Google continues to add to the appeal of its cloud storage capabilities, this time with the announcement that users’ data that is placed in its Cloud Storage system will be encrypted by default.
Google Cloud Storage Encryption
In a Google blog post, Dave Barth, Product Manager with Google Cloud Storage, says that the new encryption abilities need no setup or configuration, require no alterations to the way users access the service and -- even better -- are offered as a free service once you have subscribed to Cloud Storage.
Cloud Storage is Google’s service for those wishing to store data to the cloud, be they individuals or business users. It also integrates with Google Analytics.
If you find the idea of encryption off-putting, this is probably something that you’re really going to like in that Google does all the encryption and securing for you.
According to the post, it manages the encryption keys using the same kind of technology that it uses for its own data -- and you know how cagey Google is about its own data -- including rigorous controls around key access and auditing.
However, Google not only encrypts the data, it also encrypts the files’ metadata using 128-bit Advanced Encryption Standard (AES-128), while the per-object key itself is also encrypted with a key that is unique to the owner of the data. That key is also encrypted with a set of encryption keys that are regularly rotated.
Users can also manage their own keys if they want. The result is a system that encrypts to about five different levels, so it may be difficult for those that don’t manage this kind of technology already.
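The key hierarchy described above (data under a per-object key, that key under an owner key, the owner key under a rotated key) can be shown in a short Ruby sketch. This is an added example, not Google's code or anything from the blog post: the function and field names, the GCM mode, the blob layout and the single master key standing in for the rotated key set are all assumptions. It goes one step beyond the text by showing that rotation only re-wraps the owner key and leaves the stored data untouched.

```ruby
require 'openssl'

# Constructed example. What rests on disk: each key is stored only wrapped by the level above.
Stored = Struct.new(:data, :wrapped_object_key, :wrapped_owner_key)

def new_key
  OpenSSL::Random.random_bytes(16) # 16 bytes = AES-128 key size
end

# AES-128-GCM (mode assumed) over a non-empty plaintext; returns nonce(12) + tag(16) + ciphertext.
def seal(key, plaintext)
  c = OpenSSL::Cipher.new('aes-128-gcm').encrypt
  c.key = key
  nonce = c.random_iv
  c.auth_data = '' # no associated data in this sketch
  ciphertext = c.update(plaintext) + c.final
  nonce + c.auth_tag + ciphertext
end

# Reverses seal; raises OpenSSL::Cipher::CipherError on a wrong key or an altered blob.
def unseal(key, blob)
  raise ArgumentError, 'blob too short' if blob.bytesize <= 28
  c = OpenSSL::Cipher.new('aes-128-gcm').decrypt
  c.key = key
  c.iv = blob.byteslice(0, 12)
  c.auth_tag = blob.byteslice(12, 16)
  c.auth_data = ''
  c.update(blob.byteslice(28, blob.bytesize)) + c.final
end

# Data under a fresh per-object key, that key under the owner key, the owner key under master.
def store(master, owner_key, data)
  object_key = new_key
  Stored.new(seal(object_key, data), seal(owner_key, object_key), seal(master, owner_key))
end

# Unwrap top-down: master -> owner key -> object key -> data.
def read(master, stored)
  owner_key = unseal(master, stored.wrapped_owner_key)
  unseal(unseal(owner_key, stored.wrapped_object_key), stored.data)
end

# Rotation re-wraps one 16-byte key; the stored object data is not re-encrypted.
def rotate(old_master, new_master, stored)
  owner_key = unseal(old_master, stored.wrapped_owner_key)
  Stored.new(stored.data, stored.wrapped_object_key, seal(new_master, owner_key))
end

m1, m2 = new_key, new_key # demo: store under m1, rotate to m2, read back with m2
puts read(m2, rotate(m1, m2, store(m1, new_key, 'constructed sample object')))
```

In this layout, whoever holds the top-level key can unwrap every key beneath it, so access control and auditing on that key decide who can read the data.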
These encryption abilities have been applied server-side already so that any new data entering Cloud Storage will be encrypted automatically. However, Google said that it will also encrypt the data that is in its cloud already in the coming months.
Google Trust Deficit?
There are two obvious problems with all this, and both relate to issues that have been highlighted in recent weeks with the Edward Snowden controversy.
The first issue is this: Earlier in the week it emerged that Google doesn’t appear to believe that Gmail users should expect their emails to be private and that it was scanning them at a mind-boggling rate for the purposes of placing adverts. Who is to say that it won’t apply the same standards to enterprise data that it is storing?
The second issue is clear from the thread of comments on Dave Barth’s blog post and goes like this: Even if your data is encrypted, what is to stop government agencies from simply requesting the encryption keys? The Snowden data would seem to indicate that some of the major web companies have few qualms about offering data access to these agencies.
This in turn puts the whole cloud versus on premises debate back to where it started originally. If enterprises really want to secure their data, do they ultimately have to keep it on premises? While there is still no definitive answer to this, the scales are weighing firmly on the side of on premises at the moment. Whether any company can offer enough guarantees to counter-balance that remains to be seen.