Most organizations are looking to move their data and workloads into the public cloud. But they are held back because of compliance reasons or regulatory reasons and they are not comfortable with the cloud holding onto their keys. Organizations need greater control and security over their cloud keys. Fortanix integrates with Google Cloud Platform’s External Key Manager service to enable organizations to move the data to the cloud and get the same level of security for keys that they’re used to in their own on-prem environments. Protect your BigQuery and other cloud native services data by doing server-side encryption. Keys for the encryption are never stored at GCP. They are always under your control, away from the cloud. At a click of a button, in real time, enable and disable access to your data from specific instances and locations.
COMPLETE CONTROL OF KEYS
MEET COMPLIANCE REQUIREMENTS
SIMPLIFIED AND CENTRALIZED ENCRYPTION
UNIFIED DATA PROTECTION PLATFORM
EXTERNAL KEY MANAGEMENTEncrypt data in the google cloud using encryption keys stored outside the cloud. Enforce access to data at rest for BigQuery and Compute Engine.
CONTROL FULL KEY LIFECYCLEMaintain full control and visibility into key creation, location, and distribution of cloud keys.
SECURE DATA IN USERuntime Encryption® Technology plugin uses Intel® SGX Secure Enclave technology to protect data always.
FIPS 140-2 LEVEL 3 CERTIFIEDStore and protect encryption keys on-premises with FIPS 140-2 Level 3 certified HSMs
DISTRIBUTED AND SCALABLE ARCHITECTUREDistributed architecture allows for key replication and scales depending on changing requirements of the organization.
How does Google Cloud’s External Key Manager work?
Services running on GCP, such as Big Query and GCE, currently can use an encryption key hosted by Google Cloud KMS or Cloud HSM to secure their data at rest. An envelope encryption scheme is followed where the data is encrypted using a local data encryption key (DEK), which in turn is encrypted using a key encryption key (KEK) in Cloud KMS or Cloud HSM. Google allays the concerns of customers who don’t want to trust the public cloud by extending the envelope encryption scheme to allow the KEK to be encrypted using an externally managed key encryption key (EKEK).