Google Cloud luring European customers into a false sense of security
In its latest attempt to woo European customers, Google Cloud hit the headlines last week with its announcement of new partnerships, features and encryption tools aimed at giving companies more control over their data.
The tech giant – which doesn’t have the cleanest track record when it comes to securing user data – claims that its new encryption solution will put sole control over where the data sits, how it is encrypted and who has access to it back into its customers’ hands, supposedly at “a level of control not available from any other cloud provider”.
A pretty ambitious claim, coming from a company that only 23% of its users trust to handle their data in line with privacy regulations.
So is Google Cloud really offering an unprecedented level of control now?
Google Cloud provides encryption at rest by default for your data, with three different key management options. Let’s take a closer look at these options and the level of security they actually guarantee.
1. Encryption by default
What Google says
With this type of encryption, your data is automatically encrypted before it is written to disk, and the encryption key is itself encrypted and managed by Google. It adds a layer of security and is convenient because it requires no action from the customer.
What Google doesn’t tell you
While this default encryption does add a layer of defense for your data, it only helps as long as the encryption keys don’t fall into an intruder’s or attacker’s hands. The problem is that because Google holds the encryption keys, its employees, and anyone else who manages to gain access to its servers, can decrypt your data. It’s like having your valuables locked up in a vault but keeping the key right next to it.
2. Customer-managed encryption keys (CMEK) using Cloud Key Management Service (KMS)
What Google says
Google suggests protecting your sensitive data with this type of key management because it separates your data at rest from your encryption keys. That is, the keys can be kept with a third party – an External Key Manager – outside Google’s control. Together with its Key Access Justifications feature, you can deny Google the ability to decrypt your data for any reason and receive a detailed justification each time Google requests your key to decrypt it. “As a result, you are the ultimate arbiter of access to your data.”
What Google doesn’t tell you
This option does go one step further: the encryption key is not stored on the same server as your data. In other words, you no longer keep your key next to your vault; you have given it to a trusted neighbor instead. However, this only applies to your data while it is at rest; as soon as you start working on a document, you have to provide your key to Google so it can decrypt your data. From that moment on, Google has access to your files. Hence, you are the arbiter of access to your data in theory, but in practice, once you hand your key to Google, they can do whatever they want with it.
3. Customer-supplied encryption keys (CSEK)
What Google says
Like option 2, this feature also lets you keep the encryption keys out of Google’s control. In this case, you use your own cryptographic keys and store them either on premises or with an independent third party. This is recommended for sensitive data.
What Google doesn’t tell you
Controlling your own encryption keys does not give you full control over your data. The decryption is still done by Google, with the key that you provide to them. While Google Cloud promises to forget your key once decryption is done, what guarantee is there that it actually does?
So what does this all mean?
None of these options gives you full control over the confidentiality of your data. They only give you a certain level of control over your encryption keys. The fundamental problem with all of them is that decryption of your data happens on Google’s servers, and the moment you hand over your key, Google can access your data.
Furthermore, these options only apply to data at rest – that is the only time Google cannot access your files if you keep your key on premises or with a third party. However, this is only a tiny part of your data’s lifecycle with Google. The moment you actively start working on your document, search, share or collaborate, Google needs to index and read your files. At that point, your data is no longer encrypted, and Google, or anyone who breaks into its systems, can access it.
Only end-to-end encryption can give you full control over your data
By the current state of the art, end-to-end encryption and zero-knowledge architectures are considered the strongest data-security measures. With end-to-end encryption, it is mathematically impossible for the provider to access the content of your data, because encryption and decryption happen locally, on your device, not in the cloud. Encryption keys remain solely in your hands; you never have to send them to your provider.
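To make that trust boundary concrete, here is an added Python sketch (not Google’s code, and not Tresorit’s) that models the two flows contrasted above: a CSEK-style flow, in which key and plaintext both pass through a hypothetical provider that is asked to forget the key, and an end-to-end flow, in which the client encrypts locally and uploads only ciphertext. The cipher is a constructed toy (HMAC-SHA256 keystream with encrypt-then-MAC) standing in for a real AEAD, and the `Provider` class, its `key_log` and the file names are assumptions made for the illustration.

```python
import hashlib, hmac, secrets

# Toy authenticated stream cipher (HMAC-SHA256 keystream in counter mode, encrypt-then-MAC),
# constructed for this illustration only; real code would use AES-GCM from a vetted library.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class Provider:
    """Hypothetical storage backend. key_log holds every key it was ever handed: a provider
    that promises to 'forget' keys is asking the customer to trust an unverifiable promise."""
    def __init__(self):
        self.objects, self.key_log = {}, {}

    # CSEK-style flow: customer uploads plaintext plus key; the provider encrypts on its
    # own servers and decrypts again on every read, so it sees both key and plaintext.
    def put_csek(self, name: str, plaintext: bytes, key: bytes) -> None:
        self.key_log[name] = key
        self.objects[name] = encrypt(key, plaintext)

    def get_csek(self, name: str, key: bytes) -> bytes:
        return decrypt(key, self.objects[name])

    # End-to-end flow: the customer encrypts on their own device and uploads only
    # ciphertext; the key never reaches the provider, so there is nothing to log.
    def put_blob(self, name: str, blob: bytes) -> None:
        self.objects[name] = blob
    def insider_read(self, name: str):
        """Plaintext if a key was ever logged for the object, else None (ciphertext only)."""
        key = self.key_log.get(name)
        return decrypt(key, self.objects[name]) if key else None

def demo() -> tuple:
    p = Provider()
    k_csek, k_e2e = secrets.token_bytes(32), secrets.token_bytes(32)
    p.put_csek("contract.pdf", b"confidential terms", k_csek)
    p.put_blob("contract_e2e.pdf", encrypt(k_e2e, b"confidential terms"))  # encrypted client-side
    return p.insider_read("contract.pdf"), p.insider_read("contract_e2e.pdf")
```

`demo()` returns the plaintext for the CSEK object and `None` for the end-to-end object: the retained key, not the strength of the cipher, is what decides whether an insider can read the file.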
However, the majority of providers, like Google, encrypt user data only in transit and at rest. This does not cover the entire data transmission route and leaves room for the provider, a government agency, or a hacker to access it. Companies handling sensitive data therefore should take Google’s security promise with a pinch of salt.
To keep full control over your data, you should opt for solutions like Tresorit which offer end-to-end encryption. This makes unauthorized file access technically impossible and therefore puts you in control over your data not only in theory, but in practice.