As you move data to the cloud, you face the important question of how to verifiably protect data from unauthorized access without limiting your options for storage and processing. Using public cloud services requires you to place inherent trust in your cloud provider, which can be uncomfortable for your most sensitive data and workloads. On Google Cloud Platform, you can use solutions such as Cloud External Key Manager (EKM) when encrypting data-at-rest to store and manage keys outside of Google’s infrastructure and Confidential Computing to encrypt data-in-use with keys that remain resident in the processor and unavailable to Google. However, while these solutions can reduce the level of implicit trust surrounding data at-rest or in-use, you still need to trust the cloud provider when data transitions from one state to another, or when the data is in-transit. So how do you deal with these challenges?
At Cloud Next 2021, we announced a first-of-its-kind solution that provides customers with ubiquitous data encryption, delivering unified control over data at-rest, in-use, and in-transit, all with keys that remain under your control. With ubiquitous data encryption:
You control the access to your data regardless of whether it’s on storage, in memory, or in flight
You can take full advantage of compute and storage power of GCP
You can reduce your level of implicit trust in Google
To build this solution, we leveraged Google Cloud Confidential Computing and Google Cloud EKM, working with partners, including Thales, to ensure that you can continue to use your existing EKM setup. In doing so, we made it possible to seamlessly encrypt your data as it is sent to the cloud, using your external key management solution, in a way that only a Confidential VM can decrypt and compute on it. To make sure the key can only be used in a confidential environment, we leverage the Confidential VM attestation feature: the external key manager releases the key only to a VM that presents a valid attestation.
The workflow to set up and use this capability is designed to be simple:
Start by creating an encryption key outside GCP using your current external key management solution (for this solution, we currently support Thales CipherTrust, with more EKM partner integrations to come)
Grant access to your EKM encryption keys to the Confidential VM service
In your application running in a Confidential VM, use gsutil together with our library to download the GCS data. The library seamlessly decrypts your data without revealing the key outside the Confidential VM.
If the application tries to access the GCS data on a non-confidential VM, it will fail when attempting to decrypt the data.
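The trust logic behind these steps, as an added self-contained model (not Google's or Thales's code): the EKM holds the key-encryption key, the client wraps a fresh data key through the EKM before upload, and the EKM unwraps it only for a caller presenting a valid confidential-VM attestation. The attestation format, the shared verification key and the toy HMAC-based cipher are assumptions standing in for the real attestation report and AES.

```python
import hmac, hashlib, secrets

def _ctr_xor(key, nonce, data):
    """Toy HMAC-SHA256 counter-mode stream cipher; stands in for AES-GCM in this model."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)

def issue_attestation(signing_key, confidential):
    """Stands in for the Confidential VM attestation report (format assumed, not Google's)."""
    claims = "confidential=true" if confidential else "confidential=false"
    return {"claims": claims, "sig": hmac.new(signing_key, claims.encode(), hashlib.sha256).hexdigest()}

class ExternalKeyManager:
    """Customer-controlled EKM: the key-encryption key never leaves this object, and a wrapped
    data key is only unwrapped for a caller holding a valid confidential-VM attestation."""
    def __init__(self, attestation_key):
        self._kek = secrets.token_bytes(32)
        self._attestation_key = attestation_key  # lets the EKM verify attestation reports (assumed)
    def wrap(self, dek):
        nonce = secrets.token_bytes(16)
        return nonce + _ctr_xor(self._kek, nonce, dek)
    def unwrap(self, wrapped, attestation):
        if attestation is None or not self._verify(attestation):
            raise PermissionError("key release denied: caller is not a verified confidential VM")
        return _ctr_xor(self._kek, wrapped[:16], wrapped[16:])
    def _verify(self, att):
        expected = hmac.new(self._attestation_key, att["claims"].encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, att["sig"]) and att["claims"] == "confidential=true"

def encrypt_for_upload(plaintext, ekm):
    """Client side, before the object is sent to the bucket: fresh data key, wrapped by the EKM."""
    dek, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    return {"wrapped_dek": ekm.wrap(dek), "nonce": nonce, "ciphertext": _ctr_xor(dek, nonce, plaintext)}

def download_and_decrypt(obj, ekm, attestation):
    """Inside the VM: succeeds only if the EKM releases the data key for this attestation."""
    dek = ekm.unwrap(obj["wrapped_dek"], attestation)
    return _ctr_xor(dek, obj["nonce"], obj["ciphertext"])

def try_decrypt(obj, ekm, attestation):
    """Returns the plaintext, or None when the EKM refuses key release (the non-confidential VM case)."""
    try:
        return download_and_decrypt(obj, ekm, attestation)
    except PermissionError:
        return None
```

A VM without a genuine attestation, or with a forged one, receives the ciphertext but never the data key, which is the failure described in the last step.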