View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
November 21, 2019updated 19 Jul 2022 10:05am

GCP Touts New “Lock Google Out” Encryption Offerings

GCP: You can use third-party key management and set tight access controls...

By CBR Staff Writer

Two new Google Cloud encryption tools will let users “deny Google the ability to decrypt your data for any reason” – and let customers create, use and store their own encryption keys outside of GCP’s infrastructure.

(Azure lets customers “bring your own key”, or BYOK, but it must be stored in Azure Key Vault. To use an Hardware Security Module-protected key, customers have to fork out for a premium service tier. With AWS, BYOK is also possible, but storage is via AWS’s key management service).

The external key manager programme and complementary “key access justifications” toolkit are coming to beta and alpha releases “soon” GCP said, without naming a specific date – suggesting work is still ongoing to finesse the offering; which will initially just be available for two GCP services.

The New Google Cloud Encryption Tools

External Key Manager

The first of the two is an external key manager offering, dubbed – unsurprisingly – “External Key Manager”.

This lets users encrypt data in the cloud provider’s BigQuery and Compute Engine, with encryption keys stored and managed in a third-party key management system deployed outside Google’s infrastructure.

GCP is teaming up with five key management vendors to launch the offering: EquinixFortanixIonicThales and Unbound, it said.

Read this: This Old Brewery Hides Three Data Centres, 90 ISPs and 14 Generators: We Paid a Visit to Learn More

The launch comes as many cloud users remain sceptical about the security of cloud services and indeed, of the cloud providers themselves: co-location data centres like Interxion and Equinix typically already provide “key guardian” services – hosted Hardware Security Module (HSM) units so customers can manage their cryptographic keys on-site – and facilitating tighter integrations with cloud-hosted data or infrastructure is a logical next step.

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

Key Access Justifications

The second new offering, Key Access Justifications provides a “detailed justification each time one of your keys is requested to decrypt data, along with a mechanism for you to explicitly approve or deny providing the key using an automated policy that you set.”

Key Access Justifications is coming “soon” to alpha for BigQuery, and Compute Engine/Persistent Disk and covers the transition from data-at-rest to data-in-use, GCP said, with early adopters able to sign up here.

The company has promised further technical details and Computer Business Review will update this piece when we see them.

BYOK and increasingly customisable encryption offerings are increasingly popular and both SaaS and IaaS vendors are racing to provide more offerings.

Slack in March announced that it would let customers bring their own encryption keys, while MongoDB earlier this year trumpeted its new “Field Level Encryption” that lets users encrypt specific database fields with their own key, whilst allowing application code to run unmodified for most database read and write operations so devs don’t need to modify their query code.

Read this: Field Level Encryption: A Database Security Game-Changer?

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.