Attackers are increasingly able to penetrate perimeter defenses, compromise accounts and mine data without targets even being aware of the attack, as the Democratic National Committee breach proved. Encrypting data is the best defense.
Strong encryption of complex data structures requires a Key Management System (KMS). But implementing a KMS can be challenging, especially for enterprises below the security poverty line that don’t have the budget to hire a multidisciplinary security team. Google may have a solution with its Cloud Key Management Service (CKMS) now in beta in select countries.
Google’s Cloud KMS, announced yesterday, addresses the full continuum of encryption and key management to encrypt and manage data for customers of Google’s Cloud. The CKMS application programming interface (API) also works with on-premise data centers and hybrid clouds. Enterprises still have to implement compliance and security policy and process, as well as have knowledgeable staff. Outsourcing the KMS requires fewer, very-hard-to-recruit security engineers.
In-house KMSs need more than specialized talent. The on-premise KMS must scale to meet changing needs, and the IT staff has to operate it and maintain patch levels, as well as implement a redundant backup. Google Cloud Management System (GCMS) uses the same Advanced Encryption Standard (AES) library used internally at Google to encrypt data in Google Cloud Storage. Opting into GCMS means buying into Google’s scale, and compared to most enterprises, the scale is significant, as described by Google’s CSO Gerhard Eschelbeck at the last RSA Security conference in San Francisco.
The enterprise customer can store symmetric keys locally or in Google’s cloud, though given the weakness of enterprise perimeter defenses proven by the regular stream of breach notifications, and considering Google’s scale, storing keys in Google’s cloud may be a good option. AES is implemented using Galois/Counter Mode so that low-latency, high-speed communications channels can be used with reasonable processing overhead.
CKMS product manager Maya Kaczorowski said in a blog post:
“Google maintains, and continually checks for weaknesses using several tools, including tools similar to the recently open-sourced cryptographic test tool Project Wycheproof.”
For many enterprises, except for the largest, consistently testing their security infrastructure is a luxury.
Key pairs often have a shelf life dictated by internal compliance, and in some industries the expiration interval is regulated. CKMS features automatic key rotation so that keys can be rotated frequently.
Using the CKMS API, which is integrated with the Cloud Identity Access Management and Cloud Audit Logging for control and audit, enterprises can create, use, rotate and destroy keys. For enterprises opting to store keys on Google’s infrastructure, there is a root of trust that can be monitored and audited.
In some cases, a single key pair is unsuitable for encrypting a whole data set such as medical records or operational data. Granular key management, encrypting subsets of a data set, is supported via the CKMS API.
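How the pieces described above fit together, as an added illustration that is not Google's code and not the Cloud KMS API: a small in-process stand-in for a hosted KMS holds versioned key-encryption keys (rotate and destroy), and each subset of a data set (one record, identified by an assumed record ID) gets its own data-encryption key, sealed with AES-GCM and stored only wrapped under the KEK version current at the time.

```go
package main

import "crypto/aes"
import "crypto/cipher"
import "crypto/rand"
import "errors"

func random(n int) []byte { // crypto/rand: never fails in practice
	b := make([]byte, n)
	rand.Read(b)
	return b
}

// KMS stands in for a hosted key service (written for this example, not the Cloud
// KMS API). It holds every version of one key-encryption key (KEK): Rotate creates
// the version new wraps use (older ones still unwrap), Destroy drops one (nil).
type KMS struct{ versions [][]byte } // call Rotate once before first use
func (k *KMS) Rotate()       { k.versions = append(k.versions, random(32)) }
func (k *KMS) Destroy(v int) { k.versions[v] = nil }
// seal/open: AES-256-GCM, random nonce prefixed to the output, record ID as AAD.
func seal(key, pt, aad []byte) []byte {
	b, _ := aes.NewCipher(key) // 32-byte key: cannot fail
	g, _ := cipher.NewGCM(b)
	nonce := random(g.NonceSize())
	return g.Seal(nonce, nonce, pt, aad)
}
func open(key, blob, aad []byte) ([]byte, error) {
	b, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(b)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}
// Encrypt is envelope encryption for one subset of a data set (say, one patient
// file): a fresh data-encryption key (DEK) seals the data, the current KEK wraps the
// DEK; only KEK version, wrapped DEK and ciphertext are stored. Decrypt reverses it.
func Encrypt(k *KMS, id string, data []byte) (int, []byte, []byte) {
	ver, dek := len(k.versions)-1, random(32)
	return ver, seal(k.versions[ver], dek, []byte(id)), seal(dek, data, []byte(id))
}
func Decrypt(k *KMS, id string, ver int, wrappedDEK, ct []byte) ([]byte, error) {
	if ver >= len(k.versions) || k.versions[ver] == nil {
		return nil, errors.New("KEK version destroyed or unknown")
	}
	dek, err := open(k.versions[ver], wrappedDEK, []byte(id))
	if err != nil {
		return nil, err
	}
	return open(dek, ct, []byte(id))
}
```

Rotating the KEK leaves older records readable until their version is destroyed, and a raw KEK is never handed to the application, which is the property the article attributes to keeping keys outside the enterprise network.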
Benefits of Google Cloud Key Management Service
Google implied in its blog post that CKMS is suitable for financial, personal health, private individual, military, government, confidential or other sensitive data. The first hurdle for a customer is trusting Google, which will vary based on opinion and application. For enterprises that do decide to trust Google, there could be significant benefits when CKMS leaves beta:
- Keys stored outside the enterprise network are protected from the inevitable breach of that network. If both data and keys are exfiltrated in the same breach, the perpetrators can decrypt the data.
- Hosted key management relieves the burden from the operating staff of running a KMS with the added benefit of Google’s scale.
- Much of the complexity of granularly encrypting data is automated with the API.
Implementing corporate and regulatory compliance, policy and process, as well as identifying all the sensitive data across an organization that should be encrypted, are all still the responsibility of the enterprise. If a hosted KMS like Google’s fits, though, it is another example of a cloud management service that could reduce cost, increase operating efficiency and reduce capital expenditures using the cloud provider’s scale.