How do I ensure the cloud provider does not access my data?

Organizations can achieve enhanced control, security, and authority over data and cryptographic keys for Cloud Platform with External Key Management and Client-Side Encryption (CSE).

Bring Your Own KMS (BYOKMS) offers one of the most secure ways to protect keys and cloud data while providing strong integration with cloud-native services. Unlike BYOK, the cloud provider never has access to the master key. CSE, defined broadly, is encryption applied to data before it is transmitted from a system to a server.

External Key Management/BYOKMS and client-side encryption can be owned and controlled by organizations, with cloud providers having no access to or visibility into the keys. In this approach, the master key stays in the customer-owned external KMS, outside the cloud provider's reach, and every DEK must be unwrapped (decrypted) by the external KMS before it can decrypt the customer data.

Organizations get a single, simple, centralized encryption platform that accelerates moving applications to the public cloud while providing one set of cryptographic services to on-premises, hybrid, and cloud workloads. Cloud Workspace data is encrypted in the browser before it is sent to the servers. Organizations can collaborate and scale globally over Cloud Workspace without worrying about key storage location and management: keys are never cached in the cloud, and access can be revoked at any time.
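The two paragraphs above describe the envelope-encryption flow behind External Key Management: the master key (KEK) never leaves the customer-controlled KMS, the cloud side only ever stores ciphertext plus a DEK wrapped under that KEK, and revoking the KMS's cooperation makes the stored data unreadable. The Go program below is an added illustration of that flow and is not code from any cloud provider or EKM product; `ExternalKMS`, `StoredObject`, `Encrypt` and `Decrypt` are names chosen for this example, and the in-process KMS stands in for a real external service reached over the network.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ExternalKMS stands in for a customer-controlled key manager outside the
// cloud provider's boundary. The KEK never leaves this struct; the cloud
// side only ever sees wrapped (encrypted) DEKs.
type ExternalKMS struct {
	kek     []byte
	revoked bool
}

func NewExternalKMS() (*ExternalKMS, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &ExternalKMS{kek: kek}, nil
}

// Revoke withdraws the cloud's permission to unwrap keys. Ciphertext already
// in the cloud stays there but can no longer be decrypted.
func (k *ExternalKMS) Revoke() { k.revoked = true }

// seal encrypts with AES-256-GCM and returns nonce||ciphertext.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; the AAD must match or authentication fails.
func unseal(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// WrapDEK encrypts a DEK under the KEK. The object ID is bound as AAD so a
// wrapped DEK cannot be moved from one object to another.
func (k *ExternalKMS) WrapDEK(dek []byte, objectID string) ([]byte, error) {
	if k.revoked {
		return nil, errors.New("kms: access revoked")
	}
	return seal(k.kek, dek, []byte(objectID))
}

// UnwrapDEK is the only path back to a plaintext DEK, and it runs inside the KMS.
func (k *ExternalKMS) UnwrapDEK(wrapped []byte, objectID string) ([]byte, error) {
	if k.revoked {
		return nil, errors.New("kms: access revoked")
	}
	return unseal(k.kek, wrapped, []byte(objectID))
}

// StoredObject is everything the cloud provider holds for one record.
// Neither field is useful without a call to the external KMS.
type StoredObject struct {
	ID         string
	Ciphertext []byte
	WrappedDEK []byte
}

// Encrypt is the cloud-side envelope step: fresh DEK per object, data sealed
// under the DEK, DEK wrapped by the external KMS, plaintext DEK then zeroed.
func Encrypt(kms *ExternalKMS, id string, plaintext []byte) (*StoredObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, []byte(id))
	if err != nil {
		return nil, err
	}
	wrapped, err := kms.WrapDEK(dek, id)
	if err != nil {
		return nil, err
	}
	for i := range dek { // the DEK is never cached on the cloud side
		dek[i] = 0
	}
	return &StoredObject{ID: id, Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Decrypt must round-trip through the external KMS to recover the DEK.
func Decrypt(kms *ExternalKMS, obj *StoredObject) ([]byte, error) {
	dek, err := kms.UnwrapDEK(obj.WrappedDEK, obj.ID)
	if err != nil {
		return nil, err
	}
	return unseal(dek, obj.Ciphertext, []byte(obj.ID))
}

func main() {
	kms, _ := NewExternalKMS()
	obj, _ := Encrypt(kms, "doc-42", []byte("constructed sample record")) // constructed input
	pt, _ := Decrypt(kms, obj)
	fmt.Printf("decrypted: %s\n", pt)
	kms.Revoke()
	_, err := Decrypt(kms, obj)
	fmt.Println("after revoke:", err)
}
```

The point to check in your own deployment is the one the example makes visible: nothing stored on the cloud side (ciphertext, wrapped DEK, object ID) is sufficient to decrypt, and a single `Revoke` at the KMS cuts off every object at once, which is what "access can be revoked at any time" means in practice.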

Organizations can opt for Confidential Computing technology that can separate and encrypt data, especially data in use, in a hardware-based Trusted Execution Environment (TEE) so that it's not exposed to the infrastructure processing it.