Google is finally giving administrators the ability to manage their encryption keys in Google Cloud Platform (GCP) with its Cloud Key Management Service (KMS). Google is the last of the three major cloud providers to provide the key management service, as Amazon and Microsoft already have similar offerings.
The Cloud KMS, currently in beta, helps administrators manage the encryption keys for their organization without having to maintain an on-premises key management system or deploy hardware security modules. With Cloud KMS, administrators can manage all the organization’s encryption keys, not only the ones used to protect data in GCP.
Administrators can create, use, rotate, and destroy AES-256 symmetric encryption keys via the Cloud KMS API. Multiple versions of a key can be active at any time for decryption, but only one primary key version can be used for encrypting new data. The rotation schedule can be defined to automatically generate a new key version at fixed time intervals. There’s also a built-in 24-hour delay when trying to destroy keys to prevent accidental or malicious loss. Cloud KMS integrates with GCP’s Cloud Identity Access Management and Cloud Audit Logging services so that administrators can manage permissions for individual keys and monitor usage.
Cloud KMS also provides a REST API that allows AES-256 encryption or decryption in Galois/Counter Mode (AES-GCM), the same encryption Google uses internally to encrypt data in Google Cloud Storage. AES-GCM is implemented in the BoringSSL library maintained by Google, and the company continually checks for weaknesses in the encryption library using several tools, “including tools similar to the recently open-sourced cryptographic test tool Project Wycheproof,” said Google product manager Maya Kaczorowski on the Google Cloud Platform blog.
Compared to AWS and Windows Azure, GCP has lagged in encryption. Amazon introduced customer-supplied encryption keys (CSEK) to AWS customers for its S3 service in June 2014, and it introduced the AWS Key Management Service later that year. Microsoft added CSEK via Key Vault in January 2015. Google began offering CSEK in June 2015 and is only now rolling out Cloud KMS.
Google Cloud Storage manages server-side encryption by default, and administrators have to specifically select “Cloud Key Management Service” to manage the keys in the cloud service, or “Customer Supplied Encryption Keys” to manage the keys on-premises. CSEK is also available with Compute Engine.
Kaczorowski said organizations in regulated industries, such as financial services and health care, can benefit from hosted key management services “for the ease of use and peace of mind that they provide.” However, administrators should evaluate whether the convenience is worth the possibility that if the government has a legal order compelling Google to provide information about the keys, the company will have to comply because it has access to all the keys managed by the service.
There’s another potential hiccup for administrators to consider if the organization gathers personal information from Europeans. The European General Data Protection Regulation applies to European personal data regardless of where in the world it is stored, and regulators have in the past recommended against storing encryption keys with the same cloud provider that stores the data. If the key is kept securely by the organization, the cloud provider can do nothing beyond maintaining access to and availability of the data. Using GCP and Cloud KMS together may or may not be acceptable to European regulators.
“Encryption is only effective if you separate the encrypted data from the key storage. Using the same vendor, be it AWS or Google, to store the keys and data still raises compliance and security challenges for many businesses,” said Pravin Kothari, founder, chairman, and CEO of cloud encryption company CipherCloud.