Governments do ask cloud providers to hand over their customers’ data. Last week there was another reminder when a Federal Court said Google must turn over data held on foreign servers. This reminder underscores one of the reasons it is important not only to encrypt your data in the cloud, but to ensure that you are the custodian of the encryption keys. Thales is making two announcements about new cloud key management capabilities at the RSA Conference this week that address this concern, as well as deliver other security advantages to security-conscious organizations.
The first announcement is that Thales now offers support for Google Cloud Platform’s Customer-Supplied Encryption Key (CSEK) functionality. This means Google Cloud Platform customers can now generate, protect, and supply their encryption keys to the cloud using an on-premises Thales hardware security module (HSM). This in itself is strategic for many of Google’s customers because it means they can securely move more workloads to the cloud. More importantly, this means that nShield HSM customers win the trifecta: the HSM they invested in can support all three major public cloud providers: AWS, Azure and Google.
So, how does this all work? Let me explain…
Google Cloud Platform’s CSEK
While most enterprises want to take advantage of the public cloud, many meet resistance in migrating workloads that use sensitive data because of strict security standards that support internal policies or regulatory compliance. However, these barriers are often overcome when encryption and customer-controlled keys can prove to auditors that the enterprise is the custodian of the encryption keys and therefore has control of its data. In support of this goal, Google has allowed its customers to provide their own encryption keys; this is Google Cloud Platform’s Customer-Supplied Encryption Key (CSEK) functionality.
Google Compute Engine uses the customer-provided key to protect the Google-generated keys. The Google-generated keys are the ones that actually encrypt and decrypt data. Only users with authorization to the CSEK can gain access to the Google keys that can decrypt the data in the Google cloud. The result: customers control and manage the encryption that is protecting their data!
Now, Thales nShield supports Google’s CSEK and allows customers to adopt high-assurance key management best practices that strengthen their cloud security and meet compliance requirements. Protected by FIPS 140-2 Level 3 certified hardware, nShield generates keys using its high-entropy random number generator. Following generation, nShield exports customer keys into the cloud for one-time use via Google’s CSEK functionality. With this feature, keys are only held in memory and are discarded by Google after use. Customers can also leverage nShield HSMs on-premises for key storage protection and resilient disaster recovery mechanisms, which gives them greater control over their key lifecycle.
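To make the two-layer scheme concrete, here is an added example (not Thales or Google code) that models how a customer-supplied key protects Google-generated data keys. The customer key (CSEK) is a 256-bit AES key; on the cloud side a fresh data-encryption key (DEK) encrypts the data, and the DEK is wrapped under the CSEK. Only the wrapped DEK, the ciphertext and a SHA-256 fingerprint of the CSEK are kept; the CSEK itself is never stored, so decryption requires the customer to present it again. The key generation, wrapping algorithm (AES-256-GCM) and the `Envelope` structure are assumptions of this example; in the deployment described above the CSEK would come from the nShield HSM’s random number generator rather than `crypto/rand`. The `--csek-key-file` JSON layout produced by `KeyFileJSON` (a list of `uri`/`key`/`key-type` entries, the key base64-encoded) is the format the `gcloud` CLI accepts for Compute Engine resources.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Envelope is what the cloud side keeps at rest (assumed structure for this
// example): the data ciphertext and the Google-generated DEK, itself encrypted
// under the customer's CSEK. The CSEK is deliberately NOT a field.
type Envelope struct {
	CSEKSHA256 string // base64 SHA-256 of the CSEK, the identifier Google reports back
	WrappedDEK []byte // DEK sealed with the CSEK (AES-256-GCM, nonce prefixed)
	Ciphertext []byte // data sealed with the DEK (AES-256-GCM, nonce prefixed)
}

// NewCSEK stands in for key generation inside the on-premises HSM.
// Here it uses crypto/rand; a CSEK must be exactly 256 bits.
func NewCSEK() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// Fingerprint returns the base64-encoded SHA-256 of a key. Compute Engine echoes
// this hash in API responses instead of the key material itself.
func Fingerprint(key []byte) string {
	sum := sha256.Sum256(key)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// sealGCM encrypts plaintext under key with a random nonce prefixed to the output.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// openGCM reverses sealGCM; authentication failure (wrong key, tampering) is an error.
func openGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

// EncryptWithCSEK models the cloud side: generate a DEK, encrypt the data with it,
// wrap the DEK under the customer's CSEK, then forget the CSEK.
func EncryptWithCSEK(csek, plaintext []byte) (*Envelope, error) {
	if len(csek) != 32 {
		return nil, errors.New("CSEK must be 32 bytes (256 bits)")
	}
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := sealGCM(dek, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := sealGCM(csek, dek)
	if err != nil {
		return nil, err
	}
	return &Envelope{CSEKSHA256: Fingerprint(csek), WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptWithCSEK requires the customer to present the CSEK again: the stored
// fingerprint is checked, the DEK is unwrapped, and only then is data decrypted.
func DecryptWithCSEK(csek []byte, env *Envelope) ([]byte, error) {
	if Fingerprint(csek) != env.CSEKSHA256 {
		return nil, errors.New("supplied CSEK does not match the key this resource was encrypted with")
	}
	dek, err := openGCM(csek, env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openGCM(dek, env.Ciphertext)
}

// KeyFileJSON builds one entry in the format gcloud reads via --csek-key-file.
func KeyFileJSON(resourceURI string, csek []byte) ([]byte, error) {
	entry := []map[string]string{{
		"uri":      resourceURI,
		"key":      base64.StdEncoding.EncodeToString(csek),
		"key-type": "raw",
	}}
	return json.MarshalIndent(entry, "", "  ")
}

func main() {
	csek, _ := NewCSEK()
	env, _ := EncryptWithCSEK(csek, []byte("constructed sample disk contents"))
	pt, err := DecryptWithCSEK(csek, env)
	fmt.Printf("with CSEK: %q err=%v\n", pt, err)
	other, _ := NewCSEK()
	_, err = DecryptWithCSEK(other, env)
	fmt.Println("with a different key:", err)
	// Placeholder resource URI; a real one names a project, zone and disk.
	kf, _ := KeyFileJSON("https://www.googleapis.com/compute/v1/projects/PROJECT/zones/ZONE/disks/DISK", csek)
	fmt.Println(string(kf))
}
```

The property worth noticing is that the stored envelope is useless on its own: without the CSEK the DEK cannot be unwrapped, which is exactly why keeping the CSEK under customer control (generated and backed up in the HSM, exported only for one-time use) decides who can read the data.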
Are you attending RSA? Stop by our booth!
Catch up with members of the Thales team at booth #1007 to learn about the latest data security trends – and about how we can help you protect and control your cloud data in light of policy and legal developments. Additionally, Thales will be previewing a prototype for KMaaS for Microsoft Azure – you don’t want to miss it!