Organizations looking for an alternative to managing data encryption keys in-house now have a new option to consider.
Google this week rolled out a new cloud-hosted key management service for enterprise customers of its cloud platform. The service is available starting this week in beta form in about 50 countries, including the U.S., Australia, Canada, Germany, the Netherlands and Denmark.
Google Cloud KMS is designed to help organizations create, use, rotate and destroy AES-256 standard symmetric encryption keys for protecting data in cloud environments. The service eliminates the need for enterprises, especially those in regulated sectors such as health care and finance, to maintain custom-built or ad-hoc systems for managing the keys used to encrypt their data, according to the company.
“With Cloud KMS, you can manage symmetric encryption keys in a cloud-hosted solution, whether they’re used to protect data stored in [Google Cloud Platform] or another environment,” Google product manager Maya Kaczorowski announced on the Google Cloud Platform blog this week.
For instance, organizations can use the service to manage the keys used for encrypting user credentials and API tokens associated with applications stored outside the Google cloud.
The Cloud KMS service is directly integrated with Google’s Cloud Identity Access Management and Cloud Audit Logging services so organizations have greater control over their keys, Kaczorowski added.
Google’s new key management service allows enterprises to store and manage literally millions of encryption keys in a cloud environment. They can set the service to automatically rotate keys at regular intervals and limit the amount or scope of data that can be accessed via a single key version in order to minimize exposure in the event of a security compromise.
Google Cloud KMS fills a gap in the company’s encryption and key management service offerings. Google, which is a big proponent of end-to-end encryption on the Internet, currently encrypts all customer data at rest on its cloud servers, by default.
It also offers a service that enables enterprises to encrypt data in Google’s cloud using keys that are owned and managed by the enterprises rather than by Google. Google says its customer-supplied encryption keys (CSEK) option is designed for enterprises with stringent data privacy and security requirements.
This week’s newly introduced key management service falls between the default encryption and the CSEK options and broadens the available choices for enterprises, Kaczorowski said.
Pricing for Google’s Cloud Key Management Service is based on the number of active keys an enterprise stores and how often the keys are used to encrypt and decrypt data. The price for active key versions is $0.06 per key per month, while the rate for using the key starts at $0.03 per 10,000 operations.
So an organization that stores 500 encryption keys in Google Cloud KMS and uses them for a total of 100,000 operations can expect to pay $30.30, according to a Google price sheet.