Google Cloud KMS simplifies the key management service, but lacks features

Experts are impressed with the simplicity of Google's Cloud KMS even if it doesn't separate itself from the key management service competition.

A quality key management service is judged on its ability to simplify the task of keeping encryption keys safe, and although experts are impressed with the ease of use of Google's Cloud KMS, the product may not offer anything new.

Google announced its Cloud Key Management Service (KMS) as an extension of the Google Cloud Platform (GCP) as a beta service in various regions including North America, Europe and Southeast Asia.

Google is targeting "regulated industries, such as financial services and healthcare" with Cloud KMS because traditional "custom-built or ad hoc key management systems ... are difficult to scale and maintain."

"Cloud KMS offers a cloud-based root of trust that you can monitor and audit," Maya Kaczorowski, product manager at Google wrote in a blog post. "With Cloud KMS, you can manage symmetric encryption keys in a cloud-hosted solution, whether they're used to protect data stored in GCP or another environment. You can create, use, rotate and destroy keys via our Cloud KMS API, including as part of a secret management or envelope encryption solution. It's directly integrated with Cloud Identity Access Management and Cloud Audit Logging for greater control over your keys."
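The envelope encryption and key lifecycle Kaczorowski describes (a service that wraps data keys, with versions that are rotated and destroyed) can be seen end to end in the following added illustration. It is not code from the article, from Google, or from the Cloud KMS client library: the FakeKMS type, its method names and the Envelope layout are assumptions made for this example, standing in for the managed service so the program runs offline. AES-256-GCM is used for both layers; the sample record is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// randBytes draws n bytes from the OS CSPRNG; failure there is unrecoverable.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// mustGCM builds an AES-256-GCM AEAD; every key here is 32 bytes, so an error is a bug.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// seal returns nonce || ciphertext; open reverses it and fails on any modification.
func seal(aead cipher.AEAD, plaintext []byte) []byte {
	nonce := randBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil)
}

func open(aead cipher.AEAD, data []byte) ([]byte, error) {
	if len(data) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, data[:aead.NonceSize()], data[aead.NonceSize():], nil)
}

// FakeKMS is a local stand-in for the managed service (an assumption of this example, not
// Google's client). It holds key encryption keys (KEKs) by version and exposes only wrap/unwrap.
type FakeKMS struct {
	keks []cipher.AEAD // index is the version; nil marks a destroyed version
}

// Rotate adds a new primary KEK version (call it once before the first Wrap); older
// versions keep unwrapping until they are destroyed.
func (k *FakeKMS) Rotate() { k.keks = append(k.keks, mustGCM(randBytes(32))) }

// Destroy discards an existing KEK version; every DEK wrapped under it becomes unrecoverable.
func (k *FakeKMS) Destroy(version int) { k.keks[version] = nil }

// Wrap encrypts a data encryption key (DEK) under the newest KEK and returns the version used.
func (k *FakeKMS) Wrap(dek []byte) (int, []byte) {
	v := len(k.keks) - 1
	return v, seal(k.keks[v], dek)
}

// Unwrap recovers a DEK using the KEK version it was wrapped under.
func (k *FakeKMS) Unwrap(version int, wrapped []byte) ([]byte, error) {
	if version < 0 || version >= len(k.keks) || k.keks[version] == nil {
		return nil, errors.New("kms: key version unavailable")
	}
	return open(k.keks[version], wrapped)
}

// Envelope is what gets stored: ciphertext, wrapped DEK and the KEK version to unwrap it.
type Envelope struct {
	KEKVersion int
	WrappedDEK []byte
	Ciphertext []byte
}

// Seal uses a fresh DEK per object, encrypts locally and sends only the 32-byte DEK to the service.
func Seal(kms *FakeKMS, plaintext []byte) *Envelope {
	dek := randBytes(32)
	v, wrapped := kms.Wrap(dek)
	return &Envelope{KEKVersion: v, WrappedDEK: wrapped, Ciphertext: seal(mustGCM(dek), plaintext)}
}

// Open unwraps the DEK through the service, then decrypts locally; GCM authentication
// rejects a tampered ciphertext or wrapped key.
func Open(kms *FakeKMS, env *Envelope) ([]byte, error) {
	dek, err := kms.Unwrap(env.KEKVersion, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(mustGCM(dek), env.Ciphertext)
}
```

Usage is `kms := &FakeKMS{}; kms.Rotate()`, then `Seal(kms, data)` and `Open(kms, env)`. Two properties of the pattern are worth checking against it: after another `Rotate()` older envelopes still open because their KEK version is retained, while `Destroy(0)` makes everything wrapped under version 0 permanently unreadable, which is what a key-destruction step means for data at rest.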

John Morello, CTO of Twistlock, the San Francisco-based container security company, and former program manager for Microsoft's public key infrastructure, said Google's Cloud KMS is a "great example of what everyone in the security and cloud space should be focused on: making security best practices that used to be hard, easy." 

"By abstracting the complexity of key management from developers, every developer can more easily protect data throughout its lifecycle. Critically, Google's approach also provides customer choice, so you're not limited to a single trust anchor," Morello told SearchSecurity. "Instead, you can use the support they provide for customer managed keys to maintain full control over keys that are used for highly sensitive scenarios, while also using the built-in platform support for less critical needs. This makes it easier to just encrypt everything, everywhere while maintaining control over exactly how those keys are managed."

However, David Berman, senior director of product marketing at CipherCloud, a San Jose, Calif., cloud security company, said there was nothing in the announcement that could be considered "unique" compared to other options like Amazon's AWS key management service.

"Google KMS supports only [the] data at rest encryption use case for Google Cloud Platform customers," Berman told SearchSecurity. "The announcement highlights Google's late entry with a KMS option long after Amazon and other cloud storage providers have added such options."

Rod Schultz, vice president at Rubicon Labs, the cybersecurity company based in San Francisco, said Google's Cloud KMS should help enterprises build better security.

"In order for security to move forward and improve, the details and complexity of it must be abstracted, and this is precisely what Google is offering with KMS. Securely managing keys for data in transit and data at rest protection is the first step in better cloud security," Schultz told SearchSecurity. "Many of the vulnerabilities and hacks in the cloud today are symptoms of bad or a total lack of key management, and KMS should enable CISOs all over the world to get a bit more sleep each night."

Tom Grave, vice president of marketing at CTERA Networks, the New York-based data protection company, said Google's Cloud KMS should "provide value in terms of ease of use and scalability for customers that are comfortable sharing the trust of key management with their cloud vendor."

"For many companies, entrusting a third party with key management is a nonstarter, which is why Google is smart to reinforce that [on-premises] key management remains an option," Grave told SearchSecurity. "Overall, we see Google's announcement as indicative of what we expect to see more of this year -- as the market for cloud services continues to mature, enterprise class features and functionality become prerequisites for any cloud offering for the majority of enterprise buyers."

Berman said Google's key management service may be insufficient for its target market of regulated organizations.

"There are minor benefits to having cloud-based key management including emphasizing that media encryption is a minimum table stake for data security," Berman said. "Regulated industries, like financial service and healthcare, will not find the shared key management approach of Cloud KMS adequate to address audit and compliance requirements including separation of duties, zero knowledge encryption and exclusive customer control of encryption keys."

Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, said Google is "missing out on solving the real challenge related to key and certificate management in the cloud."

"The Cloud Key Management does not automate the use of keys and digital certificates for HTTPS at all. This is [the] most basic, fundamental need for cloud compute and networking security: keys and certificates establish what systems are trusted or not, and establish privacy with encryption," Bocek told SearchSecurity. "This is a huge gap the serious enterprise cloud, DevOps, and security teams will [have] to have filled if they'll consider Google seriously for cloud services."

Dmitry Chastukhin, lead ERP security specialist at ERPScan, said Google's Cloud KMS may be simpler and more reliable, but could also create more problems for IT teams.

"It is more convenient for enterprises to use a turnkey cloud solution instead of maintaining custom-built or ad hoc systems for managing encryption keys. However, needless to say, protecting cloud products is one of the biggest headaches for security teams," Chastukhin told SearchSecurity. "In a nutshell, Google's KMS looks secure, but for my part, I don't recommend using it for keys related to critical infrastructure, just to be on the safe side."

Next Steps

Learn more about devising a hybrid cloud implementation plan.

Find out how Amazon's AWS Key Management Service can help bolster cloud security.

Get three perspectives on cloud identity and access management.
