Fortanix for Google Workspace

Fortanix unveils Client-side encryption for user data in Google Workspace apps such as Google Drive, Docs, Sheets, and Slides.

Download Solution Brief

hero image

Challenge

Google Workspace has been the productivity suite of choice for small businesses and Fortune 500 corporations alike. Needless to say, it safely harbours petabytes of sensitive or regulated data belonging to these organizations.

While Google runs atop the latest cryptographic standards, many organizations seek greater security and control over their cloud encryption keys. Especially the ones which operate in highly regulated industries — like defence, aerospace, or government. Housing the authentication keys separate from the storage system makes the data indecipherable to the CSP. At the same time, users can continue to leverage their collaborative services, access content on numerous devices, and share encrypted files externally.

Solution Overview

With Fortanix Data Security Manager SaaS (DSM SaaS), customers can bring a FIPS 140-2 Level 3 certified External Key Management Service for Google Workspace. Fortanix DSM SaaS integrates directly into Google Workspace Client-Side Encryption (CSE) capability for external key management. CSE allows customers to protect their data in Google Cloud — separating data from the key. The database encryption keys are managed outside of Goggle Workspace in the customer’s Fortanix DSM SaaS account.

Complete control over encryption keys:
For leveraging Google CSE users need to need to set up their encryption key access service with an external key manager that abides to CSE requirement.

No access to plaintext content:
For leveraging Google CSE users need to need to set up their encryption key access service with an external key manager that abides to CSE requirement.

Minimized impact on user experience:
For leveraging Google CSE users need to need to set up their encryption key access service with an external key manager that abides to CSE requirement.

Top Benefits

centralized

Centralized Management

A SaaS modeled key management service that lets you manage, store, use, rotate and destroy all the symmetric and asymmetric cryptographic keys for your Google Workplace projects.
speedy setup

Speedy Setup

Get integrated, up and running in minutes.
icon

Key provenance

Control the location and distribution of your Google Workspace keys.
icon

Unmatched Scalability

Collaborate and scale globally over Google Workspace with zero worries of keys storage location and management. Keys are never cached on Google cloud and access can be revoked anytime.
icon

Superior Control

Eliminate risks of key compromise in shared infrastructure with complete key confidentiality even from governments.

Joint Value Proposition

Google Workspace Client-side encryption aims at bolstering data confidentiality while touching upon a varied range of data sovereignty and compliance requirements. This is in addition to the industry-leading cryptographic standard that Google uses to encrypt all data at rest and in transit between facilities.

Fortanix Data Security Manager integrates with Google Workspace External CSE to replicate the same level of security for the keys as in an on-premises environment while moving their data to the cloud. Not only is the data undecipherable to Google, but the encryption keys are also never stored in GCP. The user has complete control over the authorization of Google Workplace data and keys.

Users also get to define and control policies for Google Workspace Key Encryption Key (KEK) from Fortanix DSM SaaS account. Upon receiving the file, the corresponding data encryption key is decrypted using customer-provided keys only after authenticating the user with customer-controlled authentication.

Fortanix DSM SaaS provides FIPS 140-2 Level 3 hardware-based protection, with complete separation between users and regions as needed. It also offers centralized management with audit logging, enterprise-level access controls, multisite and hybrid cloud support, built-in encryption, key management, tokenization, and support for various interfaces, including REST APIs, PKCS11, CNG JCE, and KMIP.

Core Integration Features

picture 2

How Does Google Client-Side Encryption Work?

Google Workspace CSE works for browsers and mobile apps by encrypting and decrypting content on the end user’s devices. The Google Workspace client calls into Fortanix DSM SaaS that the customer has configured and deployed, and the client performs cryptographic operations to seal and unseal Google Workspace content.

client side

Google Workspace CSE uses envelope encryption to protect data and it relies on web browsers for performing client-side operations. First, a data encryption key (DEK) is generated in a Google Workspace client, and it’s used to encrypt the data symmetrically. Then the DEK is handed over to Fortanix DSM SaaS to be encrypted symmetrically using a Key Encryption Key (KEK). The encrypted content and the encrypted DEK are then sent to Google infrastructure for storage.



Ready to test Fortanix Runtime Encryption?

request a demo
thumbnail