Google Cloud Platform Security

Bring Your Own Encryption, Bring or Hold Your Own Key, Secure Identity Verification

Google Cloud Security

Secure Workloads Across Hybrid Clouds Including Google Cloud

Information technology workloads in Google Cloud can deliver both convenience and cost savings. However, you still need to follow security, privacy and compliance rules, as well as best practices, for protecting data. Further, you need rapid data mobility across all the clouds you use now and in the future, a need that cloud-vendor-specific encryption solutions can compromise. Google is also one of the few hyperscaler cloud service providers, and Google Apps qualify it as both an IaaS/PaaS and a SaaS provider. The best way to protect SaaS is with comprehensive identity verification.

While Google Cloud encrypts all customer data at rest, Thales and Google have forged a relationship to help Google Cloud customers further protect their sensitive information. The solutions discussed here are part of the Thales and Google Cloud relationship.

How can you secure your data in Google Cloud?

To fulfill the shared responsibility model for cloud security, choose Bring Your Own Key (BYOK), Hold Your Own Key (HYOK), or mechanisms to discover sensitive data and Bring Your Own Encryption (BYOE). In addition, you need external policy-based access management with smart single sign-on (SSO) and multifactor authentication (MFA).

Bring or Hold Your Own Key – Cloud Key Management

Google Cloud Platform offers 2 mechanisms that allow you to own encryption key material

Thales supports both Customer-Managed Encryption Keys (CMEK) and External Key Management Services (EKMS): 

Discover and Protect Sensitive Data and Control Encryption Keys

Choose solutions that give you data discovery and protection with encryption key control in Google Cloud and beyond

Use technology that enables you to find and classify sensitive data subject to data privacy or protection mandates worldwide and then protect and control the data with advanced encryption and policy-based access management. Or you can architect applications to be cloud-native and protect data using vaultless tokenization with dynamic data masking.

Locate regulated data with streamlined workflows that help eliminate security blind spots. Built-in discovery and classification templates offer a quick start with the flexibility needed to create new policies. Detailed reports can demonstrate compliance with rules, regulations and laws. Discover CipherTrust Data Discovery and Classification.

Protect Data with Advanced Encryption if you’re either

  • 100% Google Cloud-based with stringent data security controls, OR
  • Running hybrid clouds with data distributed across your on-premises private cloud, multiple cloud providers, and in Google Cloud

What are the benefits of advanced encryption?

  • Protecting data either transparently at the OS level or at the application layer strengthens data security against more threats, from ransomware and APTs to insider risks, and even protects data from Google’s access
  • You gain data portability between clouds, even potentially without egress fees

Realize a fast return on investment with CipherTrust Transparent Encryption. Protect data without changes to applications, databases, infrastructure, or business practices. Google Storage solutions encrypt all data at rest but deliver data in the clear to operating systems. Most data thefts are due to compromises in the operating system, applications, or distracted users. OS-level controls combined with granular access policies give you the protection your sensitive data requires.

Cloud native applications might not have operating systems on which to run Transparent Encryption. Secure your data in cloud native applications with:

High Assurance Root of Trust with Thales Luna HSMs

Secure and protect your data in Google Cloud with high assurance FIPS 140-2 Level 3-validated Hardware Security Modules (HSMs)

Luna HSMs support Google Customer-Supplied Encryption Keys (CSEK) and the Google Cloud EKM service. For encryption key quality, ownership and convenience, Thales Data Protection on Demand (DPoD) provides a wide range of Cloud HSM and key management services through a simple online marketplace.

Google Recommends Policy-based Access Management for Google Cloud

Use an external Identity Provider (IDP) to protect your access security and keep control even if the Google Cloud back end is breached

It is important not to be locked in to a single cloud vendor. We recommend you choose an IDP that supports multiple clouds, so that when your business needs change, you aren’t tied to one provider.

SafeNet Trusted Access (STA)

STA is a cloud-based service that acts as the trusted identity provider for on-premises and cloud apps in Google Cloud, other public clouds, and private clouds.

STA provides the ability to securely deploy an access management solution across an organization’s entire environment, across all operating systems and clouds.

STA protects cloud resources at the login point by using authentication and conditional access, and by enforcing policy-based access controls every time a user logs in to an app. Read more about SafeNet Trusted Access.

2FA Compliance

Various compliance regulations require two-factor authentication (2FA) for managing cloud resources

STA supports 2FA and can be configured to support multi-factor authentication (MFA) in Google Cloud.

Cloud SSO and MFA for Administrators and Customers

In addition to supporting compliance regulations, STA improves productivity for IT administrators and customers without decreasing security by providing support for Cloud Single Sign On (SSO) and MFA in Google Cloud.

Google Workspace Security

Pass Audits, Stay in Compliance

Compliance mandates such as GDPR and PCI DSS require logs of who has access, to which apps, and how their identity is verified

SafeNet Trusted Access (STA) is a cloud-based service that acts as the trusted identity provider (IDP) for Google Workspace and other third-party cloud and web-based apps. As an IDP, STA provides IT administrators with the ability to easily deploy an access management solution across their entire environment, including multiple clouds.

STA secures access to Google Workspace and authenticates user identities across:

  • All operating systems
  • On-premises and cloud apps
  • Multi-cloud environments

In minutes, STA enables you to set policy-based access for SSO and 2FA/MFA for all your cloud and web apps.

Google Workspace Client-side encryption

Google Workspace now provides enhanced privacy and confidentiality options with Client-side encryption

Enterprise customers can have full control over their encryption keys by combining SafeNet Trusted Access and CipherTrust Cloud Key Manager.

Adhering to the concept of “shared responsibility for cloud security”, Google recommends that customers use both an external key manager (EKM) and Identity Provider (IDP) to ensure that only authorized and authenticated individuals can access protected documents. Only Thales develops both an independent IDP and key management solution.

Thales Security Solutions for Google Workspace - Solution Brief

Google recommends that Google Workspace customers adopt the industry-standard and increasingly well-known shared responsibility model by using an external Identity Provider (IDP) and key manager (EKM) to ensure that only authorized and authenticated individuals can access...

Creating Trusted Collaboration with Google Workspace and Thales - Webinar

The transition of moving workloads and applications to the cloud is frequently spearheaded by leveraging cloud-based collaboration suites such as Google Workspace. While offering immense benefits in terms of easy, anywhere access from any device, recent lateral attacks within...