Google key management keeps pace with AWS, Azure

A new Google Cloud Key Management Service attempts to keep pace with AWS and Azure with an important feature for highly regulated industries and enterprises that operate on its cloud.

Google is once again playing catch-up with Amazon Web Services -- this time, with an end-to-end security service that could be critical for highly regulated enterprises.

Google Cloud Key Management Service (Cloud KMS) is available to test in nearly 50 countries. Cloud KMS connects the disparate pieces of Google Cloud Platform (GCP) under one umbrella for a centralized way to handle workloads that reside on Google's cloud.

Google already offers a range of encryption and key capabilities: It encrypts data at rest by default, and last year, it added customer-supplied encryption keys. This new service fills the gap between those capabilities, and it targets customers in industries such as healthcare and the financial sector that want to simplify control over the creation, rotation and destruction of keys across GCP services.

The Google key management service provides a root of trust that can be monitored and audited, and it integrates directly with Google's Cloud Identity & Access Management and audit logging services. It uses the Advanced Encryption Standard in Galois/Counter Mode, which is the same encryption library Google said it uses internally for Google Cloud Storage.

Workiva, a financial reporting software developer in Ames, Iowa, worked with Google on Cloud KMS because it had to build its own version of the service to meet customer requirements.

"It's critical," said Dave Tucker, Workiva's vice president of engineering. "Without us doing this service, there are a number of customers that we wouldn't have [on GCP]."

Key management embedded at the platform level opens Workiva's customers to a broader range of GCP services, and it removes Workiva from the key management loop, he added.

Google previously lacked a generalized, service-wide key management system for its services and applications, so Cloud KMS is a major step forward, said Steve Riley, an analyst at Gartner.

Prior to this, Compute Engine and Cloud Storage customers had to rely on customer-supplied encryption keys, which are available in only 20 countries. On Compute Engine, for example, a customer-supplied key could be used only to wrap the Google-generated keys that, in turn, encrypt persistent disks and nothing else.
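The arrangement the article describes, a customer-controlled key that only wraps the service-generated keys which actually encrypt the data, is envelope encryption, and the lifecycle it attributes to Cloud KMS (creation, rotation and destruction, with AES-GCM underneath) falls out of that structure. The following Go program is an added illustration written for this page, not Google's code and not a client for Cloud KMS; it uses only the standard library. `KeyRing`, `WrappedDEK`, `Lifecycle` and the `kek-version:N` associated-data label are hypothetical names chosen for the example. It generalizes slightly beyond the article by versioning the key encryption key, so that a rotation re-wraps only the small data encryption key while the bulk ciphertext is never touched, and by showing that destroying a key version makes anything still wrapped under it unrecoverable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// randomBytes returns n bytes from the OS CSPRNG; a failure there is fatal.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a bad key length (not 16, 24 or 32 bytes) fails here
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal encrypts under a fresh random nonce, prepended to the output; a GCM nonce must never repeat under one key.
func seal(key, plaintext, aad []byte) []byte {
	gcm := gcmFor(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; the GCM tag check rejects a wrong key or any tampering with nonce, data or aad.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// KeyRing is a toy stand-in for a managed KMS (hypothetical, not the Cloud KMS API): versioned key
// encryption keys (KEKs) that never leave it. WrappedDEK is what a service stores beside its data.
type (
	KeyRing struct {
		versions map[int][]byte
		primary  int
	}
	WrappedDEK struct {
		Version int
		Blob    []byte
	}
)

func NewKeyRing() *KeyRing { return &KeyRing{versions: map[int][]byte{}} }

// Rotate adds a new 256-bit KEK version and makes it primary; older versions still unwrap until destroyed.
func (kr *KeyRing) Rotate() {
	kr.primary++
	kr.versions[kr.primary] = randomBytes(32)
}

// Destroy deletes a KEK version; anything wrapped only under it is lost for good.
func (kr *KeyRing) Destroy(version int) { delete(kr.versions, version) }

// Wrap seals the DEK under the primary KEK; the associated data binds the blob to its version.
func (kr *KeyRing) Wrap(dek []byte) WrappedDEK {
	aad := []byte(fmt.Sprintf("kek-version:%d", kr.primary))
	return WrappedDEK{Version: kr.primary, Blob: seal(kr.versions[kr.primary], dek, aad)}
}

// Unwrap recovers the DEK, failing if its KEK version has been destroyed.
func (kr *KeyRing) Unwrap(w WrappedDEK) ([]byte, error) {
	kek, ok := kr.versions[w.Version]
	if !ok {
		return nil, fmt.Errorf("KEK version %d has been destroyed", w.Version)
	}
	return open(kek, w.Blob, []byte(fmt.Sprintf("kek-version:%d", w.Version)))
}

// Lifecycle: encrypt under a fresh DEK, wrap it, rotate the KEK, re-wrap only the DEK, destroy the old
// version, then report whether the data still decrypts and whether the old wrapping is now unusable.
func Lifecycle(record []byte) (recovered string, oldWrapDead bool, err error) {
	kr := NewKeyRing()
	kr.Rotate()
	dek := randomBytes(32)
	ciphertext := seal(dek, record, nil) // bulk data, encrypted exactly once
	oldWrap := kr.Wrap(dek)
	kr.Rotate()
	newWrap := kr.Wrap(dek) // after rotation only the 32-byte DEK is re-wrapped; ciphertext is untouched
	kr.Destroy(oldWrap.Version)
	dek2, err := kr.Unwrap(newWrap)
	if err != nil {
		return "", false, err
	}
	pt, err := open(dek2, ciphertext, nil)
	if err != nil {
		return "", false, err
	}
	_, deadErr := kr.Unwrap(oldWrap) // destroyed KEK version: must fail
	return string(pt), deadErr != nil, nil
}
```

Calling `Lifecycle([]byte("constructed sample ledger entry"))` (a constructed input) returns the same text, `true` for the dead old wrapping, and a nil error. The version label in the GCM associated data is the check a practitioner wants here: a wrapped blob cannot be presented as belonging to a different KEK version, and a destroyed version fails closed instead of silently decrypting garbage.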

"That all changes now," Riley said. "It's in line with what we're seeing across the landscape of the name-brand, tier-one cloud service providers -- offering a managed encryption service that integrates across the various services."

Customers may choose to use Cloud KMS and customer-supplied encryption keys separately or together, said Neil MacDonald, a Gartner analyst.

Keeping up with the cloud competition

Once derided for its lack of enterprise know-how, Google brought on Diane Greene, the former VMware founder and chief, to head up its cloud division in late 2015. Since then, the company has made a serious push to fill the gaps in its services for that customer base, including new security features, regional expansion, a broader partner ecosystem and greater outreach.

Google's new Cloud KMS directly compares to offerings from its primary public cloud rivals: AWS Key Management Service and Microsoft Azure Key Vault, which became available in 2014 and 2015, respectively. Cloud KMS is currently in beta, and Google didn't provide a date when it will be generally available.

Not every user will want this level of security right now, but it's requested more frequently these days -- and not just in highly regulated industries, Tucker said.

"Eventually, it will just become best practices," he said. "Just like how everyone requires SSO [single sign-on] connections, this will be the evolution where everyone will have the same thing."

Trevor Jones is a news writer with TechTarget's data center and virtualization media group. Contact him at [email protected]