Cloud Spanner launches customer-managed encryption keys and Access Approval

Cloud Spanner is Google Cloud’s fully managed relational database that offers unlimited scale, high performance, strong consistency across regions and high availability (up to 99.999% availability SLA). In addition, enterprises trust Spanner because it provides security, transparency and complete data protection to its customers. To give enterprises greater control of how their data is secured, Spanner recently launched Customer-managed encryption keys (CMEK). CMEK enables customers to manage encryption keys in Cloud Key Management (KMS). 

From a security standpoint, Spanner already offers, by default, encryption for data-in-transit via its client libraries and for data at rest using Google-managed encryption keys. Customers in regulated industries such as financial services, healthcare and life sciences, and telecommunications need control of the encryption keys to meet their compliance requirements. With the launch of CMEK support for Spanner, you now have complete control of the encryption keys and can run workloads that require the highest level of security and compliance. You can also protect database backups with CMEK. Spanner also provides VPC Service Controls support and has compliance certifications and necessary approvals so that it can be used for workloads requiring ISO 27001, 27017, 27018, PCI DSS, SOC1|2|3, HIPAA and FedRamp.

Spanner integrates with Cloud KMS to offer CMEK support, enabling you to generate, use, rotate, and destroy cryptographic keys in Cloud KMS. Customers who need an increased level of security can choose to use hardware-protected encryption keys, and can host encryption keys and perform cryptographic operations in FIPS 140-2 Level 3 validated Hardware Security Modules (HSMs). CMEK capability in Spanner is available in all Spanner regions and select multi-regions that support KMS and HSM.

How to use CMEK with Spanner

To use CMEK for a Spanner database, users should specify the KMS key at the time of database creation. The key must be in the same location as the Spanner instance (regional or multi-regional). 

Spanner is able to access the key on user’s behalf after the user grants the Cloud KMS Encrypter and Decrypter role to a Google-managed Cloud Spanner service account. Once a database with CMEK is created, the access to it via APIs, DDL and DML is the same as for a database using Google-managed encryption keys. You can see the details of the encryption type and encryption key in the database overview page.

Spanner calls KMS in each zone of an instance-configuration about every five minutes to ensure that the key for the Spanner database is still valid. Customers can audit the Spanner requests to KMS on their behalf in the Logs Viewer if they enable logging for Cloud KMS API in their project. 

Access approval support for Spanner

In addition to security controls, customers need complete visibility and control over how their data is used. Customers today use Cloud Spanner audit logs to record the admin and data access activities for members in their Google Cloud organization, whereas they enable Access Transparency logs to record the actions taken by Google personnel. Access Transparency provides near real-time logs to customers where Google support and engineering personnel logs business justification (including reference to support tickets in some scenarios) for any access to customer’s data. Expanding on this, Spanner has launched support for Access Approval in Preview. With Access Approval in Spanner, a customer blocks administrative access to their data from Google personnel and requires explicit approval from them to proceed. Hence, this is an additional layer of control on top of the transparency provided by Access Transparency Logs. Access Approval also provides a historical view of all requests that were approved, dismissed, or expired. 

To use Access Approval, customers have to first enable Access Transparency from the console for their organization; Access Approval can then be enabled from the console as well. With Access Approval, users will receive an email or Pub/Sub message with an access request that they are able to approve. Using the information in the message, they can use the Google Cloud Console or the Access Approval API to approve the access.

Learn more 

Spanner bills a CMEK-enabled database the same as any other Spanner database. Customers are billed for Cloud KMS use (for the cost of the key and for cryptographic operations) whenever Spanner uses the key for encryption/decryption. We expect this cost to be minimal; see KMS pricing for details.

• To learn more about CMEK, see documentation. 

• To get started with Spanner, create an instance or try it out with a Spanner Qwiklab.