Overview
Regulatory drivers such as the GDPR and the CJEU's Schrems II ruling push organizations to be able to revoke access to their data at any time and to hold the encryption keys outside the cloud provider's control as an additional data protection measure. To meet those expectations, an External Key Management system, also called a Bring-Your-Own-Key-Management-System (BYOKMS) approach, is critical, and that is precisely why Google introduced the External Key Manager (EKM) service. With this mechanism you protect data at rest with encryption keys that are stored and managed by a third-party key management system (KMS) outside the cloud, meet privacy requirements, and gain a stronger security posture for your cloud data.

Fortanix Solution
Fortanix integrates with the Google Cloud Platform (GCP) External Key Manager service so that organizations can move data to the cloud while keeping the same level of key security they are used to in their own on-prem environments. Encryption keys always remain under customer control and are stored inside a FIPS 140-2 Level 3 certified HSM, away from the cloud. At the click of a button, in real time, you can enable and disable access to your data from specific instances and locations.

Why Fortanix?
- The solution can be consumed as a service, which suits cloud migration projects.
- Hold the master keys in a FIPS 140-2 Level 3 certified HSM; keys are never cached or stored in Google Cloud.
- Supports the GCP services that integrate with Cloud EKM, including BigQuery, Compute Engine, Artifact Registry and more.
- Disable the keys and prevent data access with the kill switch.
- Maintain full control and visibility into the creation, location, and distribution of cloud keys.
- The integrated service supports multiple enterprise key management use cases (database TDE, storage encryption, PKI, and others).
- A clustered, cloud-native architecture provides high availability and disaster recovery. This matters because the external KMS sits on the path of every decrypt operation: if it is unreachable, the cloud service cannot unwrap keys and the data becomes unreadable, exactly as if the kill switch had been thrown.

Fortanix also secures Google Workspace data
- Client-side encryption of user data for apps like Google Drive, Docs and Slides.
- Ensure no user-generated data goes unencrypted over the wire.
- Just toggle a switch and set up in minutes.
- Improve data sovereignty and compliance by keeping keys separate from the data.

Benefits

Enhanced security for your data
The impact of cloud provider insider threats and misconfiguration errors is sharply reduced, because the provider's own staff and systems never hold the key material. Cloud providers are also compelled to respond to lawful discovery orders, often without notifying the customer; when the keys are held outside the provider, it can hand over only ciphertext that it is unable to decrypt, and the customer can see and stop the access in their own key manager.

Complete Control of Keys
The Fortanix solution offers a kill switch: an administrator stops decryption of data at rest in the integrated GCP services simply by disabling the corresponding key in Fortanix. Because Google Cloud holds only a reference to the external key and must call out to Fortanix for every wrap and unwrap, disabling the key takes effect on the next request, without touching anything stored in the cloud. Re-enabling the key restores access just as quickly, and every such change is recorded in the Fortanix audit log.
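To make the kill-switch mechanism concrete, here is an added Python model of the envelope-encryption flow behind an external key manager. It is illustrative code written for this page, not Fortanix or Google code: the key URI, the service and record names and the sample record are constructed, and an HMAC-SHA256 counter-mode keystream with an HMAC tag stands in for the AES-GCM a real KMS would use. What it shows is that the cloud side only ever stores ciphertext plus a wrapped data-encryption key, so flipping the key's enabled flag at the external KMS is enough to stop every subsequent read.

```python
"""Model of envelope encryption behind an external key manager (EKM).

Constructed illustration, not Fortanix or Google code. The cloud side keeps
ciphertext and a *wrapped* data-encryption key (DEK) plus a reference to the
external key; it never sees the key-encryption key (KEK). Every read has to ask
the external KMS to unwrap the DEK, so disabling the key there (the "kill
switch") makes the data unreadable without changing anything in the cloud.
"""
import hashlib
import hmac
import os


class KeyDisabledError(PermissionError):
    """Raised by the external KMS when an operation hits a disabled key."""


def _keystream(key, nonce, length):
    # Counter-mode keystream from HMAC-SHA256: stand-in for a real block cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _encrypt(key, plaintext):
    # Encrypt-then-MAC with a fresh 12-byte nonce; layout is nonce || ct || tag.
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _decrypt(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class ExternalKMS:
    """Stands in for the customer-controlled, HSM-backed KMS outside the cloud."""

    def __init__(self):
        self._keys = {}   # key_uri -> [KEK bytes, enabled flag]; never leaves this object
        self.audit = []   # every state change and wrap/unwrap attempt is recorded

    def create_key(self, key_uri):
        self._keys[key_uri] = [os.urandom(32), True]

    def set_enabled(self, key_uri, enabled):
        # The kill switch: a single flag flip at the external KMS.
        self._keys[key_uri][1] = enabled
        self.audit.append(("set_enabled", key_uri, enabled))

    def wrap(self, key_uri, dek):
        kek, enabled = self._keys[key_uri]
        self.audit.append(("wrap", key_uri, enabled))
        if not enabled:
            raise KeyDisabledError(key_uri)
        return _encrypt(kek, dek)

    def unwrap(self, key_uri, wrapped):
        kek, enabled = self._keys[key_uri]
        self.audit.append(("unwrap", key_uri, enabled))
        if not enabled:
            raise KeyDisabledError(key_uri)
        return _decrypt(kek, wrapped)


class CloudService:
    """Cloud side: stores ciphertext and wrapped DEKs, never the KEK itself."""

    def __init__(self, ekm):
        self.ekm = ekm
        self.store = {}   # name -> (key_uri, wrapped DEK, ciphertext)

    def put(self, name, key_uri, plaintext):
        dek = os.urandom(32)                       # per-object data-encryption key
        wrapped = self.ekm.wrap(key_uri, dek)      # round trip to the external KMS
        self.store[name] = (key_uri, wrapped, _encrypt(dek, plaintext))

    def get(self, name):
        key_uri, wrapped, ct = self.store[name]
        dek = self.ekm.unwrap(key_uri, wrapped)    # round trip on every read: no caching
        return _decrypt(dek, ct)


def demo():
    """Write a record, throw the kill switch, confirm reads fail, then re-enable."""
    ekm = ExternalKMS()
    key_uri = "https://ekm.example.internal/keys/gcp-master"   # hypothetical key reference
    ekm.create_key(key_uri)
    cloud = CloudService(ekm)
    cloud.put("table-row", key_uri, b"PAN=4111111111111111")  # constructed sample record
    before = cloud.get("table-row")
    ekm.set_enabled(key_uri, False)                            # kill switch on
    try:
        cloud.get("table-row")
        killed = False
    except KeyDisabledError:
        killed = True
    ekm.set_enabled(key_uri, True)                             # kill switch off
    after = cloud.get("table-row")
    return before, killed, after


if __name__ == "__main__":
    print(demo())
```

The property to notice is that `CloudService.store` never contains the key-encryption key, only wrapped DEKs and ciphertext, so a single `set_enabled` call at the external KMS is sufficient to stop every subsequent read. The same property is the operational caveat: an unreachable external KMS has the same effect on reads as the kill switch, which is why the availability of that system matters as much as its security.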

Achieve Compliance
Compliance mandates require organizations to separate keys from the data they protect. Fortanix helps meet these mandates by letting organizations manage their own keys and secure them in FIPS 140-2 Level 3 certified hardware security modules (HSMs). Keys can also be kept within regional or national boundaries when the customer's compliance requirements call for it.

Centralized tamper-proof audit trail
Fortanix provides a single, centralized encryption platform that accelerates moving applications to the public cloud while offering one set of cryptographic services for on-premises, hybrid, and cloud workloads. Organizations can centrally implement controls such as quorum approvals for sensitive operations, key rotation, and auditing and logging, so every key creation, use, and state change lands in one tamper-evident audit trail.


So the Fortanix solution brings an ability to control the keys externally. You can turn the keys off, turn them on; they are totally under your control. The other advantage, with PayPal's requirements, is that it actually enables new business use cases to go to the cloud.
