Data protection in transit, in storage, and in use

July 28, 2021
Max Saltonstall

Senior Developer Relations Engineer, Google Cloud

In our first episode of the Cloud Security Podcast, we had the pleasure of talking to Nelly Porter, Group Product Manager for the Cloud Security team.

In this interview Anton, Tim, and Nelly examine a critical question about data security: how can we process extremely sensitive data in the cloud while also keeping it protected against insider access? Turns out it's easier than it sounds on Google Cloud.

Some customers using public cloud worry about their data in many different ways. They hold all sorts of sensitive data: healthcare records, credit card numbers, corporate secrets, and more. Some organizations see entrusting that data to a public cloud provider as a risk. Others hold data that is extremely sensitive, or that would be highly damaging if lost or stolen.

In the past, most companies would collect data, process it themselves, and do any transformation or aggregation on-premises. They knew who was using the data, how, and when. That made roles and responsibilities really clear.

With the cloud, everything has changed. Storage and usage capabilities are much better, but the cloud also moves some of the data management out of the company's hands. Cloud security follows a shared responsibility model: some of it is handled by the customer, some by the provider.

For example, let's say you have gathered a bunch of customer behavior data, buying patterns and purchase history. You've got it all uploaded to Cloud Storage - it's encrypted, and you can hold on to the keys (such as via Google Cloud EKM); you are safe. This will work for many types of sensitive and regulated data. Right?

Next up, you start doing data analysis, maybe even training an AI model on your data. Now that you're using the data, it's no longer protected by the same encryption. You still get the advantage of reserved memory, but the data is not scrambled while in use, which is something some clients want for some use cases.

We solve this tricky problem with confidential computing, which lets you complete the cycle and keep the data protected in transit, in storage and in use. While it starts with CPUs, we're also extending the service to include GPUs and Accelerators, so your data enjoys protection wherever it goes.

Confidential computing becomes possible with the right CPU hardware, allowing encryption of data while it's loaded and used. And because this is a hardware upgrade, there's nothing that needs to change with your code to take advantage of it.

The alternative for most companies would be to handle and process such ultra-sensitive data on-premises only, which means missing out on the scale, functionality and reliability of public cloud infrastructure. With this improved cryptographic isolation, companies of all types can now use sensitive data across services and tools. The only downside is a slight increase in latency and cost.

Whether you're handling highly regulated financial services data, or sensitive pictures from your customers, or need to protect high-value intellectual property, check out confidential computing and hear more about how it works on this episode of Cloud Security Podcast.