Google says Encryption Keys are in the Ignition

It has been such a wild few days in the cyber security area with all of the hacks, data breaches, exposures by security folks that all Android (News - Alert) and wearable devices can be compromised, etc., that an announcement by Google of a new security measure almost slipped through the cracks.  Hence, as a bit of a public service, I’d like to draw your attention to the following Google (News - Alert) Cloud Platform Blog, Bring Your Own Encryption Keys to Google Cloud Platform, by Leonard Law, Product Manager. 

Yes, you read correctly.   Now as a free trial and available soon is Customer-Supplied Encryption Keys for Google Compute Engine— accessible in select countries via Google’s API,  Developers Console, and gcloud. As Google points out this literally means your organization will be able to “bring-your-own-keys to encrypt compute resources.” 

As the posting states, this is all about giving people control over how data is encrypted with the Google Compute Engine on their public cloud .The blog enumerates the benefits as:

• Secure: All compute assets are encrypted using the industry-leading AES-256 standard, and Google never retains keys, meaning Google cannot decrypt your data at rest.
• Comprehensive: Unlike many solutions, Customer-Supplied Encryption Keys cover all forms of data at rest for Compute Engine, including data volumes, boot disks, and SSDs.
• Fast: Google Compute Engine is already encrypting all data at rest, and Customer-Supplied Encryption Keys gives users greater control, without additional overhead.
• Included Free: Google fees that encryption should be enabled by default for cloud services; which is why they are not going to charge for the option to bring your own keys.

All of this sounds good on its face. It does seem advantageous to allow users to users create and hold the keys, determine when data is active or "at rest," and prevent anyone accessing their "at rest" data.

While it sounds good, I did want to pass along a few words of warning from Secure Channels CEO and Co-Founder Richard Blech who said:

"This is a marketing ploy by Google who is implying that using their custom encryption engine allows you, the consumer, to control your own encryption key(s) for Google’s Compute Engine. The consumer is given a false sense of security because they are bringing “their own” encryption keys to the cloud. Google’s  platform is not agnostic and uses their engine to create the keys as well as protect the data. Whether this is good or not is not the question, but what is certain, is that it is not BYOE. In order to have true BYOE, the user must be able to define and control the encryption and the keys themselves, and be able to use them agnostically with all environments and applications."

Blech makes an interesting point. However, while it would be nice to reach the ultimate goal he would like to see, as is the want in technology markets staking out the differentiated value of one’s own environment is not a bad place to start. In this regard, Google deserves credit for doing so and making it free. Indeed, it might be worth taking the beta out for a spin.