Google has launched a beta version of a new Cloud Key Management System (KMS) to supplement the existing Google-managed server-side encryption and customer-controlled on-premise key management. It has broadened, it claims, "the continuum of encryption options available on Google Cloud Platform (GCP)." The beta KMS is currently available in 49 countries.
"With Cloud KMS," announced product manager Maya Kaczorowski in a blog post, "you can manage symmetric encryption keys in a cloud-hosted solution, whether they're used to protect data stored in GCP or another environment...
"As an alternative to custom-built or ad-hoc key management systems, which are difficult to scale and maintain," she continued, "Cloud KMS makes it easy to keep your keys safe."
Cloud KMS allows customers to manage their encryption keys in the cloud, whether they are used for data held in GCP or elsewhere. It is a REST API that allows AES256 encryption or decryption in Galois/Counter Mode. Customers will be able to create, use, rotate, automatically rotate, and destroy AES256 symmetric encryption keys. It allows a rotation schedule to automatically generate a new key version at a fixed time interval. Multiple versions of a key can be active at any time for decryption, with only one primary key version used for encrypting new data. Key destruction has a built-in 24-hour delay to prevent accidental or malicious loss.
Cloud KMS integrates with Google's IAM and Cloud Audit Logging so that customers can manage permissions on individual keys, and monitor how they are used. "Cloud KMS," says Garrett Bekker, Principal Security Analyst at 451 Research, "fills a gap by providing customers with the ability to manage their encryption keys in a multi-tenant cloud service, without the need to maintain an on-premise key management system or HSM."
Google sees the new service as particularly relevant for compliance within highly regulated industries. "Customers in regulated industries," says the announcement, "such as financial services and healthcare, value hosted key management services for the ease of use and peace of mind that they provide. Cloud KMS offers a cloud-based root of trust that you can monitor and audit. As an alternative to custom-built or ad-hoc key management systems, which are difficult to scale and maintain, Cloud KMS makes it easy to keep your keys safe."
But it's not necessarily that simple for all regulations. The European General Data Protection Regulation (GDPR) is being implemented across the European Union -- and this regulation seeks to protect European personal data wherever it is stored in the world. In the past, European best practice guides have promoted encryption as the way to store such data in the cloud compliantly -- but only where the encryption keys are not stored with the same cloud provider. The UK regulator, for example, advises (PDF), "The key is kept in the secure possession of the cloud customer. The cloud provider is therefore unable to view or otherwise further process the data other than to maintain access to, and availability of, the data."
Most American companies that trade with Europe will gather at least some European personal information -- and it is not clear whether storing that in GCP while simultaneously using Cloud KMS will be acceptable to the regulators. The problem is US government access to any and all data held by US companies. When the European Court of Justice declared the Safe Harbor agreement between the US and EU to be unconstitutional in 2015, it made it clear that the assumption that the NSA would have access to European data was key to its decision.
Safe Harbor has now been replaced by Privacy Shield -- but many Europeans do not believe that it will survive a similar legal challenge. At this stage in the evolution of EU/US privacy practices, it is almost certainly safe to user Cloud KMS with European data. But it may not remain so. "Until Privacy Shield is heard in the Court of Justice of the European Union (CJEU)," said privacy consultant Alexander Hanff, "it is unlikely that any regulator will take action (I presume Google is using Privacy Shield as its cover for this). However, with Schrems pushing for CJEU decisions on Privacy Shield and Model Clauses it is unlikely that such practices will stand for much longer." It was Max Schrems' legal action against Facebook that caused the downfall of Safe Harbor; and many expect his new action to do similar to Privacy Shield.
Cloud KMS might well assist enterprises for compliance with a raft of US regulations, but at this stage it is unclear whether it will be compliant with GDPR. It is certainly difficult to see Cloud KMS being acceptable to EU regulators if Privacy Shield is declared illegal under the European constitution. That will then become a concern for any US organization with any physical presence within the EU.