Thales Blog

Keep your encryption keys to increase control of data you store and process in the cloud

December 7, 2020

Paul Hampton | Cloud Security Expert, Thales

According to the 2020 Thales Data Threat Report - Global Edition:

  • Nearly all (98%) of organizations surveyed have some data in the cloud
  • Half of all data is in the cloud
  • An estimated 48% of that data in the cloud is sensitive

This brings us to the quandary my colleague Sol Cates outlined in his blog post late last year: who should hold the keys to encrypted data, and how should they hold them, in order to achieve compliance, meet internal security requirements, and reduce the risk of reputational damage caused by a breach?

What is Google Cloud’s EKM?

Google Cloud’s response has been to develop the Cloud External Key Manager (Cloud EKM) service, which helps organizations achieve this next level of control over how and when their encryption keys are used to protect and access encrypted data. According to Google Cloud, EKM lets you “use keys that you manage within a supported external key management partner to protect data within Google Cloud. You can protect data at rest in BigQuery, Compute Engine, Google Kubernetes Engine: Data on VM disks or Application-layer Secrets, Cloud SQL or by calling the Cloud Key Management Service API directly.”

Integrating with CipherTrust Key Broker

To help organizations benefit from this enhanced level of control, we have integrated our CipherTrust Key Broker service with Google Cloud EKM. The CipherTrust Key Broker for Google Cloud EKM is available on Thales’s Data Protection on Demand platform.

CipherTrust Key Broker makes it easy for organizations to follow security and key management best practices while leveraging the power of Google Cloud for computing and analytics. By generating encryption keys using CipherTrust Key Broker, organizations can verify the origin and quality of the keys they are providing to the cloud provider, while maintaining the original version of the key outside of the Google Cloud environment. Organizations hold their master keys in a Thales Luna Cloud HSM, which acts as the trust anchor for the CipherTrust Key Broker solution. This provides a FIPS 140-2 Level 3 certified root-of-trust, and ensures separation between sensitive data and encryption keys, helping to fulfill compliance and security requirements.

Moreover, CipherTrust Key Broker for Google Cloud EKM keeps round-trip latency low when carrying out key management operations and controls, so the added control does not come at the cost of performance.

Addressing key management

Google Cloud’s EKM is a cloud-native service that interacts with the CipherTrust Key Broker service via a single URL, which simplifies configuration and deployment. Keys created externally by the CipherTrust Key Broker are then managed from a single location in a user-friendly console in Thales Data Protection on Demand. Master keys are stored outside of Google Cloud in the Luna Cloud HSM. There is no new hardware to buy and deploy, as all CipherTrust Key Broker services use Luna Cloud HSM as a root-of-trust.

Enhanced key use policies and access control

CipherTrust Key Broker enables organizations to control who can access encryption keys, and to create policies around why, where, and how a key can be used. Cryptographic operations are performed, and master encryption keys are stored, outside of Google Cloud, so access to data at rest for compute, storage and analytics requires the key holder to explicitly grant access to the external key.

Key Access Justifications decide when and why data can be decrypted

Key Access Justifications, a feature of Google Cloud External Key Manager, let you decide when and why data can be decrypted. They provide a detailed justification each time a key is requested to decrypt data, and they provide a mechanism by which users can explicitly approve or deny key use through an automated policy that they set. Organizations can deny Google the ability to decrypt their data for any reason. As a result, the customer organization ultimately controls access to its data. This level of control is not yet available from most leading cloud providers.
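The approve-or-deny policy just described, as an added example that is not Thales or Google Cloud code: a default-deny evaluator that gates decryption on the justification presented with each key request and records every decision for audit. The reason codes follow Google's published Key Access Justifications codes as I recall them (treat the exact strings as assumed); the request and audit-record shapes are constructed for this example, not the Cloud EKM wire format.

```python
# Added example, not Thales or Google Cloud code: a minimal policy evaluator of
# the kind an external key manager applies to Key Access Justifications (KAJ).
# Assumed: the reason strings follow Google's published KAJ reason codes as I
# recall them; request and audit-record shapes are constructed, not Cloud EKM's.
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Reasons the organization chooses to approve automatically: only requests the
# customer itself initiated. Google-initiated operations, third-party data
# requests and unknown codes all fall through to default deny.
DEFAULT_ALLOWED_REASONS = frozenset({"CUSTOMER_INITIATED_ACCESS",
                                     "CUSTOMER_INITIATED_SUPPORT"})

@dataclass(frozen=True)
class KeyAccessRequest:
    key_id: str      # identifier of the externally held key (constructed value)
    operation: str   # "encrypt" or "decrypt"
    reason: str      # KAJ reason code presented with the request ("" if absent)
    principal: str   # identity on whose behalf the key is requested

@dataclass
class JustificationPolicy:
    allowed_reasons: frozenset = DEFAULT_ALLOWED_REASONS
    audit: list = field(default_factory=list)  # every decision, allow or deny

    def evaluate(self, req: KeyAccessRequest) -> bool:
        """True releases the operation, False denies it.

        Only decryption exposes existing plaintext, so only decryption is gated
        on the justification; a missing or unrecognised reason is denied."""
        if req.operation != "decrypt":
            allowed = True
        else:
            allowed = bool(req.reason) and req.reason in self.allowed_reasons
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "key_id": req.key_id,
            "operation": req.operation,
            "reason": req.reason or "<none>",
            "principal": req.principal,
            "decision": "ALLOW" if allowed else "DENY",
        })
        return allowed

def denied_reasons(policy: JustificationPolicy) -> list:
    """Reason codes that were refused: the feed for alerting on unexpected access."""
    return [e["reason"] for e in policy.audit if e["decision"] == "DENY"]
```

The audit list is what the key holder reviews to see who asked for a key, when, and with what justification; denied entries are the ones worth alerting on.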

Maintain key provenance

CipherTrust Key Broker for Google Cloud EKM lets organizations maintain strict control of the location and distribution of important keys and gain visibility into who has access to keys, when they have been used, and where they are located.

Audited/distributed key availability

CipherTrust Key Broker lets organizations archive encryption keys externally and remove keys and key caches from the cloud environment in which sensitive data is hosted.

For more information, please see this press release and read Thales’s CipherTrust Key Broker for Google Cloud EKM product brief.