Announcing general availability of Google Cloud CA Service
Anoosh Saboori
Group Product Management Lead
Anton Chuvakin
Security Advisor, Office of the CISO, Google Cloud
We are happy to announce the general availability of Certificate Authority Service offered by Google Cloud (Google Cloud CAS). Google Cloud CAS provides a highly scalable and available private CA to address the unprecedented growth in certificates in the digital world. This exponential growth is due to a perfect storm of conditions over the past few years, achieving almost a flywheel effect: the rise of cloud computing, the move to containers, the emergence of pervasive high-speed connectivity, and the proliferation of Internet of Things (IoT) and smart devices (see our whitepaper on this topic).
Since our public preview announcement in October, we have seen tremendous reception from the market and innovative use cases for the service from our customers. Here are some notable examples straight from our CAS customers:
"At Credit Karma, security is a top priority, and we always seek ways to improve our security posture. One area where we have been working with Google for more than a year now is the identity of our workloads and how we can leverage platform features to offload to cloud some of the time-consuming tasks that our security and DevOps teams need to run today. We are very happy with the progress that GCP has made in addressing our feedback and we believe CA Service is a fundamental piece of building a strong identity story in cloud, by cloud." - Jason Roberts, Security Engineer, Credit Karma
"Commerzbank AG takes security of our data very seriously. While Google Cloud Platform comes with a high level of in-built security controls, we had to further enhance those by enabling the highest security standards for data transport. This requires bringing trust into GCP based on Commerzbank-owned certificates. Google understood our needs and invested in capabilities with Certificate Authority Service, empowering us to rely on our trusted certificates and security standards while providing fully automated and scalable certificate handling. This enables us to use GCE, GKE, and other authorized services to deliver products and value." - Christian Gorke, Head of Cyber Center of Excellence, Commerzbank AG
"Building a secure and compliant PKI system is known to be a complex and costly endeavor, making it cost prohibitive for many regulated government transactions. With the help of GCP's Certificate Authority Service (CAS), Vitu Authority Trust's digital signature service became the first authorized government digital signature service provider to deliver a fully digital car buying experience in the United States. GCP's Certificate Authority Service provided Vitu Authority Trust the highest level of compliance at an affordable rate, allowing Vitu Authority Trust to outsource the burden of digital certificate management to the cloud." - Arash Nikoo, VP Technical Operations, Vitu
The top three features customers asked for in CAS were as follows:
The first and most desired feature in Google Cloud CAS by our customers is scale and availability. Scale in this case is measured as a) the number of issued certificates per second and b) the total number of certificates/CAs allowed per project. Availability is the SLA-backed uptime for certificate issuance, per region.
When planning to build this product, we found that the most common problem from customers was how to address machine and service identity within their cloud transformation. This was specifically problematic due to the more ephemeral nature of most cloud workloads relative to what customers do on-premises with manual deployments (containers and microservices that are short-lived are good examples).
The scale required for certificate issuance creates huge, unpredictable demand on customers' existing CAs, which they often cannot support. The last thing they want is for their identity infrastructure to be their scalability bottleneck as they dynamically scale out to support special events: in the retail space, this could be Black Friday sales, where thousands of nodes/VMs are spun up to accommodate a spike in sales and then rapidly torn down after the spike, rendering all investments made just to support Black Friday useless.
Another reason for renewed interest in scale was the move to a zero trust access model, which was expedited by COVID-19 and work-from-home requirements. The core need to open up device management across the internet created a new scale requirement for certificate enrollment to allow for securing the device over the internet.
In addition to scale and availability, the second key benefit of Google Cloud CAS for our customers was savings compared to the cost of building an alternative solution. Such an endeavour requires purchasing Hardware Security Modules (HSMs), licensing the software, purchasing server devices, securing multiple redundant root key material locations, and then hiring a specialized PKI/DevOps team to operate the system at scale (high CapEx and OpEx).
Customers told us they only have so many projects they can take on, so they have to choose carefully. CAs and certificates are an enabler for their business and are a great candidate for freeing up resources that might have been used internally to solve the scale problem and reassigning them to more business-critical tasks, while accelerating the velocity of the projects that use the service. Google Cloud CAS is backed by hardware security modules (HSMs) without any direct customer involvement in HSM purchasing, provisioning and management. We saw customers cancelling their HSM orders in response to the cost savings provided by Google Cloud CAS.
Security was the third commonly quoted reason for considering Google Cloud CAS. A cloud CA that seamlessly integrates with other cloud services provides the most secure solution for their cloud workloads, while freeing customers from having to keep software, hardware and firmware up to date.
Outside the usual scenarios for CAS (i.e., DevOps), we saw a great reception of our strategy of relying on Certificate Lifecycle Management partners (Venafi and AppViewX as launch partners for the public preview) to help modernize the traditional IT and on-premises CA story. Customers really see the value of moving their CA to the cloud to save on OpEx and CapEx, and see this as an opportunity to converge their CA story across both DevOps and traditional IT and achieve single-pane control and manageability. We heard many times that PKI teams were worried that they had lost control of the modern DevOps team because they had no visibility into their certificate operations. CAS can be the ideal way to fix that problem. Customers migrating to zero trust access models also found value in CAS.
Since our public preview, customers have asked us to expand our partner ecosystem so that their desired partners can also work with CAS. We are happy to introduce three new members of our partner program: Keyfactor, Jetstack and Smallstep (which brings in ACME support for CAS) who join our existing partners Venafi and AppViewx.
We also had some interesting and rather surprising scenarios brought to us by customers which we initially did not think of as potential targets. Interestingly, most examples are from the IoT space. We saw small to midsize companies who are building IoT peripherals, like wireless chargers, USB devices, or cables, reaching out with a need for certificates. They do not want to invest in PKI and CAs as it is not their core business and the economics of it do not make sense given their market size. CAS addresses those needs with a pay-as-you-go model that is easy to implement, operate, administer and grow for their scenarios.
These stories were really reassuring for us, as we had made the right bets and built the right features, though we acknowledged that there were areas for improvement. We are lucky enough to have a very invested and engaged set of customers providing us with great feedback and helping us identify product gaps. We truly appreciate it, as their feedback made our product much better at GA and resulted in a few nice feature additions.
Before we enumerate all the new features, it is worth calling out two new industry-leading features of CAS in GA:
CA rotation (when a CA certificate is close to expiry) is hard and normally requires a disruptive flow to replace the expiring CA with the new one. Customers asked us to make the process completely seamless for them. In response, we are adding a new feature at GA called CA pool, which allows a group of CAs to serve the same incoming request queue. CA rotation can then be achieved simply by adding a new CA to the pool and taking the old one out of it, without any changes to workloads or client code. Also, the serving CA in the pool is chosen uniformly, allowing for increased throughput.
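The practical consequence of a pool choosing its signing CA uniformly is that relying parties must trust every CA in the pool, not just the original one, so the new CA's certificate has to reach trust stores before it starts signing. The following added example (not CAS code; a hypothetical model written for this post) simulates a pool during rotation and counts certificates that clients would reject if the trust bundle is updated after the new CA joins rather than before.

```python
import random
from dataclasses import dataclass, field

# Hypothetical model of a CA pool (not the CAS API): any ENABLED CA in the
# pool may sign an incoming request, and the signer is chosen uniformly.

@dataclass
class CA:
    name: str
    enabled: bool = True

@dataclass
class CAPool:
    cas: list = field(default_factory=list)
    rng: random.Random = field(default_factory=lambda: random.Random(7))

    def enabled(self):
        return [ca for ca in self.cas if ca.enabled]

    def issue(self, subject):
        # uniform choice among serving CAs, as described for CA pools
        ca = self.rng.choice(self.enabled())
        return {"subject": subject, "issuer": ca.name}

def trusted(cert, bundle):
    # a relying party accepts a cert only if its issuer is in its trust bundle
    return cert["issuer"] in bundle

def rotate(pool, bundle, old, new, distribute_first=True, requests=200):
    """Rotate old -> new while workloads keep requesting certificates.
    Returns how many certs issued during the overlap clients could not verify."""
    untrusted = 0
    pool.cas.append(new)
    if distribute_first:
        bundle.add(new.name)          # correct order: trust the new CA first
    for i in range(requests):         # both CAs serve the pool meanwhile
        if not trusted(pool.issue(f"svc-{i}"), bundle):
            untrusted += 1
    old.enabled = False               # old CA stops signing; its certs still verify
    if not distribute_first:
        bundle.add(new.name)          # too late for certs the new CA already signed
    return untrusted

def demo(distribute_first):
    old, new = CA("root-1"), CA("root-2")
    pool, bundle = CAPool([old]), {"root-1"}
    rejected = rotate(pool, bundle, old, new, distribute_first)
    return rejected, [ca.name for ca in pool.enabled()]
```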
More control over the certificate issuance policy was another commonly requested feature. With GA, we are enhancing our policies to allow per-user-group policies to be defined. Also, admins can define certificate templates that are applied to all issued certificates, overriding some or all of the parameters in the issued certificate.
Below is a summary of the rest of the new features and integrations that we are making available as part of our GA:
We heard about configuration as code and the importance of Terraform support for configuring and managing Google Cloud CAS. We listened and created a Terraform provider for Google Cloud CAS.
We also heard of the huge demand for making sure cert-manager works with Google Cloud CAS. cert-manager, with more than 1.6 M downloads per day, is one of the most commonly used open source tools for automating certificate lifecycle management within Kubernetes environments. In response to this ask, we worked with Jetstack and created an integration with cert-manager.io.
We heard from customers that they love their Hashicorp Vault as a policy engine and would like to continue using it for this new service. As such, we built a Hashicorp Vault plugin that allows Vault to be the source of policies while Google Cloud CAS is the certificate issuer.
Customers also requested a guided way to set up the product, so we are announcing the availability of a CAS Qwiklab.
In addition to the above features/integrations, we are also announcing the following updates as part of the GA release:
Pricing: Our pricing model offers a simple pay-as-you-go model. For large volume customers, we also provide subscription models to remove the ambiguity of billing when demand is non-predictable.
SLA: Our SLA is now publicly available and offers 99.9% availability per region for certificate creation.
More regions: We are happy to announce that CAS is available in many new regions, including São Paulo, Montréal, Frankfurt, London, Sydney, Mumbai, Tokyo, and many more.
Compliance: CAS has been included as part of ISO 27001, 27017, 27018, SOC1, SOC2, SOC3, BSI C5, and PCI audits. We are also working to include CAS in our FedRAMP audits. Additionally, CAS by default uses Google Cloud HSM for private key protection, which is FIPS 140-2 Level 3 validated.
Google Cloud CAS offers a virtually unbounded quota for the total number of issued certificates, at a rate that meets modern scale requirements, backed by an enterprise-grade SLA, making customer-managed deployments very hard to justify. Start planning your transition to the cloud-ready CA platform that CAS enables.
Read more about CAS in our whitepapers (1) (2) and activate it here.