Google Cloud Platform’s Data Encryption Tools – KMS, HSMs, and PKIs

Read Time: 07 min.

Data encryption, especially on the Cloud, is an extremely important part of any cybersecurity plan in today’s world. More companies migrate their data to the Cloud for its ease of use, reduced cost, and better security. The most prominent Cloud Service Providers (CSPs), like Google, Azure, and Amazon, all have different data encryption methods, but they are all secure and user-friendly.

How Data Encryption on the Cloud works

Cloud data resides in two places: in-transit and at-rest.

Data-in-transit encryption refers to using SSL or TLS to create a security “wrapper” around the data being moved. This ensures that it is more challenging to steal data-in-transit, but even if it were successfully stolen, it would be a confusing block of characters that would not make sense to the attacker. Most data-in-transit encryption is done through web browsers or FTP clients, so it does not need to be as managed as data-at-rest. Data-at-rest encryption is done when data is on a disk or another storage method. Similar to data-in-transit encryption, the data is jumbled into a random series of characters to stop attackers from stealing the plaintext.

GCP Provided Tools for Data Encryption

GCP uses AES-256 encryption by default when data is at-rest in Google Cloud Storage, and data-in-transit is encrypted with TLS by default. When encrypting data on the Cloud, GCP utilizes DEKs and KEKs, which are used and stored with Google’s Key Management Service (KMS) API. A DEK is a data encryption key, which is used to encrypt the data itself. A KEK, or key-encryption key, is then used to encrypt the data encryption key to ensure an extra security layer. The KMS API works closely with other Google Cloud services, such as Cloud security services, Google Cloud Functions, etc, to store keys used for encryption and decryption on the Cloud. When other APIs attempt to access DEKs and KEKs, the user must first have the necessary permissions to access the keys. Services like IAM provide roles for users to be able to access KMS.

IAM, or Identity and Access Management, creates essential roles for services that they will need to work with different APIs within GCP. IAM offers another layer on top of KMS when protecting encrypted data. Administrators may create their roles for services and users, giving them more control in what they want access to certain users or services. IAM can also connect other GSuite applications, such as Gmail or Google Drive, to applications and services within a user’s Google Cloud account, further authenticating users.

Another example of a GCP API that assists in encrypting data is the Data Loss Prevention (DLP) API. This API can be used within or outside of Google Cloud and helps the user identify potentially sensitive data, such as Personally Identifiable Information, and mask that data from attackers. Google Cloud Platform users can integrate the KMS and DLP APIs to do encryption methods like Format Preserving Encryption, which encrypts data to be misunderstood while keeping the same formatting as the plaintext, allowing the PII data to be used with false values.

Conclusion

These methods and more allow users the freedom to manage their data encryption methods on the Google Cloud Platform. KMS, IAM, and DLP can also be integrated with Google Cloud Functions to encrypt data when uploaded to Google Cloud Storage automatically. Google Cloud Dataflow can use DLP and KMS to encrypt data automatically from several different storage locations. This shows how users can create their own, potentially more robust data encryption methods to assist in the storage of sensitive data on the Cloud.