Architecting for database encryption on Google Cloud

Encryption and data protection is a major requirement for customers moving their workloads to the cloud. To meet this requirement, organizations often invest a great deal of time in protecting sensitive data in cloud-based databases. This is driven mostly by government regulations, compliance, and organizations’ security requirements to have data protected at rest. As Customer Engineers on the Security and Compliance technology team in Google Cloud, we engage both executive and technical stakeholders to help customers build secure deployments that enable their digital transformation on our Cloud platform.

As Google Cloud continues its efforts to be the industry’s most trusted cloud, we’re taking steps to help customers better understand encryption options available to protect workloads on our platform. In this post, we provide a guide on how to accelerate your design considerations and decision making when securely migrating or building databases with the various encryption options supported on Google Cloud platform. 

Managing data at rest with encryption on Google Cloud

When you move data to Google Cloud, you have options to choose from databases that are simple to use and operate without cumbersome maintenance tasks and operational overhead. Google Cloud keeps the databases highly available and updated, while your IT team can focus on delivering innovations and your end users enjoy reliable services. 

Additionally, you inherit security controls like encryption of data at-rest by default that can help simplify your security implementations. For most organizations, encryption is one piece of a broader security strategy. Encryption adds a layer of defense in depth for protecting data and provides an important mechanism for how Google helps ensure the privacy of data. Encryption ensures that if the data accidentally falls into an attacker's hands, they cannot access the data without also having access to the encryption keys. Our platform offers data-at-rest encryption by default, ensuring that all data stored within the cloud is encrypted by Google-managed keys.

Management options for encryption keys

Google Managed Keys: All data stored within Google Cloud is encrypted at rest using the same hardened key management systems that we use for our own encrypted data. These key-management systems provide strict access controls and auditing, and encrypt user data at rest using AES-256 encryption standards. No setup, configuration, or management is required. Google managed keys is an appropriate choice if you don't have specific requirements related to compliance or locality of cryptographic materials. 

Customer Managed Keys: Customer managed encryption keys (CMEK) offer the ability to protect your databases with encryption keys you control and manage. Using CMEK gives you control over more aspects of the lifecycle and management of your keys, such as key rotation, defining access control policies, auditing and logging, and enforcing data locality or residency requirements. CMEKs are supported on Cloud Key Management Service, Cloud Hardware Security Module, and Cloud External Key Manager.

Encryption options for Google Cloud databases 

In addition to default security controls inherited on Google Cloud, we believe customers should have options to choose the level of protection over data stored in the cloud. We’ve developed database products integrated with our encryption capabilities that enable you to control your data and provide expanded granularity into when and how data is accessed.

Google’s default encryption: Customers' content stored on our platform is encrypted at rest, without any action from customers using multiple encryption mechanisms. Data for storage is split into chunks, and each chunk is encrypted with a unique data encryption key. The data encrypted keys are protected with key encryption keys (KEK) and stored centrally in Google's KMS, a repository built specifically for storing keys.

Cloud Key Management Service (Cloud KMS) provides you with the capability to manage cryptographic keys in a central cloud service for either direct use or use by other cloud resources such as databases and datastores. Cloud KMS combines secure, highly available infrastructure with capabilities not only to provide the mechanisms to create keys of various types and strengths, but also an option for the keys to remain exclusively within the Google Cloud region with which the data is associated.

Cloud Hardware Security Module (Cloud HSM) enables you to generate encryption keys and perform cryptographic operations in FIPS 140-2 Level 3 certified HSMs. The service is fully managed, so you can protect your most sensitive workloads without worrying about the operational overhead of managing an HSM cluster. Google manages the HSM hardware, automatically scales based on your use,  spares you the complexity of managing and using HSM-backed keys in production. For example, you can encrypt data in Cloud SQL tables using a Cloud HSM key that you manage and control the life cycle of.

Cloud External Key Manager (EKM) gives you ultimate control over the keys and encrypted data-at-rest within Google Cloud resources such as CloudSQL, Cloud Spanner, etc. Google EKM enables you to use keys managed in a supported key management system external to Google to protect data within Google Cloud. It’s important to note that for this option, externally managed keys are never cached or stored within Google Cloud. Whenever Google Cloud needs to decrypt data, it communicates directly with the external key manager. In addition to Cloud EKM, customers may leverage Key Access Justifications to understand why their externally-hosted keys are being requested to decrypt data.

Here’s a look at the encryption options for database services that Google Cloud offers

For more information on Key Management on GCP read our KMS Deep Dive Whitepaper.