This topic provides information about supporting compliance with key management using encryption for Assured Workloads.
Encryption key management is fundamental to supporting regulatory compliance of Google Cloud resources. Assured Workloads supports compliance through encryption in the following ways:
IL4 and CJIS: Mandated customer-managed keys and separation of duties.
- CMEK: Assured Workloads mandates the use of customer-managed encryption keys (CMEK) to support these compliance regimes.
- Key management project: Assured Workloads creates a key management project to align with NIST 800-53 security controls, the key management project is separated from resource projects to establish separation of duties between security administrators and developers.
Key ring: Assured Workloads also creates a key ring to store your keys. The CMEK project restricts key ring creation to compliant locations that you select. After you create the key ring, you manage creating or importing encryption keys. Strong encryption, key management, and separation of duties all support positive security and compliance outcomes on Google Cloud.
Other compliance regimes: Google-managed keys and other encryption options.
- Google-managed keys provides on-by-default, FIPS 140-2 validated encryption in transit and at rest to all Google Cloud services.
- Cloud KMS: Assured Workloads supports Cloud KMS. Cloud KMS covers all Google Cloud products and services by default providing FIPS 140-2 validated encryption-in-transit and encryption-at-rest.
- Customer-managed encryption keys (CMEK): Assured Workloads supports CMEK.
- Cloud External Key Manager (Cloud EKM) Assured Workloads supports Cloud EKM.
- Key import
This section describes Assured Workloads encryption strategies.
Assured Workloads CMEK Creation
CMEK allows you to have advanced controls over your data and key management by enabling you to manage your complete key lifecycle, from creation to deletion. This capability is critical to supporting cryptographic erase requirements in the Cloud Computing SRG.
CMEK covers the following services, which store customer data for IL4, and CJIS.
Other services: Custom Key Management
For services that aren't integrated with CMEK, or for customers whose compliance regimes do not require CMEK, Assured Workloads customers have the option to use Google-managed Cloud Key Management Service keys. This option is offered in order to provide customers with additional options for key management to fit your organizational needs. Today, CMEK integration is limited to the in-scope services which support CMEK capabilities. Google-managed KMS is an acceptable encryption method as it covers all Google Cloud products and services by default providing FIPS 140-2 validated encryption in transit and at rest.
For other products supported by Assured Workloads, see Supported products by compliance regime.
Key management roles
Administrators and developers typically support compliance and security best practices through key management and separation of duties. For example, while developers might have access to the Assured Workloads resources project, administrators have access to the CMEK key management project.
Administrators typically control access to the encryption project and the key resources within it. The administrators are responsible for allocating key resource IDs to developers to encrypt resources. This practice separates the management of keys from the development process and provides the security administrators with the ability to manage encryption keys centrally in the CMEK project.
Security administrators can use the following encryption key strategies with Assured Workloads:
During development, when you provision and configure in-scope Google Cloud resources that require a CMEK encryption key, you request the resource ID of the key from your administrator. If you do not use CMEK, we recommend that you use Google-managed keys to ensure data is encrypted.
The request method is determined by your organization as part of your documented security processes and procedures.
Create a project in the Assured Workloads environment that supports your compliance regime, as follows:
Learn how to create a new workload environment
Learn how to encrypt Cloud Storage using CMEK
Learn how to encrypt Persistent Disk using CMEK
Learn how to encrypt BigQuery using CMEK