Thales announces support for Google Cloud Platform’s Customer-Supplied Encryption Key (CSEK) functionality. Google Cloud Platform customers can now generate, protect, and supply their encryption keys to the cloud using an on-premise, FIPS-certified nShield hardware security module (HSM) from Thales. The new CSEK support empowers enterprise customers who want to move workloads and data to the Google Cloud Platform, but need to retain control of their key material on-premise.
Jon Geater, CTO at Thales e-Security, says:
“While most enterprises want to take advantage of public clouds, some have requirements to generate and manage encryption key material on-premise. In introducing Customer-Supplied Encryption Keys, Google is allowing customers to implement a separation of duties as required. Customers using nShield HSMs and leveraging Google Cloud Platform can manage their keys from their own environments for use in the cloud, giving them greater control over how key material is generated.”
Protected by FIPS 140-2 Level 3 certified hardware, nShield uses strong methods to generate keys based on nShield’s high-entropy random number generator. Following generation, nShield exports customer keys into the cloud for one-time use via Google’s Customer-Supplied Encryption Key functionality. Using this feature, keys are only stored in memory, and discarded by Google after use. Customers can also leverage nShield HSMs on-premise for key storage protection and resilient disaster recovery mechanisms, giving them greater control over their key lifecycle.
Many enterprises must meet strict security standards due to internal or regulatory compliance rules, which sometimes presents a barrier to cloud usage. Thales nShield support for Google’s Customer-Supplied Encryption Key allows them to adopt key management practices that strengthen their cloud security and subsequently helps them implement their compliance controls.
Thales nShield HSMs are FIPS 140-2 Level 3 certified, tamper-resistant devices. nShield HSMs are also Common Criteria certified and are recognized as Qualified Signature Creation Devices (QSCDs) under the European eIDAS requirements. Thales is a technology member of the Google Cloud Platform partner program.