The Thales partnership with Google Cloud takes a huge step forward with the announcement of Google Cloud ubiquitous data encryption. I’d like to review a few things before discussing the latest technology because this innovation builds on previous ones like a well-crafted skyscraper depends on a great foundation!
First, kudos to Google Cloud for providing crucial tools to enable customers to fulfill their part of the shared responsibility model for cloud security. Shared responsibility implies that customers and the cloud service provider are responsible for the security of their data in the cloud. Google has gone a step further to facilitate assurances beyond the notion of shared responsibility, but that is a topic for another blog. A lesser known interpretation of the model on which Google is taking the lead is the notion of reducing implicit trust in cloud providers.
Google refers to partners like Thales to help their customers with the shared responsibility model. Thales has been delivering innovation for Google Cloud and Google Workspace for many years, beginning with support in 2017 for Google’s first BYOK solution, Customer-Supplied Encryption Keys (CSEK). CipherTrust Cloud Key Manager (CCKM) is the industry-leading multicloud encryption key lifecycle management solution, with support for Google Cloud, Microsoft, AWS and Salesforce Bring Your Own Key (BYOK) and Hold Your Own Key (HYOK) technologies. CCKM delivered support for Google Cloud Platform Customer-Managed Encryption Keys for the first time in 2020. Our latest innovations in 2021 are worth a closer look:
- In June, we launched support for Google Workspace Client-side encryption by architecting the first “service listener” in CipherTrust Cloud Key Manager so that it could instantly field requests from browsers for key wrap or unwrap operations
- Just last month, we created another service listener to support Google Cloud Platform’s HYOK system known as External Key Management or EKM
HYOK with EKM delivers customer key ownership with revocation by default. The key that data initially was encrypted with exists in Google only ephemerally. Robust access controls are based on granting access to keys for each Google Cloud Project before they can be used.
This takes me to the news in this article. Google is implementing a new use case for EKM called Ubiquitous Data Encryption, or UDE. UDE leverages the power of Google Cloud Confidential Computing to enable our customers to trust Google Cloud more by removing implicit trust. But this requires both Confidential Computing and an External Key Manager working together with CCKM. Support for UDE is offered as an option for the existing EKM service listener in CCKM. Using CipherTrust Cloud Key Manager to configure rules for wrapping and unwrapping keys you can see a wealth of specific use cases for the technology. In the illustration, you can see that confidential computing attestation can be required for encryption, decryption, both or neither. The choices result in these sample use cases:
- Confidential computing required for decryption and encryption: A data encryption key (DEK) generated within a GCP confidential VM is wrapped by a CCKM key encryption key (KEK). Key unwrapping and data access is possible only by an attested, confidential VM.
- Confidential computing required only for decryption: a DEK may be generated on-premises, then wrapped by a CCKM KEK. Data encrypted with the DEK is uploaded to Google Cloud. If confidential computing is required for the DEK to be decrypted, there is assurance that data access is only allowed by a verified confidential VM.
- Confidential computing required only for encryption: A DEK generated within a GCP confidential VM is then wrapped by a CCKM KEK. In the cloud, use of the unwrapped DEK is possible only by an attested, verified confidential VM. However, if the data is migrated from cloud to on premises, unwrapping may be permitted by a non-confidential computing environment, while retaining the assurance that data originated in a confidential VM.
- Confidential computing not required: A DEK may be generated on- premises in a non-confidential environment and wrapped by a CCKM KEK. The data moves to another regular environment (on cloud or on-premises). Key unwrapping and hence data access is possible in a second regular environment but only with access to and permission from CCKM.
We’re proud to deliver this innovative new technology in support of UDE coincident with Google Cloud’s announcement of UDE at Google Cloud Next ‘21.