Google's Cloud Lets You Bring Your Own Encryption Keys

By supplying their own encryption keys, organizations can reduce the chance that an outside party will be able to gain access to their data, at least while it's at rest. Now Google's cloud platform offers the option.

Thomas Claburn, Editor at Large, Enterprise Mobility

August 3, 2016

3 Min Read
<p style="text-align:left">(Image: <a href="https://pixabay.com/en/enigma-encryption-cryptologic-army-883925/">Pixabay</a>/Enigma encryption machine)</p>

10 Hot Security Technologies Enterprises Need Now

10 Hot Security Technologies Enterprises Need Now


10 Hot Security Technologies Enterprises Need Now (Click image for larger view and slideshow.)

After more than a year of beta testing, Google Cloud Platform now officially supports customer-supplied encryption keys (CSEK) for Compute Engine, the company's infrastructure-as-a-service offering.

For IT organizations that take data security seriously, the ability to supply, control, and manage encryption keys has become highly desirable, for the sake of legal compliance and for simple reassurance. In a statement, Neil Palmer, CTO of advanced technology at FIS Global, a Google Cloud Platform customer, characterizes CSEK as "a critical feature."

Since Edward Snowden's 2013 revelations about the extent of online surveillance by government agencies, it has become clear that third-party cloud services can be compelled to provide encryption keys that they control. There's also the risk that cloud service providers may lose control of keys through vulnerabilities.

"With CSEK, disks at rest are protected with your own key that cannot be accessed by anyone, inside or outside of Google, unless they present your key," explain Google product managers Maya Kaczorowski and Eric Bahna in a blog post. "Google does not retain your keys and only holds them transiently to fulfill your request, such as attaching a disk or starting a VM."

According to Google's Transparency Report, government demands for user data have increased every year since the company began keeping track in 2009. The number of data breaches in the US reached 781 in 2015, only two shy of the record 783 breaches in 2014, according to the Identity Theft Resource Center.

Google began allowing customers to supply and manage their own encryption keys in June of last year. It's somewhat late to the game. Amazon Web Services began offering CSEK, also referred to as "bring your own key" (BYOK), on its S3 storage service in June 2014, and it added the AWS Key Management Service in November that year.

Microsoft Azure introduced support for CSEK in January, 2015. Box followed suit a month later. Last month, Salesforce jumped on the self-supplied encryption key bandwagon.

[See 7 Ways Cloud Computing Propels IT Security.]

While data encryption is advisable for any organization that has to protect data, it's not a guarantee that that data will remain secure. Earlier this year, the FBI sought to compel Apple's assistance to create a special version of iOS that would allow it to undo the encryption features built into the iPhone.

Apple resisted the demand, and the FBI ultimately was able to access the device with the help of a third party and an undisclosed vulnerability. The lesson here for information technology professionals is that any third-party involvement with data represents a potential point of failure for security.

Google presently offers CSEK in Canada, Denmark, France, Germany, Japan, Taiwan, the UK, and the US. Later this month, it plans to expand availability to Australia, Italy, Mexico, Norway, and Sweden.

(Cover Image: D3Damon/iStockphoto)

About the Author

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights