After almost a week of Google’s announcement that it will start to encrypt by default its Cloud Storage application, it is now being implemented. It initially encrypted the server-side of its new and active data even before they are stored in the cloud, then it will be followed by processing of old data that are previously stored in the system.
All other company data that uses Google will automatically be encrypted once files are uploaded in the Google Cloud Storage. The data is encrypted with a 128-bit Advanced Encryption Standard algorithm, then the object’s unique key is attached and encrypted again to the object’s owner. These data once stored in the cloud will be automatically and periodically updated in terms of auditing and access controls.
“These keys are additionally encrypted by one of a regularly rotated set of master keys.. Of course, if you prefer to manage your own keys then you can still encrypt data yourself prior to writing it to Cloud Storage.” Dave Barth, Google Cloud Storage product manager said.
Barth added that this new protocol will have no additional cost, no required setup configuration, no system modification and no obvious performance changes to its users.
This new development will hopefully remove doubts about the giant’s security platform following the revelation of NSA’s contractor Edward Snowden of the PRISM activities.
“If you require encryption for your data, this functionality frees you from the hassle and risk of managing your own encryption and decryption keys. We manage the cryptographic keys on your behalf using the same hardened key management systems that Google uses for our own encrypted data, including strict key access controls and auditing,” Barth added.
Google assured its cloud users that the company does not give any access or encryption keys to any government agency, unless it is in accordance with legal and documented investigations as required by law.
A Google spokeswoman said that the security team sternly reviews all requests for data. The team automatically pushes back any request that appears to be doubtful or likely a fishing expedition for information. All requests that do not strictly follow the process will be denied. She added that no government agency even the NSA or CIA have direct access to their company’s system.
For its part, the Information Commissioner’s Office (ICO) stated that data encryption is a security system method that uses encrypted protocol. It provides user file protection against interception whether the data is in a cloud storage or is in ransit. According to ICO, all encyption algorithms must meet industry standards and should assure users that data protection is available even while files are in transit.
However, the ICO said that cloud users that use SaaS may find it difficult to ensure that their provider can assure encryption protocol if the former uses various cloud services. The agency also added that encryption key management must meet all data protection compliance requirements, so as not to have a Data Protection Act (DPA) breach.
“In an IaaS (infrastructure as a service) or data storage scenario, it is much easier for the cloud customer to insist that all data is encrypted before it leaves his, or the cloud user’s device. However, in a SaaS cloud this is more difficult to achieve because the cloud provider may need access to the data in order to perform the necessary processing,” ICO stated.
All these security requirements need to be legally written in a service agreement contract to ensure that cloud providers are bound by law to perform these tasks without fail. The service agreement must state that providers must meet all organizational and technical requirements under the DPA principles.
Another interesting viewpoint in all these talk about security issue is the fact that although Google is prudent enough to address the issue, it is also a move to advance its marketing and PR strategies.
Truth of the matter is that all cloud-based services have encryption keys, but providers opt not to turn it on by default because it causes major performance slow down in most cases. Good or bad, it’s still an opportunity for cloud providers to find means and ways to develop better security applications. And for users, it means better security for their data.