Google Cloud wants to make it easier for customers to move more sensitive data to its cloud. To give companies more control over that encrypted data, it's announcing External Key Manager, a service that allows them to keep encryption keys outside Google's control.
The new service offers Google Cloud customers an alternative to its existing cloud-hosted key-management service, Cloud KMS, for managing encryption keys in Google Cloud.
Instead of trusting Google with encryption keys for sensitive data stored in its cloud, customers using Google Compute Engine virtual machines and the BigQuery managed data warehouse can store encryption keys externally, either on-premises or with external hosting partners.
"All data at rest that comes into the Google Cloud Platform is encrypted by default without the customer having to do anything," Google Cloud's Rob Sadowski, Trust & Security marketing lead, told ZDNet.
"But then we still get customers who say, 'That gives me confidence but I would like to manage some aspects of that encryption'."
As the name suggests, External Key Manager allows Google Cloud customers to store encryption keys completely outside Google's infrastructure.
It also extends the options Google has built to give customers more confidence when storing sensitive data in its cloud, including last year's launch of Cloud Hardware Security Module (HSM), which uses dedicated hardware to generate and store cryptographic keys.
External partners with which customers can use External Key Manager include Equinix, Fortanix, Ionic, Thales, and Unbound.
The second part of the new controls is a feature called Key Access Justifications. Used together with External Key Manager, it requires Google to supply a detailed justification each time it requests a customer's key to decrypt data, and lets customers approve or deny each request through an automated policy.
The combined features allow customers to deny Google the ability to decrypt their data. Key Access Justifications is designed for controlling data as it moves from an at-rest state to an in-use state in BigQuery and Compute Engine.
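To make the mechanism concrete, here is an added example, written for this page and not code from Google or any of the partners named above. It models the two pieces the announcement describes: a key manager that lives outside the provider and never releases its key-encryption key (KEK), and an automated policy that allows or denies each unwrap request based on the justification the provider supplies. Everything in it is an assumption for illustration: the class and function names, the justification codes, the sample data, and the HMAC-based stream cipher that stands in for AES so the script runs with only the Python standard library.

```python
# Added example (not Google's code or the page's): a toy external key
# manager (EKM) that keeps the key-encryption key (KEK) outside the "cloud"
# side and gates every unwrap request on a justification policy.
# Names, reason codes and the cipher construction are assumptions for
# illustration; the real services' APIs and reason codes are not shown here.
import hashlib
import hmac
import secrets

# Assumed, illustrative justification codes. The customer's policy allows only
# these two; any other reason (including an empty or unknown one) is denied.
POLICY_ALLOW = {"CUSTOMER_INITIATED_ACCESS", "CUSTOMER_INITIATED_SUPPORT"}


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256(key, nonce||counter) keystream XOR data.
    Stands in for AES so the example needs only the standard library; not for production."""
    keystream = bytearray()
    block = 0
    while len(keystream) < len(data):
        keystream += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, keystream))


class ExternalKeyManager:
    """Runs outside the cloud provider. Holds the KEK and never hands it out;
    it only wraps DEKs and, if policy allows the stated justification, unwraps them."""

    def __init__(self, kek: bytes, allowed_reasons: set[str]):
        self._kek = kek
        self._allowed = set(allowed_reasons)
        self.audit_log: list[tuple[str, str]] = []  # (justification, decision)

    def wrap(self, dek: bytes) -> bytes:
        nonce = secrets.token_bytes(16)
        ct = _xor_stream(self._kek, nonce, dek)
        tag = hmac.new(self._kek, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def unwrap(self, wrapped: bytes, justification: str) -> bytes:
        # Policy decision is recorded before anything is decrypted, so denials are auditable.
        decision = "ALLOW" if justification in self._allowed else "DENY"
        self.audit_log.append((justification, decision))
        if decision == "DENY":
            raise PermissionError(f"unwrap denied for justification {justification!r}")
        nonce, ct, tag = wrapped[:16], wrapped[16:-32], wrapped[-32:]
        expected = hmac.new(self._kek, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("wrapped DEK failed integrity check")
        return _xor_stream(self._kek, nonce, ct)


class CloudDataStore:
    """The provider side: encrypts each object with a fresh DEK, keeps only the
    wrapped DEK next to the ciphertext, and must ask the EKM (with a reason) to read it back."""

    def __init__(self, ekm: ExternalKeyManager):
        self._ekm = ekm
        self._objects: dict[str, tuple[bytes, bytes, bytes]] = {}

    def put(self, name: str, plaintext: bytes) -> None:
        dek = secrets.token_bytes(32)
        nonce = secrets.token_bytes(16)
        ct = _xor_stream(dek, nonce, plaintext)
        self._objects[name] = (self._ekm.wrap(dek), nonce, ct)
        # The plaintext DEK goes out of scope here; at rest only the wrapped DEK remains.

    def get(self, name: str, justification: str) -> bytes:
        wrapped, nonce, ct = self._objects[name]
        dek = self._ekm.unwrap(wrapped, justification)  # raises if policy denies
        return _xor_stream(dek, nonce, ct)


def demo() -> dict:
    """Constructed scenario: one allowed read, one denied read, and the audit trail."""
    ekm = ExternalKeyManager(kek=secrets.token_bytes(32), allowed_reasons=POLICY_ALLOW)
    store = CloudDataStore(ekm)
    store.put("patients.csv", b"id,dob\n1,1980-01-01\n")  # constructed sample data

    allowed = store.get("patients.csv", "CUSTOMER_INITIATED_ACCESS")
    try:
        store.get("patients.csv", "GOOGLE_INITIATED_REVIEW")  # assumed code not in the policy
        denied = False
    except PermissionError:
        denied = True
    return {"allowed_plaintext": allowed, "denied": denied, "audit": ekm.audit_log}


if __name__ == "__main__":
    print(demo())
```

The point the example makes is the one in the text above: the provider holds ciphertext and a wrapped DEK, so a read that arrives with a justification the policy rejects leaves the data unreadable, and every request, allowed or denied, lands in the key manager's audit log rather than only the provider's. A real deployment would replace the toy cipher with AES-GCM (or the key manager's native wrapping), authenticate the caller of `unwrap`, and treat the audit log as the record to reconcile against the provider's own access transparency logs.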
External Key Manager is launching in beta soon, while Key Access Justifications is launching in alpha.
Google Cloud announced the new controls at its Next UK conference in London.
The new controls are part of Google Cloud's effort under CEO Thomas Kurian to become more enterprise friendly. The group yesterday launched BigQuery Reservations, a new pricing model that gives enterprises predictable analytics spending and the ability to share idle capacity.