Thales background banner

Google Cloud Platform Security

Bring Your Own Encryption, Bring or Hold Your Own Key, Secure Identity Verification

Google Cloud Security

Secure Workloads Across Hybrid Clouds Including Google Cloud

Information technology workloads in Google Cloud can deliver both convenience and cost savings. However, you still need to follow security, privacy and compliance rules, as well as best practices, for protecting data. Further, you need rapid data mobility across all clouds you currently use and those in your future, a need which can be compromised with cloud-vendor-specific encryption solutions. And, as one of the few hyperscaler cloud service providers, Google Apps qualify Google as both an IaaS/PaaS and SaaS provider. And the best way to protect SaaS is with comprehensive identity verification.

While Google Cloud encrypts all customer data at rest, Thales and Google have forged a relationship to help Google Cloud customers further protect their sensitive information. The solutions discussed here are part of the Thales and Google Cloud relationship.

Google Cloud Partner Logo

How do you secure Google Cloud Platform?

Multiple tools are needed to secure Google Cloud Platform (GCP): Google Cloud Bring Your Own Key (BYOK) and Hold Your Own Key (HYOK), bring your own encryption, and policy-based access management with smart single sign on (SSO) and multifactor authentication (MFA).

Find and Classify Sensitive Data to Protect and Control on GCP

Choose solutions that give you discovery, protection and control of data stored on premises, in Google Cloud, and in other clouds.

Use technology that  enables you to find and classify sensitive data subject to data privacy or protection mandates worldwide and then protect and control the data with advanced encryption and policy-based access management. Or you can architect applications to be cloud-native and protect data using vaultless tokenization with dynamic data masking.

Locate regulated data with streamlined workflows that help eliminate security blind spots. Built-in discovery and classification templates offer a quick start with the flexibility needed to create new policies. Detailed reports can demonstrate compliance with rules, regulations and laws. Discover how CipherTrust Data Discovery and Classification can help.

When is advanced data encryption needed and what will it do for Google Cloud Data Security?

Advanced data encryption is needed if you're either:

  • 100% Google Cloud-based with stringent data security controls, OR
  • Running hybrid clouds with data distributed across your on-premises private cloud, multiple cloud providers, and in Google Cloud

What will Transparent Encryption do for Google Cloud Data Security?

  • Strengthen data security with granular access policies that protect against unauthorized access – even ransomware attacks
  • Deliver a fast return on investment with a non-intrusive, flexible implementation. Encryption agents are available for many Windows versions and Linux distributions that run in Google Cloud Platform

CipherTrust Transparent Encryption protects data without changes to applications, databases, infrastructure or business practices. Google Cloud encrypts all data at rest, but, like other “full disk encryption” solutions, delivers data to operating systems in the clear. Most data thefts are due to compromises in the operating system, applications, or users. Thales’s bring your own encryption (BYOE) solutions protect data in the operating system or at the application layer, depending on your needs.

Cloud native applications might not have operating systems on which to run Transparent Encryption. Thales can help secure your data in cloud native applications:

Key Lifecycle Management

Google Cloud Platform offers three mechanisms that allow you to own encryption key material.

Thales supports all three mechanisms: Customer-Managed Encryption Keys (CMEK), External Key Manager (EKM) and Customer-Supplied Encryption Keys (CSEK): 

  • CipherTrust Cloud Key Manager, a multicloud encryption key life cycle management offering from Thales, supports both EKM and CMEK. Read more about CipherTrust Cloud Key Manager
  • The CipherTrust Key Broker service on Data Protection on Demand offers an EKM Service
  • A BYOK application available with CipherTrust Application Data Protection supports the CSEK service

High Assurance Root of Trust with Thales Luna HSMs

Secure and protect your data in Google Cloud with high assurance FIPS 140-2 Level 3-validated Hardware Security Modules (HSMs)

Luna HSMs support Google Customer-Supplied Encryption Keys (CSEK) and the Google Cloud EKM service. For encryption key quality, ownership and convenience, Thales Data Protection on Demand (DPoD) provides a wide range of Cloud HSM and key management services through a simple online marketplace.

Google Recommends Policy-based Access Management for Google Cloud

Use an external Identity Provider (IDP) to protect your access security -- keep control even if the Google Cloud back end is breached.

It is important to not be locked into a single cloud vendor. We recommend you choose an IDP that supports multiple clouds, so when your business needs change -- you aren’t locked in to a single cloud vendor.

SafeNet Trusted Access (STA)

STA is a cloud-based service that acts as the trusted identity provider for on-premises and cloud apps in Google Cloud, other public clouds, and private clouds.

STA provides the ability to securely deploy an access management solution across an organization’s entire environment, across all operating systems and clouds.

STA protects cloud resources at the log in point by using authentication and conditional access, and enforcing policy-based access controls every time a user logs into an app. Read more about SafeNet Trusted Access.

2FA Compliance

Various compliance regulations require two-factor authentication (2FA) for managing cloud resources. STA supports 2FA and can be configured to support multi-factor authentication (MFA) in Google Cloud.

Cloud SSO and MFA for Administrators and Customers

In addition to supporting compliance regulations, STA improves productivity for IT administrators and customers without decreasing security by providing support for Cloud Single Sign On (SSO) and MFA in Google Cloud.

Data Discovery and Protection

Effective, secure use of cloud services involves an increasing number of decisive moments, such as when you consider beginning or expanding your cloud migration. Thales data discovery and classification, advanced encryption, centralized key management, and identity verification solutions give you protection and control of data stored on your premises, Google Cloud, and other clouds. Thales technology enables you to:

  • Take secure advantage of Google Cloud Key Management Services with centralized key management that spans multiple clouds
  • Find and classify sensitive data subject to data privacy or protection mandates worldwide
  • Reduce or eliminate risks arising from compromised credentials with advanced encryption including privileged user access controls
  • Identify attacks faster with data access logging to industry leading SIEM applications
  • Architect applications for the cloud with built-in security using vaultless tokenization with dynamic data masking

 

data discoveryCompatible with Google Cloud direct-attached and network storage resources accessible to Windows and Linux servers in Google IaaS environments, CipherTrust Data Discovery and Classification locates regulated data across unstructured and structured data stores, with a streamlined workflow that helps eliminate security blind spots. The product offers a quick start with built-in discovery and classification templates with the flexibility you need to create new policies. Detailed reports can demonstrate compliance with internal rules as well as external regulations and laws. The solution enables smart decisions on what data to protect with advanced encryption.

Advanced encryption for Google Cloud and beyond

If you’re 100% Google Cloud based with stringent data security controls, or if you’re running hybrid clouds with data distributed across your on-premises private cloud, multiple cloud providers, and in Google Cloud, you need an advanced data encryption solution.

CipherTrust Transparent EncryptionCipherTrust Transparent Encryption protects your files, databases or applications like SAP HANA deployed anywhere, including Google Cloud, without any changes to applications, databases, infrastructure or business practices. Bring your own encryption (BYOE) to Google Cloud and other infrastructure as a service providers! While Google Cloud encrypts data by default, the vast majority of threats to data occur due to compromises in the operating system, applications, or users. Google Cloud serves disk-encrypted data to operating systems in the clear. BYOE operates higher in the stack – in the operating system or at the application layer, protecting data from server or user-based threats.

CipherTrust Transparent Encryption:

  • Strengthens data security with controls against unauthorized access based on granular access policies, including user identity (including for administrators with root privileges), and process, among many others
  • Accelerates breach detection and meets compliance mandates with detailed file access logs directed to your security information and event management (SIEM) system
  • Delivers a fast return on investment with a non-intrusive, flexible implementation. Encryption agents operate on Google Compute Engine or any other server accessing storage, protect Google Cloud Storage, and are available for many Windows versions and Linux distributions

If you are architecting your applications as cloud native, you might not have servers on which to run Transparent Encryption. Thales can help secure your data in cloud native applications:

CipherTrust Tokenization with Dynamic Data Masking integrates with cloud-native apps using RESTful calls. Tokenization secures and anonymize sensitive assets in the data center, big data environments or the cloud for simplified PCI-DSS compliance. Format-preserving or random tokenization protects sensitive fields while maintaining database structure, for a non-disruptive implementation. Then, it’s easy to add policy-based dynamic data masking to applications. The Tokenization Server is available to run in Google Cloud; contact us for that. And you can cluster an on-premises Tokenization Server with one in Google Cloud for the highest performance.

CipherTrust Application Data Protection offers simple-to-use, powerful software tools for application-level key management and encryption of sensitive data. The solution is flexible enough to encrypt nearly any type of data passing through an application. Application-layer data protection can provide the highest level of security, as it can take place immediately upon data creation or first processing and can remain encrypted regardless of its data life cycle state – during transfer, use, backup or copy.

Google Cloud Key Lifecycle Management

Google Cloud Platform offers three mechanisms that allow you to own encryption key material and use it in Google Cloud Platform: Customer-Managed Encryption Keys (CMEK), External Key Manager (EKM) and Customer-Supplied Encryption Keys (CSEK). Across all these mechanisms, Thales offers solutions to enhance encryption key control and data security in Google Cloud Platform.

CipherTrust Cloud Key Manager, a multicloud encryption key life cycle management offering from Thales, supports CMEK for Google Cloud Platform, in addition to various Hold Your Own Key (HYOK) and Bring Your Own Key (BYOK) mechanisms across Microsoft Azure, Amazon Web Services, IBM Cloud and Salesforce.com

The CipherTrust Key Broker service on Data Protection on Demand integrates with Google Cloud External Key Manager (EKM). The solution enables you to:

  • Securely create and control encryption keys separate from where the sensitive data is being hosted
  • Verify the origin and quality of the keys being brought to the cloud
  • Maintain master keys outside of the Google Cloud environment in a Thales FIPS 140-2 Level 3 certified root-of-trust

The key broker service is available in the Google Cloud Marketplace North America and European Union instances.

Key Broker In Google Cloud Marketplace

In support of the Google Cloud Customer-Supplied Encryption Key (CSEK) service, a “Bring Your Own Key” (BYOK) application is available for CipherTrust Application Data Protection and integrates with Google Cloud CSEK to enable customers to supply their own keys for certain Google Cloud Storage products and Google Compute Engine encryption. The CSEK service enables customers to protect the actual encryption keys that are used to encrypt and decrypt their data.

High Assurance Root of Trust with Thales Luna Hardware Security Modules (HSM)

Thales solutions based upon high assurance Luna HSMs and Luna Cloud HSMs (Data Protection on Demand) can help secure and protect your data in Google Cloud. Luna HSMs are FIPS 140-2 Level 3-validated, offering high assurance encryption key and digital identity protection -- ultimately helping you to meet compliance and audit needs and following the security best practice of keeping your keys separate from your data. With Luna HSMs you have the flexibility to leverage Google Cloud services, the ability to both own and control your encryption keys and reduce the risk of unauthorized data access. Luna HSMs support Google Customer-Supplied Encryption Keys (CSEK) and the new Google Cloud EKM service.

For both encryption key quality, ownership and convenience, Thales Data Protection on Demand (DPoD) provides a wide range of Cloud HSM and key management services through a simple online marketplace.

  • Luna Cloud HSM – With Luna Cloud-based HSM services, you can store and manage cryptographic keys, establish a common root of trust across all applications and services, while retaining complete control of your keys at all times. You can perform cryptographic operations such as encryption/ decryption of data encryption keys, protection of secrets (passwords, SSH keys, etc.), and more, across environments. And enjoy the flexibility to move freely between cloud, hybrid and on-premises environments for cloning, backup and more in a purpose-built hybrid solution while always remaining in control with hybrid Thales Luna HSMs.
  • CipherTrust Key Management Services - Cloud-based key broker services on the DPoD platform provide BYOK capabilities as a cloud-based service. You can ensure simple and secure control of your keys and related security policies for encryption within your cloud service providers like Google, other IaaS and PaaS environments and supported SaaS vendors.
  • payShield Cloud services – Specialized HSM as-a-service capabilities are available for point to point encryption (P2PE), protecting payment card data from the point of capture at the card payment terminal, until it reaches the secure decryption endpoint.
  • Partner services - DPoD extends service capacities from Luna Cloud HSM services to partner-led security services. Available from the DPoD marketplace, partner tiles provide a convenient way for DPoD tenants to extend the value of Thales Luna HSMs’ extensive range of integrations across their security ecosystem.

Google Workspace Security

Pass Audits, Stay in Compliance

Compliance mandates such as GDPR and PCI DSS, require logs of who has access, to which apps, and how their identity is verified

SafeNet Trusted Access (STA) is a cloud-based service that acts as the trusted identity provider (IDP) for Google Workspace and other third-party cloud and web-based apps. As an IDP, STA provides IT administrators with the ability to easily deploy an access management solution across their entire environment, including multiple clouds.

STA secures access to Google Workspace and authenticates user identities across:

  • All operating systems
  • On-premise and cloud apps
  • Multi-cloud environments

In minutes, STA enables you to set policy-based access for SSO and 2FA/MFA for all your cloud and web apps.

Google Workspace Client-side encryption

Google Workspace now provides enhanced privacy and confidentiality options with Client-side encryption

Enterprise customers can have full control over their encryption keys by combining SafeNet Trusted Access and CipherTrust Cloud Key Manager.

Adhering to the concept of “shared responsibility for cloud security”, Google recommends that customers use both an external key manager (EKM) and Identity Provider (IDP) to ensure that only authorized and authenticated individuals can access protected documents. Only Thales develops both an independent IDP and key management solution.

Thales Security Solutions for Google Workspace - Solution Brief

Thales Security Solutions for Google Workspace - Solution Brief

Google recommends that Google Workspace customers adopt the industry-standard and increasingly well-known shared responsibility model by using an external Identity Provider (IDP) and key manager (EKM) to ensure that only authorized and authenticated individuals can access...

Creating Trusted Collaboration with Google Workspace and Thales - Webinar

Creating Trusted Collaboration with Google Workspace and Thales - Webinar

The transition of moving workloads and applications to the cloud is frequently spearheaded by leveraging cloud-based collaboration suites such as Google Workspace. While offering immense benefits in terms of easy, anywhere access from any device, recent lateral attacks within...