A beta, Customer-Supplied Encryption Keys for Google Compute Engine, has recently been added to the Google Cloud Platform and is available in some countries. It gives users the option to bring their own keys to lock data, as an alternative to using the industry-standard AES 256-bit encryption keys, in case they have concerns about the company snooping on their corporate information.
Customers are able to create and hold the keys, determining when data is active or on downtime, but Google does not retain them. The keys can be used for the entire duration the customer data is stored on the platform.
“Absolutely no one inside or outside Google can access your at rest data without possession of the keys,” says Leonard Law, product manager at Google.
Google says that the beta provides control over encryption in the public cloud and is secure, comprehensive, quick and free. It also lets organisations streamline their encryption infrastructure by using one set of keys for Google Cloud and in-house operations.
Jacob Ginsberg, senior director of Echoworx, criticises the new development, stating that it “will only affect businesses that use Google to host custom applications. Google still has access to customer email data via Google Apps or Gmail. This move won't keep the majority of business' email or data secure.”
Kevin Turner, chief operating officer of Microsoft (Google's cloud rival), stated last week, “We don't read your email. We're not listening to conversations in your house, driving cars up and down the street to do so.” This shot at Google heavily implies that the company could snoop on its customers.
As Turner may have suggested, Google does not monitor customer data on the platform on a routine basis. However, the option of using your own keys to secure data may provide the extra confidence needed for highly data-sensitive industries.
Law cautioned potential users that if their keys are lost, Google cannot help to recover them or the data.