Google is to give customers a say in the encryption used to protect their data in the cloud.
The announcement was made in a blog post titled Bring Your Own Encryption Keys to Google Cloud Platform, written by Leonard Law, Product Manager. In it, Law announced that Customer-Supplied Encryption Keys for Google Compute Engine were now officially in beta.
Google currently uses industry-standard 256-bit AES encryption, and customers who do not want to bring their own encryption keys will continue to have their data protected by Google. Instead, this feature is aimed at customers who already have an encryption policy and products, and who want to extend their on-premises protection to their Google cloud instances.
Google will not have access to the encryption keys
According to a comment from Law in the release: “Customer-Supplied Encryption Keys marries the hardened encryption framework built into Google’s infrastructure with encryption keys that are owned and controlled exclusively by you.
“You create and hold the keys, you determine when data is active or at rest, and absolutely no one inside or outside Google can access your at rest data without possession of your keys. Google does not retain your keys, and only holds them transiently in order to fulfill your request.”
The blog calls out four key reasons for customers to take advantage of Customer-Supplied Encryption Keys:
- Secure: All of your compute assets are encrypted using the industry-leading AES-256 standard, and Google never retains your keys, meaning Google cannot decrypt your data at rest.
- Comprehensive: Unlike many solutions, Customer-Supplied Encryption Keys cover all forms of data at rest for Compute Engine, including data volumes, boot disks, and SSDs.
- Fast: Google Compute Engine is already encrypting all of your data at rest, and Customer-Supplied Encryption Keys gives you greater control, without additional overhead.
- Included Free: We feel that encryption should be enabled by default for cloud services; we’re not going to charge you more for the option to bring your own keys.
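The quote above describes the operating model: the customer generates the key, keeps it, and supplies it with each request; Google uses it only for the duration of that request. The following is an added example, not code from the original article or from Google, showing the customer-side half of that model: generating a 256-bit key with a cryptographic random source, checking that a supplied key really is 32 bytes of standard base64 (the form Compute Engine expects for a raw key), and building a key-file entry for the gcloud --csek-key-file option. The project, zone and disk names are placeholders, and the exact key-file layout (uri, key, key-type) is reproduced from memory of Google's documentation and should be treated as an assumption to check against the current docs.

```python
import base64
import json
import secrets

KEY_BYTES = 32  # AES-256 needs a 256-bit key, i.e. exactly 32 raw bytes


def generate_csek() -> str:
    """Generate a fresh 256-bit key and return it as standard base64.

    secrets.token_bytes draws from the OS CSPRNG; never derive the key
    from a password or a non-cryptographic RNG.
    """
    return base64.b64encode(secrets.token_bytes(KEY_BYTES)).decode("ascii")


def validate_csek(key_b64: str) -> bool:
    """Return True only if key_b64 is strict base64 decoding to 32 bytes.

    validate=True rejects characters outside the base64 alphabet instead
    of silently discarding them, so a corrupted key is caught here rather
    than as an opaque API error later.
    """
    try:
        raw = base64.b64decode(key_b64, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    return len(raw) == KEY_BYTES


def key_file_entry(project: str, zone: str, disk: str, key_b64: str) -> dict:
    """Build one entry of a gcloud CSEK key file.

    Layout assumption: a JSON list of objects with "uri", "key" and
    "key-type" ("raw" for a plain base64 key). Verify against current docs.
    """
    if not validate_csek(key_b64):
        raise ValueError("CSEK must be standard base64 of exactly 32 bytes")
    uri = (
        f"https://www.googleapis.com/compute/v1/projects/{project}"
        f"/zones/{zone}/disks/{disk}"
    )
    return {"uri": uri, "key": key_b64, "key-type": "raw"}


def write_key_file(path: str, entries: list) -> None:
    """Write the key file. It now holds the only copy of the key Google
    never retains, so protect it like any other secret."""
    with open(path, "w") as f:
        json.dump(entries, f, indent=2)


if __name__ == "__main__":
    # Placeholder project/zone/disk names (constructed for this example).
    key = generate_csek()
    entry = key_file_entry("example-project", "us-central1-a", "example-disk", key)
    write_key_file("csek.json", [entry])
    print("wrote csek.json; now run, for example:")
    print("  gcloud compute disks create example-disk "
          "--zone us-central1-a --csek-key-file csek.json")
```

Because Google holds the key only transiently, the key file (or whatever key store replaces it) is the single point of recovery: if it is lost, the disk contents are unrecoverable by anyone, Google included. That is the "manage and protect their keys" obligation the article returns to later, and in practice it means backing the key up under the same controls as an on-premises HSM or key vault before the first disk is created with it.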
The documentation that Google has issued is easy to follow and will make it relatively simple for most companies to bring their own keys to the cloud. This means that this is not just about an enterprise play but something that will also play well in the SME market and even be taken up by individuals.
A bold move that will not amuse law enforcement
This is a bold move by Google, and one that will not endear it to law enforcement agencies around the world that are concerned about the spread of strong encryption. In taking this approach, Google has sidestepped the problem Microsoft is still struggling with over the release of data held in overseas data centres.
This move also allows Google to put the onus back on companies to deal with requests for data access. Most European countries have laws that require companies to hand over their encryption keys on production of a court warrant. This is one of the reasons why companies moved their data offshore and used third parties to encrypt it. If they do take advantage of this new feature, they will need to work out how they manage and protect their keys.
It may also go a long way towards dealing with increasing pressure from governments around the world that do not want data stored out of country. Like many other cloud players, Google wants the economies of hyper-scale, which do not equate to building two data centres in every country so that it can provide data resiliency as well as cloud services.
It will be interesting to see how long it takes for Google’s competitors to react to this. While some cloud storage companies have been offering a similar approach, major cloud competitors, such as Microsoft and IBM, have yet to make their announcements. The question is whether those competitors will wait to see what the customer take-up is before they react, or whether there will now be a rush of similar announcements.
Conclusion
A good move by Google that puts it ahead of its main cloud competition. While the initial beta is available in just a few countries, the key metrics that will make this a success are customer take-up and the speed of roll-out across all Google cloud locations.