

As Law observed, "With great power comes great responsibility!"

About the Author(s)

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.
