Read Time: 07 min.
How Data Encryption on the Cloud works
Data-in-transit encryption refers to using SSL or TLS to create a security “wrapper” around the data being moved. This ensures that it is more challenging to steal data-in-transit, but even if it were successfully stolen, it would be a confusing block of characters that would not make sense to the attacker. Most data-in-transit encryption is done through web browsers or FTP clients, so it does not need to be as managed as data-at-rest. Data-at-rest encryption is done when data is on a disk or another storage method. Similar to data-in-transit encryption, the data is jumbled into a random series of characters to stop attackers from stealing the plaintext.
GCP Provided Tools for Data Encryption
GCP uses AES-256 encryption by default when data is at-rest in Google Cloud Storage, and data-in-transit is encrypted with TLS by default. When encrypting data on the Cloud, GCP utilizes DEKs and KEKs, which are used and stored with Google’s Key Management Service (KMS) API. A DEK is a data encryption key, which is used to encrypt the data itself. A KEK, or key-encryption key, is then used to encrypt the data encryption key to ensure an extra security layer. The KMS API works closely with other Google Cloud services, such as Cloud security services, Google Cloud Functions, etc, to store keys used for encryption and decryption on the Cloud. When other APIs attempt to access DEKs and KEKs, the user must first have the necessary permissions to access the keys. Services like IAM provide roles for users to be able to access KMS.
Another example of a GCP API that assists in encrypting data is the Data Loss Prevention (DLP) API. This API can be used within or outside of Google Cloud and helps the user identify potentially sensitive data, such as Personally Identifiable Information, and mask that data from attackers. Google Cloud Platform users can integrate the KMS and DLP APIs to do encryption methods like Format Preserving Encryption, which encrypts data not to be understood while keeping the same formatting as the plaintext, allowing the PII data to be used with false values.
Riley Dickens is a consultant at Encryption Consulting, working with PKIs, creating Google Cloud applications, and working as a consultant with high-profile clients. He recently graduated from the University of Central Florida in Orlando, Florida.