Data encryption, especially in the Cloud, is an extremely important part of any cybersecurity plan today. More and more companies are migrating their data to the Cloud for its ease of use, reduced cost, and better security. The most prominent Cloud Service Providers (CSPs), like Google, Azure, and Amazon, all use different data encryption methods, but all of them are secure and user-friendly.

How Data Encryption on the Cloud works

Cloud data exists in two states, each encrypted differently: in-transit and at-rest.

Data-in-transit encryption refers to using SSL or TLS to create a security “wrapper” around data while it is being moved. This makes it more challenging to steal data-in-transit, and even if the data were intercepted, the attacker would see only ciphertext, a block of characters that is meaningless without the key. Most data-in-transit encryption is handled by web browsers or FTP clients, so it needs less management than data-at-rest. Data-at-rest encryption is applied when data sits on a disk or another storage medium. As with data-in-transit encryption, the data is transformed into ciphertext so that an attacker who obtains the stored copy does not obtain the plaintext.

CSPs provide data encryption to the user in many different ways. Data can be encrypted by default, or only once the user enables that option. Each section of a Cloud platform handles the encryption of data differently. Some services encrypt all data they store and have the CSP manage the keys involved, while others give the user full control over how the data is encrypted. Most Cloud services offer a middle ground, allowing the user to choose whether the CSP manages everything, the user controls it all, or something in between. Many users build their own automated encryption methods, since platforms like Google Cloud Platform (GCP) provide so many tools for doing so.

GCP Provided Tools for Data Encryption

GCP uses AES-256 encryption by default for data at-rest in Google Cloud Storage, and data-in-transit is encrypted with TLS by default. When encrypting data on the Cloud, GCP uses DEKs and KEKs, which are used and stored through Google’s Key Management Service (KMS) API. A DEK, or data encryption key, encrypts the data itself. A KEK, or key-encryption key, then encrypts the data encryption key, adding an extra layer of security. The KMS API works closely with other Google Cloud services, such as Cloud security services and Google Cloud Functions, to store the keys used for encryption and decryption on the Cloud. When other APIs attempt to access DEKs and KEKs, the caller must first hold the necessary permissions on those keys. Services like IAM provide the roles that grant users access to KMS.
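The DEK/KEK scheme just described is envelope encryption. The following is an added example in Go, not the article’s or Google’s code: a fresh AES-256-GCM DEK encrypts each object and a KEK wraps that DEK; the KEK here is a local 32-byte key standing in for one held in Cloud KMS, and the function names and the `dek-v1` label are this example’s own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// must panics on err: every key and nonce size here is fixed by the program, so these calls only fail on a programming mistake.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// seal encrypts under key (32 bytes selects AES-256) with AES-GCM and a fresh random nonce, prepended; aad is authenticated only.
func seal(key, plaintext, aad []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; the GCM tag check rejects any modified ciphertext or aad.
func open(key, sealed, aad []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// Encrypt draws a fresh DEK per object, encrypts the data under it and wraps the DEK under the KEK;
// both outputs are stored together at rest. In a real deployment the wrap is the KMS API call and the KEK never leaves the KMS (here it is a local stand-in key).
func Encrypt(kek, plaintext []byte) (wrappedDEK, ciphertext []byte) {
	dek := make([]byte, 32)
	must(rand.Read(dek))
	return seal(kek, dek, []byte("dek-v1")), seal(dek, plaintext, nil)
}

// Decrypt unwraps the DEK with the KEK, then decrypts the data with the DEK.
func Decrypt(kek, wrappedDEK, ciphertext []byte) ([]byte, error) {
	dek, err := open(kek, wrappedDEK, []byte("dek-v1"))
	if err != nil {
		return nil, err
	}
	return open(dek, ciphertext, nil)
}
```

Because the KMS only ever encrypts the 32-byte DEK, the scheme is not bound by the KMS’s plaintext size limit, and rotating the KEK means re-wrapping DEKs rather than re-encrypting every object.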

IAM, or Identity and Access Management, defines the roles that services need in order to work with different APIs within GCP. IAM adds another layer on top of KMS when protecting encrypted data. Administrators can create their own roles for services and users, giving them finer control over what particular users or services may access. IAM can also connect other GSuite applications, such as Gmail or Google Drive, to applications and services within a user’s Google Cloud account, further authenticating users.

Another example of a GCP API that assists in encrypting data is the Data Loss Prevention (DLP) API. This API can be used within or outside of Google Cloud and helps the user identify potentially sensitive data, such as Personally Identifiable Information (PII), and mask that data from attackers. Google Cloud Platform users can combine the KMS and DLP APIs to apply methods like Format Preserving Encryption, which produces ciphertext that keeps the same format as the plaintext (a nine-digit identifier is still a nine-digit number), so the PII can still be processed as false values that reveal nothing about the original.

Conclusion

These methods and more give users the freedom to manage their own data encryption methods on the Google Cloud Platform. KMS, IAM, and DLP can also be integrated with Google Cloud Functions to encrypt data automatically as it is uploaded to Google Cloud Storage. Google Cloud Dataflow can use DLP and KMS to encrypt data automatically from several different storage locations. This shows how users can build their own, potentially more robust, data encryption methods to protect sensitive data stored on the Cloud.

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download
Encryption Services

About the Author

Riley Dickens is a Consultant at Encryption Consulting, working with PKIs, creating Google Cloud applications, and working as a consultant with high-profile clients.

Hybrid KMS is the centralized management of accounts across all leading CSPs, with custom APIs for integration and the ability to manage all encryption key lifecycle activities from a central console.

Many organizations simply prefer to own and physically oversee their own HSMs, but they also seek the accessibility and convenience of the cloud. A hybrid model would contain a combination of on-premises HSMs and cloud HSMs to account for:

  • Scalability
  • Backup
  • Failover

This model is often used by organizations that have large on-premises HSM estates but want to limit further on-premises investment and tap into the scalability of the cloud. With a hybrid infrastructure, if an organization sees an unexpectedly high volume, cloud-based HSMs can seamlessly provide additional capacity, preventing slowdowns or outages.

A few years ago, on-premises HSMs were the only option for key management. That has changed, and organizations now have the option to move fully to the cloud or adopt a hybrid model. As organizations consider these options, they can evaluate them on these parameters:

  • FIPS 140-2 Level 3 compliance and PCI DSS standards
  • Scalability
  • Compliance
  • High Availability
  • Integration
  • Resources
  • Cost

If an organization is facing scalability issues, interruptions, or access failures, it might be time to extend its critical infrastructure beyond its physical premises. Organizations have several options: moving to the cloud, renting rack space, or looking for hybrid options.

About the Author

President at Encryption Consulting LLC focusing on providing consulting to customers in the Applied Cryptography space.

Silo Key Management is the process of using the KMS provided by the CSP to manage keys in a single cloud environment.

  • Master Key Types: Microsoft Azure offers 2048, 3072, and 4096 bit RSA asymmetric master keys, but it does not support any symmetric master keys.
  • Encryption Modes: Microsoft Azure does not offer symmetric encryption methods, but does offer two asymmetric encryption methods: RSA OAEP and RSA PKCS#1v1.5.
  • Plaintext Size Limits: Microsoft Azure offers a plaintext size limit of 0.25KB.
  • Bring Your Own Key (BYOK) Options: To utilize BYOK, the key being used on the cloud must first be imported into the Cloud Service Provider, and to import the key, it must first be wrapped. Microsoft Azure takes an RSA key that is wrapped by AES and RSA-OAEP.
  • Signature Modes: To ensure the integrity of data-in-transit, signatures are used. Microsoft Azure offers RSA-PSS, RSA PKCS#1 v1.5, ECDSA with P-256, ECDSA with P-512, ECDSA with SECP-256k1, and ECDSA with P-384 signature methods.
  • Cloud HSM Compliance: Each Cloud Service allows users to store keys in a cloud HSM, but the cloud HSM for each service has different compliance certifications. Microsoft Azure’s regular Vault HSM is FIPS 140-2 level 2 compliant and its Managed HSM is FIPS 140-2 level 3 compliant.
  • Azure Key Vault Features: Azure Key Vault protects keys and secrets with HSMs or software appliances. Both Azure services and the customer can access the keys and secrets that are stored. Azure Key Vault is FIPS 140-2 Level 2 compliant and only supports asymmetric keys. It supports RSA keys of sizes 2048, 3072 and 4096 and the Elliptic Curve key types P-256, P-384, P-521, and P-256K (SECP256K1). Azure Key Vault supports customer managed keys and manages tokens, passwords, certificates, API keys, and other secrets.
  • Azure Dedicated HSM Features: Azure Dedicated HSM stores keys on an on-premises Luna HSM. This key storage is only accessible by the customer, allowing users to manage keys without worrying about the CSP having access to them. Azure Dedicated HSM is FIPS 140-2 Level 3 compliant and supports symmetric and asymmetric keys. For asymmetric keys it supports RSA, DSA, Diffie-Hellman, Elliptic Curve Cryptography (ECDSA, ECDH, Ed25519, ECIES) with named, user-defined, and Brainpool curves, and KCDSA. Symmetric keys created with AES-GCM, Triple DES, DES, ARIA, SEED, RC2, RC4, RC5, and CAST are accepted by Azure Dedicated HSM. For hash/message digest/HMAC, SHA-1, SHA-2, and SM3 are accepted; for key derivation, SP800-108 Counter Mode is accepted; and for key wrapping, SP800-38F is accepted. Azure Dedicated HSM is capable of offline key backup and single device provisioning, but customer managed keys are not supported.

  • Master Key Types: Amazon Web Services (AWS) offers 2048, 3072, and 4096 bit RSA asymmetric master keys.  It is also one of the only Cloud Service Providers (CSPs) to offer 256 bit symmetric master keys.
  • Encryption Modes: AWS offers symmetric AES GCM and asymmetric RSA OAEP encryption methods.
  • Plaintext Size Limits: Amazon Web Services offers a plaintext size limit of 4KB.
  • Bring Your Own Key (BYOK) Options: To utilize BYOK, the key being used on the cloud must first be imported into the Cloud Service Provider, and to import the key, it must first be wrapped. Amazon Web Services takes an AES-256 key that is wrapped by RSA 2048.
  • Signature Modes: To ensure the integrity of data-in-transit, signatures are used. AWS offers RSA-PSS, RSA PKCS#1 v1.5, ECDSA with P-256, ECDSA with P-512, ECDSA with SECP-256k1, and ECDSA with P-384 signature methods.
  • Cloud HSM Compliance: Each Cloud Service allows users to store keys in a cloud HSM, but the cloud HSM for each service has different compliance certifications. Amazon Web Services’ regular KMS HSM is FIPS 140-2 level 2 compliant and the AWS Custom Keystore CloudHSM is FIPS 140-2 level 3 compliant.
  • Amazon KMS Features: AWS KMS is a managed service in the AWS cloud for key storage. Both customers and AWS services can access keys stored in this way. AWS KMS is FIPS 140-2 Level 2 compliant and supports symmetric and asymmetric keys. It also supports the RSAES_OAEP_SHA_1 and RSAES_OAEP_SHA_256 encryption algorithms with RSA 2048, RSA 3072, and RSA 4096 key types. Encryption algorithms cannot be used with the elliptic curve key types (ECC NIST P-256, ECC NIST P-384, ECC NIST P-521, and ECC SECG P-256k1). When using elliptic curve key types, AWS KMS supports the ECDSA_SHA_256, ECDSA_SHA_384, and ECDSA_SHA_512 signing algorithms. AWS KMS is capable of limited key management, storage and auditing, and encryption.
  • Amazon CloudHSM Features: AWS CloudHSM is a dedicated hardware appliance in the AWS cloud for key storage. This key storage is only accessible by the customer, allowing users to manage keys without worrying about the CSP having access to them. AWS CloudHSM is FIPS 140-2 Level 3 compliant and supports symmetric and asymmetric keys. It also supports 2048-bit to 4096-bit RSA keys in increments of 256 bits, 128-, 192-, and 256-bit AES keys, 192-bit 3DES keys, and keys on the P-224, P-256, P-384, P-521, and secp256k1 curves. Only the P-256, P-384, and secp256k1 curves are supported for sign and verify. AWS CloudHSM is capable of key management, key storage and auditing, and serving as the root of trust for PKIs.

  • Master Key Types: Google Cloud Platform (GCP) offers 2048, 3072, and 4096 bit RSA asymmetric master keys.  It is also one of the only Cloud Service Providers (CSPs) to offer 256 bit symmetric master keys.
  • Encryption Modes: GCP offers symmetric AES GCM and asymmetric RSA OAEP encryption methods.
  • Plaintext Size Limits: Google Cloud Platform offers a plaintext size limit of 64KB.
  • Bring Your Own Key (BYOK) Options: To utilize BYOK, the key being used on the cloud must first be imported into the Cloud Service Provider, and to import the key, it must first be wrapped. Google Cloud Platform takes an AES-256 key that is wrapped by RSA 3072.
  • Signature Modes: To ensure the integrity of data-in-transit, signatures are used. GCP offers RSA-PSS, RSA PKCS#1 v1.5, ECDSA with P-256, and ECDSA with P-384 signature methods.
  • Cloud HSM Compliance: Each Cloud Service allows users to store keys in a cloud HSM, but the cloud HSM for each service has different compliance certifications. All HSM keys on Google Cloud Platform are FIPS 140-2 level 3 compliant.
  • Google Cloud KMS Features: Google Cloud KMS can store keys in either an HSM or a software application. This key storage can be accessed by both the customer and the CSP. Google Cloud KMS is FIPS 140-2 Level 3 compliant if an HSM is used, and FIPS 140-2 Level 1 compliant if software keys are used. Google Cloud KMS supports symmetric and asymmetric keys. It also supports 256-bit Advanced Encryption Standard (AES-256) keys in Galois Counter Mode (GCM), padded with Cloud KMS-internal metadata, and RSA keys of sizes 2048, 3072 and 4096. Google Cloud KMS is capable of key management, storage, auditing, encryption, encryption for Kubernetes, and both HSM and software key management.
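The BYOK import step in the AWS and GCP items above, an AES-256 key wrapped with RSA-OAEP under the provider’s import key, as an added example in Go that is not any provider’s code: it simulates both sides locally, the function names are this example’s own, and a real import also goes through the provider’s import API. Azure’s variant described earlier (an RSA key wrapped by AES and RSA-OAEP) is not shown.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// KeyMaterialLen is the size in bytes of the AES-256 key being imported.
const KeyMaterialLen = 32

// NewImportKeyPair plays the CSP's part: its KMS generates an RSA wrapping key
// pair and releases only the public half to the customer. Per the text above,
// GCP uses a 3072-bit key and AWS a 2048-bit key; bits is the caller's choice.
func NewImportKeyPair(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// WrapForImport plays the customer's part: the AES-256 key from the customer's
// own HSM or KMS is encrypted with RSA-OAEP (SHA-256) under the CSP's public
// wrapping key, so only the CSP's HSM can recover it. OAEP is randomized, so
// wrapping the same key twice yields different blobs.
func WrapForImport(pub *rsa.PublicKey, keyMaterial []byte) ([]byte, error) {
	if len(keyMaterial) != KeyMaterialLen {
		return nil, fmt.Errorf("expected a %d-byte AES-256 key, got %d bytes", KeyMaterialLen, len(keyMaterial))
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, keyMaterial, nil)
}

// UnwrapImported plays the CSP HSM's part: it recovers the key material with the
// private wrapping key and rejects anything that is not a valid AES-256 key.
func UnwrapImported(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	km, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, fmt.Errorf("import blob rejected: %w", err)
	}
	if len(km) != KeyMaterialLen {
		return nil, fmt.Errorf("unwrapped %d bytes, not an AES-256 key", len(km))
	}
	return km, nil
}

// MaxOAEPPayload is the largest message RSA-OAEP with SHA-256 can wrap under a
// modulus of the given size: k - 2*hLen - 2 bytes (190 for 2048, 318 for 3072).
// A 32-byte AES key fits easily, which is why BYOK wraps a key, not bulk data.
func MaxOAEPPayload(modulusBits int) int {
	return modulusBits/8 - 2*sha256.Size - 2
}
```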
