Trust Google Cloud More With Ubiquitous Data Encryption

As you move data to the cloud, you face the important question of how to verifiably protect data from unauthorized access without limiting your options for storage and processing. Using public cloud services requires you to place inherent trust in your cloud provider, which can be uncomfortable for your most sensitive data and workloads. On Google Cloud Platform, you can use solutions such as Cloud External Key Manager (EKM) when encrypting data-at-rest to store and manage keys outside of Google’s infrastructure and Confidential Computing to encrypt data-in-use with keys that remain resident in the processor and unavailable to Google.  However, while these solutions can reduce the level of implicit trust surrounding data at-rest or in-use, you still need to trust the cloud provider when data  transitions from one state to another, or when the data is in-transit.  So how do you deal with these challenges?

At Cloud Next 2021, we announced a first of its kind solution that provides customers with ubiquitous data encryption which delivers unified control over data at-rest, in-use, and in-transit, all with keys that are under your control.  With ubiquitous data encryption:

• You control the access to your data regardless of whether it’s on storage, in memory, or in flight
• You can take full advantage of compute and storage power of GCP
• You can reduce your level of implicit trust in Google

To build this solution, we leveraged Google Cloud’s confidential computing and Google Cloud EKM, working with partners, including Thales, to ensure that you can continue to use your existing EKM setup. In doing so, we made it possible to seamlessly encrypt your data as they are sent to the cloud, using your external key management solution, in a way that only a confidential VM can decrypt and compute on it. In order to make sure the key can only be used in a confidential environment, we leverage Confidential VM’s attestation feature.

How to setup and use ubiquitous data encryption

The workflow to set up and use this capability is designed to be simple:

1. Start by creating an encryption key outside GCP using your current external key management solution (for this solution, we currently support Thales Ciphertrust, with more EKM partner integrations to come)
2. Grant access to your EKM encryption keys to the Confidential VM service
3. Use the gsutil tool to upload your data to Google Cloud Storage (GCS) using our lib. This will seamlessly encrypt your data using the key generated in Step 1.
4. In your application running in a confidential VM, use gsutil to download the GCS data using our lib. This will seamlessly decrypt your data without revealing the key outside the confidential VM.
5. If the application tries to access the GCS data on a non-confidential VM, it will fail when attempting to decrypt the data.

Advanced configuration options

You can also add additional safeguards and optionally require more than one party to authorize access to your encryption key: for example, you can require a Cloud KMS key, in addition to your on-prem encryption key, to be present for every decryption operation. This provides even more control over the key access model, because it splits the ability to encrypt and decrypt across multiple parties.

Customers handling highly regulated financial services data have started seeing immediate results from this integration between Confidential Computing and Cloud EKM:

“Google’s new ubiquitous data encryption capabilities will allow us to bring more of our data and workloads to the cloud. Being able to encrypt data at-rest, in-use, and in-transit with a key that we control allows us to continue to meet our strict data security standards while being able to take advantage of the powerful storage and compute capabilities of Google Cloud.”– Jörn-Marc Schmidt, Vice President, Cryptography Engineering & Solutions, Deutsche Bank

Take the next step

In summary, this new ubiquitous data encryption solution can help reduce your implicit trust in Google Cloud so you can bring even more of your sensitive data to  GCP. Please see our documentation for more information and reach out via this form to get started or with comments or questions.