Protecting the keys to your kingdom with Fortanix Google External Key Management
Michael Conway
Director at Renaissance | Cyber Security | Encryption Devices | Business Continuity
Many organisations have adopted the Google Cloud Platform (GCP) as their public cloud provider. Many did so as they are already using Google Workspace business and productivity solutions like Gmail and Google Docs, and it makes sense to use GCP for other cloud-based solutions.
Securing Data in the Cloud
Figures show that 92% of organisations use the cloud and that approximately 50% of all corporate data is in cloud services. The need to protect this data has never been greater. Regulations such as the General Data Protection Regulation (GDPR) in the EU (and the California Consumer Protection Act (CCPA) in the USA) impose stringent penalties on organisations that do not protect the data they control, irrespective of where it is stored.
Storing data in cloud services like GCP does not remove the responsibility for data security from the organisations that create and control it. Much of the data stored in GCP and other Google cloud services used by businesses is sensitive and needs to be protected. This protection is delivered through strong encryption of data at rest on cloud storage (and in transit over the network, but that's a topic for another time).
Strong data encryption requires cryptographic keys that get used to encrypt and decrypt the data as it is accessed and saved. Keeping these cryptographic keys secret and secure from adversaries looking to breach data defences is essential. When using GCP, there are various ways to protect these keys ranging from less secure to highly secure. Given the risks at stake if data leaks, most organisations using GCP should be looking to provide the maximum security for the keys and the data they protect.
The maximally secure way to protect the keys is for the organisation that owns them, or their designated managed security service provider (MSSP), to hold and secure them. There are a few ways to do this, ranging from owning the keys but storing them in GCP, to owning them and storing them outside of GCP in another cloud service or on a dedicated hardware security module (HSM). The latter is known as external key management or Bring Your Own Key Management System (BYOKMS). Google has enabled this via their External Key Manager (EKM) service. With this service, organisations can protect their data at rest using encryption keys stored and managed by a third-party key management system (KMS) outside the cloud, and still deliver on data security and privacy requirements.
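To make the external key management model concrete, here is an added example (not code from the article, Google or Fortanix) that simulates the two parties in Go: a customer-controlled external key manager that holds the key-encryption key (KEK) and a cloud-side storage path that only ever receives wrapped data-encryption keys (DEKs). The key IDs, the in-memory key store and the sample record are constructed for the example; a real HSM would keep the KEK non-exportable and the real EKM protocol carries more metadata than a single key ID. The point it shows is that the cloud side never sees the KEK, every read depends on the external side agreeing to unwrap, and disabling the key at the external side makes the stored ciphertext unreadable without touching the cloud.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ExternalKeyManager is a simplified stand-in for the customer-controlled KMS/HSM
// (the role DSM plays): it owns the KEKs, decides whether a key may be used, and
// records every use. The cloud side only ever calls Wrap and Unwrap.
type ExternalKeyManager struct {
	keks     map[string][]byte // key ID -> 32-byte AES-256 KEK (in memory only here; an HSM keeps it non-exportable)
	enabled  map[string]bool
	AuditLog []string
}

func NewExternalKeyManager() *ExternalKeyManager {
	return &ExternalKeyManager{keks: map[string][]byte{}, enabled: map[string]bool{}}
}

// CreateKey generates a fresh KEK that never leaves this component.
func (e *ExternalKeyManager) CreateKey(id string) error {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return err
	}
	e.keks[id] = kek
	e.enabled[id] = true
	return nil
}

// SetEnabled lets the key owner revoke cloud access to its data without touching the cloud.
func (e *ExternalKeyManager) SetEnabled(id string, on bool) { e.enabled[id] = on }

// use enforces policy and writes the audit record for every wrap/unwrap request.
func (e *ExternalKeyManager) use(id, op string) ([]byte, error) {
	kek, ok := e.keks[id]
	if !ok || !e.enabled[id] {
		e.AuditLog = append(e.AuditLog, fmt.Sprintf("%s key=%s DENIED", op, id))
		return nil, errors.New("key unavailable: " + id)
	}
	e.AuditLog = append(e.AuditLog, fmt.Sprintf("%s key=%s ok", op, id))
	return kek, nil
}

// Wrap encrypts a DEK under the KEK; Unwrap reverses it. Only the DEK crosses the boundary.
func (e *ExternalKeyManager) Wrap(id string, dek []byte) ([]byte, error) {
	kek, err := e.use(id, "wrap")
	if err != nil {
		return nil, err
	}
	return gcmSeal(kek, dek)
}

func (e *ExternalKeyManager) Unwrap(id string, wrapped []byte) ([]byte, error) {
	kek, err := e.use(id, "unwrap")
	if err != nil {
		return nil, err
	}
	return gcmOpen(kek, wrapped)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal returns nonce || AES-GCM ciphertext; gcmOpen reverses it.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

func gcmOpen(key, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], nil)
}

// CloudObject is what the cloud provider persists: ciphertext plus the wrapped DEK. No KEK.
type CloudObject struct {
	KeyID      string
	WrappedDEK []byte
	Ciphertext []byte
}

// StoreObject is the cloud-side write path: per-object DEK, encrypt, wrap the DEK externally, discard the DEK.
func StoreObject(ekm *ExternalKeyManager, keyID string, plaintext []byte) (*CloudObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := gcmSeal(dek, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := ekm.Wrap(keyID, dek)
	if err != nil {
		return nil, err
	}
	for i := range dek {
		dek[i] = 0 // the plaintext DEK is not retained by the cloud side
	}
	return &CloudObject{KeyID: keyID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// ReadObject is the cloud-side read path: every read needs the external side to unwrap the DEK.
func ReadObject(ekm *ExternalKeyManager, obj *CloudObject) ([]byte, error) {
	dek, err := ekm.Unwrap(obj.KeyID, obj.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, obj.Ciphertext)
}

func main() {
	ekm := NewExternalKeyManager()
	_ = ekm.CreateKey("customer-kek-1") // constructed key ID
	obj, _ := StoreObject(ekm, "customer-kek-1", []byte("constructed sample record"))
	pt, err := ReadObject(ekm, obj)
	fmt.Printf("read while enabled: %q err=%v\n", pt, err)
	ekm.SetEnabled("customer-kek-1", false) // the key owner revokes access
	_, err = ReadObject(ekm, obj)
	fmt.Println("read after revoke:", err)
	for _, line := range ekm.AuditLog {
		fmt.Println("audit:", line)
	}
}
```

The audit log on the external side is the detection value of this model: every access to data at rest shows up as a wrap or unwrap request that the key owner, not the cloud provider, records and can alert on.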
Fortanix Data Security Manager (DSM)
Fortanix Data Security Manager (DSM) integrates with GCP's External Key Manager service to give organisations the same level of security for keys that they are used to with on-premises infrastructure. When using DSM, encryption keys are always under the control of the organisation (or their MSSP), and the keys are securely stored inside a FIPS 140-2 Level 3 certified HSM that is not located on GCP. The diagram below shows a simplified overview of a DSM and GCP deployment.
Fortanix DSM provides the following features and benefits:
There is a SaaS deployment model for DSM that delivers DSM via a secure and expert hosting platform that organisations and MSPs can use to secure keys for GCP without having to manage the HSM devices themselves. Management access to the SaaS platform can be via a private Equinix Cloud Exchange Fabric connection if access via the web isn't secure enough for an organisation.
Further Reading
Fortanix has created a comprehensive PDF eBook called "Data Privacy in Google Cloud: Protect the Keys to Your Kingdom" that dives into protecting data in the cloud, the GCP security model, how Google EKM works, why BYOKMS is the way to go, and why Fortanix DSM is the best choice to protect your data stored in GCP services, plus an overview of the Fortanix SaaS HSM service.
You can download the eBook for free from https://resources.fortanix.com/protect-private-data-in-google-cloud-ebook.
Their website also has a comprehensive page on the topic of Google EKM at https://www.fortanix.com/solutions/use-case/ekm-for-gcp.
Next Steps
Fortanix and Renaissance partner to make DSM and other Fortanix solutions available to MSPs and organisations in the Irish market. Contact us to arrange to speak to an expert in Fortanix solutions or to book a demo.