Supporting compliance with key management
This page provides information about supporting compliance with key management using encryption for Assured Workloads.
Overview
Encryption key management is fundamental to supporting regulatory compliance of Google Cloud resources. Assured Workloads supports compliance through encryption in the following ways:
CJIS or ITAR: Customer-managed keys and separation of duties are mandatory for these control packages, and optional for Impact Level 4 (IL4) and Impact Level 5 (IL5).
- CMEK: Assured Workloads mandates the use of customer-managed encryption keys (CMEK) to support these control packages.
- Key management project: Assured Workloads creates a key management project to align with NIST 800-53 security controls. The key management project is separated from resource folders to establish separation of duties between security administrators and developers.
- Key ring: Assured Workloads also creates a key ring to store your keys. The CMEK project restricts key ring creation to the compliant locations that you select. After the key ring is created, you are responsible for creating or importing encryption keys. Strong encryption, key management, and separation of duties all support positive security and compliance outcomes on Google Cloud.
Other control packages (including IL4 and IL5): Google-owned and Google-managed keys and other encryption options.
- Google-owned and Google-managed keys: Provide on-by-default, FIPS 140-2 validated encryption in transit and at rest for all Google Cloud services.
- Cloud Key Management Service (Cloud KMS): Assured Workloads supports Cloud KMS. Cloud KMS covers all Google Cloud products and services by default, providing FIPS 140-2 validated encryption in transit and at rest.
- Customer-managed encryption keys (CMEK): Assured Workloads supports CMEK.
- Cloud External Key Manager (Cloud EKM): Assured Workloads supports Cloud EKM.
- Key import: Assured Workloads supports importing your own keys into the key ring it creates.
Encryption strategies
This section describes Assured Workloads encryption strategies.
Assured Workloads CMEK Creation
CMEK lets you have advanced controls over your data and key management by enabling you to manage your complete key lifecycle, from creation to deletion. This capability is critical to supporting cryptographic erase requirements in the Cloud Computing SRG.
Services
CMEK-integrated services
CMEK covers the following services, which store customer data for CJIS.
Other services: Custom Key Management
For services that aren't integrated with CMEK, or for customers whose control packages don't require CMEK, Assured Workloads customers have the option to use Google-managed Cloud Key Management Service keys. This option gives customers additional key management choices to fit their organizational needs. Today, CMEK integration is limited to the in-scope services that support CMEK. Google-managed KMS is an acceptable encryption method because it covers all Google Cloud products and services by default, providing FIPS 140-2 validated encryption in transit and at rest.
For other products supported by Assured Workloads, see Supported products by control package.
Key management roles
Administrators and developers typically support compliance and security best practices through key management and separation of duties. For example, while developers might have access to the Assured Workloads resources folder, administrators have access to the CMEK key management project.
Administrators
Administrators typically control access to the encryption project and the key resources within it. Administrators are responsible for allocating key resource IDs to developers, who use them to encrypt resources. This practice separates key management from the development process and lets security administrators manage encryption keys centrally in the CMEK project.
Security administrators can use the following encryption key strategies with Assured Workloads:
Developers
During development, when you provision and configure in-scope Google Cloud resources that require a CMEK encryption key, you request the resource ID of the key from your administrator. If you don't use CMEK, we recommend that you use Google-owned and Google-managed keys so that data is still encrypted.
The request method is determined by your organization as part of your documented security processes and procedures.
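The two checks a security administrator would want to run before handing a key resource ID to a developer, as an added example that is not part of this page or of Assured Workloads itself: the key must live in the separate key management project and in a location you selected as compliant, and no developer principal may hold anything beyond encrypt/decrypt on that project. Project IDs, locations, key names and IAM members below are constructed sample values.

```python
import re

# Constructed assumptions for the example: the dedicated key management project,
# the compliant locations chosen for the control package, and the only role a
# developer principal should hold in that project.
KEY_MGMT_PROJECT = "example-cmek-project"
COMPLIANT_LOCATIONS = {"us-central1", "us-east4"}
DEVELOPER_ALLOWED_ROLES = {"roles/cloudkms.cryptoKeyEncrypterDecrypter"}

# Cloud KMS key resource ID layout: projects/P/locations/L/keyRings/R/cryptoKeys/K
KEY_NAME_RE = re.compile(
    r"^projects/(?P<project>[a-z][a-z0-9-]{4,28}[a-z0-9])"
    r"/locations/(?P<location>[a-z0-9-]+)"
    r"/keyRings/(?P<ring>[A-Za-z0-9_-]{1,63})"
    r"/cryptoKeys/(?P<key>[A-Za-z0-9_-]{1,63})$"
)


def check_key_resource_id(key_name):
    """Return a list of findings for a CMEK key resource ID (empty list = acceptable)."""
    m = KEY_NAME_RE.match(key_name)
    if not m:
        return ["malformed key resource ID"]
    findings = []
    if m["project"] != KEY_MGMT_PROJECT:
        findings.append(f"key lives outside key management project: {m['project']}")
    if m["location"] not in COMPLIANT_LOCATIONS:
        findings.append(f"non-compliant location: {m['location']}")
    return findings


def check_separation_of_duties(bindings, developers):
    """bindings: IAM policy bindings of the key management project, each
    {'role': ..., 'members': [...]}. Flags developers holding key admin rights."""
    findings = []
    for b in bindings:
        for member in b["members"]:
            if member in developers and b["role"] not in DEVELOPER_ALLOWED_ROLES:
                findings.append(f"{member} holds {b['role']} in key management project")
    return findings


# Constructed sample policy: admins manage keys, one developer was wrongly granted admin.
SAMPLE_BINDINGS = [
    {"role": "roles/cloudkms.admin", "members": ["group:security-admins@example.com"]},
    {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
     "members": ["serviceAccount:app@workload.iam.gserviceaccount.com", "user:dev@example.com"]},
    {"role": "roles/cloudkms.admin", "members": ["user:dev@example.com"]},
]
SAMPLE_DEVELOPERS = {"user:dev@example.com", "serviceAccount:app@workload.iam.gserviceaccount.com"}
```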
What's next
- Learn how to create an Assured Workloads folder.
- Learn which products are supported for each control package.