Thales Solutions for Google Cloud
Bring Your Own Encryption, Bring or Hold Your Own Key, Secure Identity Verification
Information technology workloads in Google Cloud can deliver both convenience and cost savings. However, you still need to follow security, privacy and compliance rules, as well as best practices, for protecting data. Further, you need rapid data mobility across all clouds you currently use and those in your future, a need which can be compromised with cloud-vendor-specific encryption solutions. And, as one of the few hyperscaler cloud service providers, Google Apps qualify Google as both an IaaS/PaaS and SaaS provider. And the best way to protect SaaS is with comprehensive identity verification.
While Google Cloud encrypts all customer data at rest, Thales and Google have forged a relationship to help Google Cloud customers further protect their sensitive information. The solutions discussed here are part of the Thales and Google Cloud relationship.
Effective, secure use of cloud services involves an increasing number of decisive moments, such as when you consider beginning or expanding your cloud migration. Thales data discovery and classification, advanced encryption, centralized key management, and identity verification solutions give you protection and control of data stored on your premises, Google Cloud, and other clouds. Thales technology enables you to:
Find and classify sensitive data in Google Cloud and beyond
Compatible with Google Cloud direct-attached and network storage resources accessible to Windows and Linux servers in Google IaaS environments, CipherTrust Data Discovery and Classification locates regulated data across unstructured and structured data stores, with a streamlined workflow that helps eliminate security blind spots. The product offers a quick start with built-in discovery and classification templates with the flexibility you need to create new policies. Detailed reports can demonstrate compliance with internal rules as well as external regulations and laws. The solution enables smart decisions on what data to protect with advanced encryption.
Advanced encryption for Google Cloud and beyond
If you’re 100% Google Cloud based with stringent data security controls, or if you’re running hybrid clouds with data distributed across your on-premises private cloud, multiple cloud providers, and in Google Cloud, you need an advanced data encryption solution.
CipherTrust Transparent Encryption protects your files, databases or applications like SAP HANA deployed anywhere, including Google Cloud, without any changes to applications, databases, infrastructure or business practices. Bring your own encryption (BYOE) to Google Cloud and other infrastructure as a service providers! While Google Cloud encrypts data by default, the vast majority of threats to data occur due to compromises in the operating system, applications, or users. Google Cloud serves disk-encrypted data to operating systems in the clear. BYOE operates higher in the stack – in the operating system or at the application layer, protecting data from server or user-based threats.
CipherTrust Transparent Encryption:
If you are architecting your applications as cloud native, you might not have servers on which to run Transparent Encryption. Thales can help secure your data in cloud native applications:
CipherTrust Tokenization with Dynamic Data Masking integrates with cloud-native apps using RESTful calls. Tokenization secures and anonymize sensitive assets in the data center, big data environments or the cloud for simplified PCI-DSS compliance. Format-preserving or random tokenization protects sensitive fields while maintaining database structure, for a non-disruptive implementation. Then, it’s easy to add policy-based dynamic data masking to applications. The Tokenization Server is available to run in Google Cloud; contact us for that. And you can cluster an on-premises Tokenization Server with one in Google Cloud for the highest performance.
CipherTrust Application Data Protection offers simple-to-use, powerful software tools for application-level key management and encryption of sensitive data. The solution is flexible enough to encrypt nearly any type of data passing through an application. Application-layer data protection can provide the highest level of security, as it can take place immediately upon data creation or first processing and can remain encrypted regardless of its data life cycle state – during transfer, use, backup or copy.
Enhance encryption key control and data security for Google Cloud with CipherTrust Key Broker service on Data Protection on Demand. The CipherTrust Key Broker service is integrated with Google Cloud External Key Manager (EKM) to make it easy for you to follow security and key management best practices, while leveraging the power of Google Cloud for compute and analytics. The solution enables you to:
The key broker service is available in the Google Cloud Marketplace North America and European Union instances.
Google Cloud Customer-Supplied Encryption Keys
In support of the Google Cloud Customer-Supplied Encryption Key (CSEK) service, a “Bring Your Own Key” (BYOK) application is available for CipherTrust Application Data Protection and integrates with Google Cloud CSEK to enable customers to supply their own keys for certain Google Cloud Storage products and Google Compute Engine encryption. The CSEK service enables customers to protect the actual encryption keys that are used to encrypt and decrypt their data.
Centralized encryption key management for Transparent Data Encryption database
Customers leveraging various database vendors Transparent Data Encryption solutions such as Microsoft SQL Server, a standard offering for Google Compute Engine or Oracle Database, available for Google Cloud Platform through marketplace partners, can utilize CipherTrust TDE key management to separate database encryption keys from database administrators. Read the white paper "A Common Platform for Database Encryption: Lower Cost, Reduce Risk" describing the benefits of centralizing database encryption key management.
Thales solutions based upon high assurance Luna HSMs and Luna Cloud HSMs (Data Protection on Demand) can help secure and protect your data in Google Cloud. Luna HSMs are FIPS 140-2 Level 3-validated, offering high assurance encryption key and digital identity protection -- ultimately helping you to meet compliance and audit needs and following the security best practice of keeping your keys separate from your data. With Luna HSMs you have the flexibility to leverage Google Cloud services, the ability to both own and control your encryption keys and reduce the risk of unauthorized data access. Luna HSMs support Google Customer-Supplied Encryption Keys (CSEK) and the new Google Cloud EKM service.
For both encryption key quality, ownership and convenience, Thales Data Protection on Demand (DPoD) provides a wide range of Cloud HSM and key management services through a simple online marketplace.
SafeNet Trusted Access is a cloud-based service, ensuring a speedy deployment and easy maintenance - with no additional administrative overhead or changes to existing infrastructures. SafeNet Trusted Access secures access to Google Workspace by leveraging existing infrastructure investments and simplifies the process of implementing access controls to validate user identities. Through a simple, template-based, SAML 2.0 integration, SafeNet Trusted Access acts as the trusted identity provider for Google Workspace and other third-party cloud and web-based apps, providing IT administrators with the ability to easily deploy an access management solution across their entire environment.
Thales Group understands that security is only as strong as your weakest link, so we natively protect all of your employees / customers with policy-based access and multi-factor authentication across:
By protecting each of your access points, we protect your entire business. All it takes for your business to be compromised is one machine, application, or cloud connection to be unprotected. We don’t leave you exposed.