Google Cloud has announced the launch of a managed cloud-hosted hardware security module (HSM) service, a capability Amazon Web Services and Microsoft Azure already offer.
The Cloud HSM will enable customers to host encryption keys and perform cryptographic operations in FIPS 140-2 Level 3 certified HSMs, according to a company blog post.
To put this in perspective, the highest level for the FIPS 140-2 standard is Level 4, which aims to “provide a complete envelope of protection around the cryptographic module with the intent of detecting and responding to all unauthorised attempts at physical access.” Level 3, by contrast, requires “a high probability of detecting and responding to attempts at physical access, use or modification of the cryptographic module.”
Cloud HSM is tightly integrated with Google’s Cloud Key Management Service (KMS), which enables data protection in services such as BigQuery, Google Compute Engine, Google Cloud Storage and DataProc with a hardware-protected key.
The move came about, according to product manager Il-Sung Lee, because customers wanted more options to protect sensitive information and meet compliance mandates. This is despite Google claiming to be the only cloud provider that encrypts all customer data at rest.
“For those of you managing compliance requirements, Cloud HSM can help you meet regulatory mandates that require keys and crypto operations be performed within a hardware environment,” wrote Lee. “In addition to using FIPS 140-2 certified devices, Cloud HSM will allow you to verifiably attest that your cryptographic keys were created within the hardware boundary.”
Some may consider that this has been a long time coming for Google; Microsoft announced Azure Key Vault, a cloud-hosted HSM-backed service for managing cryptographic keys, as far back as the start of 2015. AWS’ CloudHSM tool is also widely documented.
Yet Google’s cloud operations have certainly been innovative elsewhere of late. Earlier this month the company announced the launch of pre-packaged AI services, around contact centres and talent acquisition, as well as supporting NVIDIA’s Tesla P4 GPUs, for graphics-intensive and machine learning applications.