Recently, Sidechain Security Founder and CEO Andrew Lance published his third in a line of joint whitepapers with Google Cloud and its Head of Security Solutions Strategy, Anton Chuvakin. The latest whitepaper focuses on Google Cloud External Key Manager (EKM). Read on for a summary of the paper to learn more about how Cloud EKM works and its primary benefits.
Cloud Considerations and Concerns
Despite the numerous benefits that come with transitioning to the cloud, including “access to worldwide scalability, resilience, and an incredible array of integrated services and security capabilities,” there remains significant resistance to cloud adoption. Concerns over data security, regulatory compliance, and geopolitics often top the list of reasons. These concerns are well justified; after all, the key to developing trust in your cloud provider is to trust it less.
Protecting Highly Sensitive Data
When organizations keep their data within on-premises infrastructure, they manage all of their own risk. Once a company transitions to the cloud, however, it surrenders absolute control of its data to the cloud service provider. That puts the most valuable asset any company owns, its data, under threat from forces that its own security architecture cannot directly mitigate. This may partially explain why, despite the exponential growth and adoption of cloud platforms, wholesale cloud adoption has not yet occurred.
Geopolitical and Regional Tension
Due to the highly sensitive nature of the data many companies accrue, geopolitical tension has arisen as national governments seek sovereignty over their citizens’ data.
As noted in the whitepaper, “since US cloud providers, which most EU organizations use, are governed under regulations that enable US authorities to access data stored within their infrastructure (such as the CLOUD Act), there remains a concern putting highly sensitive data in such cloud platforms.”
These developments have compelled cloud providers, like Google, to create solutions and infrastructures based on regional law. This includes addressing data privacy and protection statutes that require data created in a country to remain stored there. The General Data Protection Regulation (GDPR), instituted by the European Union, is one such case. The legislation imposes rules for the processing of personal data, including its movement between and beyond the borders of EU nations.
To adequately support their customers, global cloud providers must provide resolutions to manage customer data based on the region in which it is produced.
To confront these issues, Google developed its Cloud External Key Manager (Cloud EKM) to give companies complete control of their most critical asset—their data.
What is Cloud EKM?
In a first among public cloud providers, Google introduced Cloud External Key Manager (EKM) to give customers explicit control over their keys and their encrypted data-at-rest within Google Cloud. In short, “Google EKM enables customers to use keys managed in a supported external key management system to protect data within Google Cloud.”
Google’s cession of data control to its customers strengthens data protection by giving those customers sole discretion over access to encrypted data-at-rest. More specifically, for Google Cloud to decrypt data, it must obtain clear and direct authorization from the customer. Without that explicit permission, Google lacks the encryption key necessary to make use of customer data.
To learn how companies can allow cloud services to access their encrypted data, head over to the joint whitepaper with Google.
Benefits of Cloud EKM
While the benefits of external key management are numerous, the primary benefits of adopting Cloud EKM are the following.
The first is key provenance. “Key provenance is evidence that details the origin, changes to, and supporting confidence or validity of encryption keys such that customers can reason about the origin, location, backup history, and other characteristics of the key.” Key provenance is recorded continuously throughout the lifecycle of a key, covering, for example, its storage, access, use, and destruction.
Key provenance provides evidence of the effectiveness of encryption, which is especially useful for companies that must answer to government bodies, legislation, compliance audits, and more. Maintaining absolute control of keys with Cloud EKM ensures organizations can meet their provenance requirements.
The second is centralized key management. Enterprises already manage encryption keys, usually in a sophisticated platform that has been hardened over time. Centralizing cloud keys in an existing key management system (KMS) reduces the risk of managing a separate set of keys in the cloud. It also simplifies the oversight and operation of security procedures and architecture. Finally, centralized key management supports the flexibility of a multi-cloud infrastructure by limiting overhead, because “primary key management functions are maintained on a centralized system.”
The third is data sovereignty. As mentioned in the introduction of this article, geopolitical concerns regarding data security and key management are extensive. With Cloud EKM, many of the fears that governments and private citizens hold over foreign corporations controlling their data are alleviated because, as the whitepaper details, customers can:
- Protect the key – it’s encrypted by a customer-managed key that is in customer possession, likely in their physical location and under their administrative control
- Authorize the use of the key – through a request to invoke the customer-managed key
- Revoke access to the key – by shutting off access to the customer-managed key
- Validate the use of the key – through Key Access Justification metadata
- Maintain complete provenance of a root key that protects the entire data access model
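The access model in the list above, as an added, simplified simulation that is not code from the whitepaper or from Google: the cloud side holds only a data key wrapped by a root key that never leaves the customer's external key manager, every decrypt must ask that key manager for an unwrap with a stated justification, and the customer can deny by policy or revoke outright. The reason strings are assumed example values modelled on Key Access Justification, and the HMAC-based keystream is a toy stand-in for a real AEAD or key-wrap algorithm.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed example justification codes; the real set is defined by Google Cloud.
ALLOWED_REASONS = {"CUSTOMER_INITIATED_ACCESS", "GOOGLE_INITIATED_SYSTEM_OPERATION"}


class AccessDenied(Exception):
    """Raised when the external key manager refuses to release a data key."""


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy keystream cipher (HMAC-SHA256 in counter mode); a stand-in for AES-GCM/key wrap.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


@dataclass
class ExternalKeyManager:
    """Customer-controlled KMS: holds the root key, never exports it, logs every request."""
    kek: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    enabled: bool = True                       # customer flips this to revoke all access
    audit: list = field(default_factory=list)  # (reason, granted) pairs: the provenance trail

    def wrap(self, dek: bytes) -> bytes:
        nonce = secrets.token_bytes(16)
        return nonce + _xor_stream(self.kek, nonce, dek)

    def unwrap(self, wrapped: bytes, reason: str) -> bytes:
        granted = self.enabled and reason in ALLOWED_REASONS
        self.audit.append((reason, granted))
        if not self.enabled:
            raise AccessDenied("key access revoked by customer")
        if reason not in ALLOWED_REASONS:
            raise AccessDenied(f"justification {reason} not permitted by policy")
        return _xor_stream(self.kek, wrapped[:16], wrapped[16:])


class CloudStorage:
    """Cloud side: stores ciphertext plus a wrapped DEK; it cannot decrypt on its own."""
    def __init__(self, ekm: ExternalKeyManager):
        self.ekm = ekm

    def put(self, plaintext: bytes) -> dict:
        dek, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        return {"wrapped_dek": self.ekm.wrap(dek), "nonce": nonce,
                "ct": _xor_stream(dek, nonce, plaintext)}

    def get(self, obj: dict, reason: str) -> bytes:
        dek = self.ekm.unwrap(obj["wrapped_dek"], reason)  # each read needs customer authorization
        return _xor_stream(dek, obj["nonce"], obj["ct"])
```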
Developing Trust in a Data-Driven Environment
It is worth reiterating that the key to developing greater trust in your cloud provider is to trust it less. Cloud EKM is a significant step in allowing customers to take back control of their sensitive data.
To learn more about Google Cloud EKM, including details on use cases and service integrations, check out Sidechain CEO Andrew Lance’s joint whitepaper with Google.