Google: Lock up your Compute Engine data with your own encryption keys
- 29 July, 2015 02:42
Google will now let enterprise customers of one of its Cloud Platform services lock up their data with their own encryption keys, in case they're concerned about the company snooping on their corporate information.
On Tuesday, Google started offering users of its Compute Engine service the option, in beta, to deploy their own encryption keys, instead of the industry standard AES 256-bit encryption keys Google itself provides. Encryption keys are used to lock data so it can not be read by other parties.
"Absolutely no one inside or outside Google can access your at rest data without possession of your keys. Google does not retain your keys, and only holds them transiently in order to fulfill your request," wrote Leonard Law, Google product manager, in a blog post describing the new feature.
The keys can be used for the entire time the customer data is stored on Google's platform, including data stored on data volumes, boot disks, and solid state drives. Google doesn't retain the keys and can not access any data that is encrypted with them.
Google didn't mention whether it plans to extend this feature to any of its other Cloud Platform services.
Last week, cloud rival Microsoft took a shot at Google, heavily implying that the company could snoop on its customers.
"We don't read your email. We're not listening to conversations in your house, driving cars up and down the street to do so," Chief Operating Officer Kevin Turner said last week.
While Google does not routinely monitor customer data on the Google Cloud, as Turner may have insinuated, the option of using your own keys to secure data may provide the extra assurance needed for highly data sensitive industries.
The option will also allow organizations to streamline their encryption infrastructure, allowing them to use one set of keys for both Google Cloud and in-house operations.
One customer looking forward to testing this option is Sungard Consulting Services, which uses GCE to run a customer service processing high-volume financial market transactions.
The new feature will allow Sungard to control client data without the paying for third-party encryption providers, according to the Google blog post.
Law cautioned potential users that, should they lose their keys, Google can not help them recover the keys or the data itself.