Thales Blog

Implement Signed Access Approval in Google Cloud External Key Manager with CipherTrust Data Security Platform

September 29, 2022

Scotti Woolery-Price | Partner Marketing Manager, Thales

As a trusted technology partner, Thales enhances Google Cloud by delivering superior data protection that empowers customers to seize greater control of their sensitive data. With ever-increasing requirements for digital sovereignty and data control across public clouds, Thales and Google Cloud have a history of offering best-in-class platform integrations that exceed regulatory requirements and mitigate the increasing risks present in the cyber threat landscape.

Google Cloud has long been a proponent of the shared fate model within the cloud security ecosystem. They do this by securing their cloud infrastructure while empowering customers to secure their own data themselves. This shared responsibility model goes hand-in-hand with the core concept of separation of duties. While not a new concept, separation of duties becomes increasingly important in the cloud.

This latest innovation enables the next level of trust in the shared responsibility model by giving customers more control over who has access to their sensitive data. Signed Access Approval is a new feature that allows customers to grant their explicit approval whenever Google support and engineering need to access their data.

Signed Access Approval creates enhanced control for the customer over their own data. Customers that wish to use their own signing key can bring an externally-managed key using Google Cloud External Key Manager. This provides an additional layer of defense against cyberattacks, especially those that involve rogue insiders or bad actors impersonating an actual user.

Google Cloud’s latest integration with Thales allows for asymmetric keys (one public and one private) to be issued through External Key Manager with Signed Access Approvals in conjunction with Thales’ CipherTrust Cloud Key Manager.

For this solution, a customer brings their own key for signing approvals. The customer then defines their separation of duties by assigning a trusted person outside of Google Cloud Platform. Signed Access Approval is currently available for customer configurations that use Thales external key management systems.

CipherTrust Cloud Key Manager is the industry-leading multicloud encryption key lifecycle management solution, with support for major cloud providers such as AWS, Google Cloud Platform (GCP) and Microsoft Azure Cloud, and for key SaaS solutions like Google Workspace, M365, SAP and Salesforce.

Thales has been leading technology innovation with Google Cloud integrations since Google’s first BYOK offering in 2017. Our most recent joint technology solutions include:

  • Encryption for Google Meet, Google Calendar and Google Drive on Google Workspace.
  • Google Cloud Virtual Private Cloud (VPC) network which allows the connection between Google Cloud and CipherTrust Cloud Key Manager to take place over the internet, or mediated through a VPC. VPC can increase performance for wrap and unwrap operations, and consolidate network management in a secure Google Cloud environment.
  • Support for Google Workspace Client-side encryption by architecting the first “service listener” in CipherTrust Cloud Key Manager so that it could instantly field requests from browsers for key wrap or unwrap operations.
  • Service listener to support Google Cloud Platform’s HYOK system known as Google Cloud External Key Management or EKM.
  • HYOK with EKM delivers customer key ownership with revocation by default. The key that data initially was encrypted with exists in Google only ephemerally. Robust access controls are based on granting access to keys for each Google Cloud Project before they can be used.
  • External Key Management for Ubiquitous Data Encryption, which leverages the power of Google Cloud Confidential Computing to enable customers to trust Google Cloud more by removing implicit trust. By using CipherTrust Cloud Key Manager to configure rules for wrapping and unwrapping keys, customers can address a wealth of specific use cases for the technology.

To learn more, join us as we participate in Google Cloud NEXT on October 11-13, 2022 with a security session, “Solutions for Protecting Your Data and Meeting Compliance Using Encryption,” hosted by Il-Sung Lee, Cloud Security at Google, and Sol Cates, Principal Technologist at Thales. In this talk we will go over best practices on how to securely configure, manage and deploy a cloud key infrastructure using the powerful and easy-to-use tools in Google Cloud Platform.