Google Offers New Encryption Key Management Option for Cloud Customers

Google's Customer-Managed Encryption Keys feature offers Cloud Platform customers better control over data encryption without the associated overhead, the company says.


Business customers of Google's cloud platform now have another option for protecting data on disks, images and backup resources in the cloud. 

The company June 22 announced beta availability of a customer-managed encryption keys (CMEKs) feature that is aimed at giving enterprises more control over the default encryption that Google uses to protect data at rest in the cloud. 

With the CMEK option, businesses can use Google's Cloud Key Management Service (KMS) to create and manage keys for protecting the keys that Google uses to encrypt their data.  

The so-called 'key encryption keys' that organizations can create with KMS cannot be used to directly encrypt or decrypt data on Google's cloud infrastructure. Instead they are meant to protect the encryption keys that Google has already used to encrypt data. 

The idea is to give enterprises a way of ensuring that nobody, including Google employees, can access encrypted data in Google's cloud without the additional key. 

"These customer-managed encryption keys (CMEKs) provide you with granular control over which disks, images and snapshots will be encrypted," Google product manager Sirui Sun said in a blog announcing beta availability of the feature. 

CMEK is one of two options that Google now offers for creating key encryption keys on its cloud platform. The other option, which the company has been offering for some time, is called customer-supplied encryption keys (CSEK). 

The CSEK option is designed for organizations that want the highest level of control available over the encryption used to protect their data. With CSEK, enterprises entirely create and manage their own key encryption keys. Enterprises keep the encryption keys on their own premises and are responsible for managing them as well. 

With the new CMEK, on the other hand, the key encryption keys are stored in one central cloud key management service. The option gives organizations a way to manage encryption in the same manner they would on premises, according to Google. It provides enterprises with a root of trust over their data that can be monitored. 

With the new customer-managed encryption keys option, Google's key management service also automatically knows the keys that are assigned to specific encrypted resources. With CSEK, enterprises are responsible for specifying the customer-supplied keys that are assigned to each resource. 

The CMEK feature extends the range of encryption management options available with Google cloud, Sun said. At one end of the spectrum is the default encryption of data at rest that Google offers all customers. 

With this option, all data on disks is automatically encrypted and Google manages the keys for the customers. The CSEK option represents the other end of the spectrum and is meant specifically for organizations that are required to meet and demonstrate adherence to specific data protection mandates. 

The customer-managed key management option that Google announced this week sits in the middle of the spectrum. It is targeted at organizations that want more control over the encryption used to protect their data but do not want to deal with the associated work, Sun said. 

Jaikumar Vijayan

Vijayan is an award-winning independent journalist and tech content creation specialist covering data security and privacy, business intelligence, big data and data analytics.