Google’s Cloud Platform gets a new key management service

Google is launching a new key management service for its Cloud Platform today that will help enterprises — especially in regulated industries like healthcare and banking — create, use, rotate and destroy their encryption keys in the cloud. The aptly named Google Cloud Key Management Service (Cloud KMS) is now available as a beta in select countries.

Enterprises have traditionally managed their keys on-premise, but as they have slowly moved more of their workloads to the cloud, they have also started thinking about how they can manage their keys in the cloud, too. With the AWS Key Management Service and Azure Key Vault, Amazon and Microsoft have long offered similar tools, and even Google itself already offered a more basic version of Cloud KMS for users who wanted to supply their own encryption keys.

As Google’s Maya Kaczorowski, the product manager for this service, told me, it’s worth remembering that Google itself already encrypts all of the data on its platform by default. But if an enterprise needs more control over its keys to rotate and manage them, the Cloud KMS service is for them.

It’s worth noting that Cloud KMS users can also use the service to securely store other secrets, like OAuth tokens or configuration credentials. Google tells me that fraud detection provider Ravelin, for example, uses Cloud KMS to store its users’ configuration and authentication credentials, which are needed as part of virtually every transaction on its service.

As Kaczorowski stressed, this also means that the company is able to keep the latency of these transactions low. “We want to be able to be in the serving path of our customers,” she said. “We want to enable people to encrypt things they weren’t able to before.”


With the addition of Cloud KMS, Kaczorowski argued, Google now offers its users the full continuum of key management options — ranging from customer-supplied keys that are kept on-premise and used to secure cloud assets on one side to the default Cloud Platform encryption on the other, with the flexibility of the new Cloud KMS service in the middle.

Kaczorowski tells me that the service can easily handle hundreds of millions of keys and secrets, so scaling should not be an issue. “From the get-go, we architected it to allow customers to use as many keys as they want to,” she said.

Google will bill users based on the number of keys they store ($0.06 per active key version per month) and how often they use them ($0.03 per key use per 10,000 operations).

Like most of Google’s latest Cloud Platform updates, today’s launch is also clearly aimed at getting more enterprises to take a serious look at Google’s Cloud Platform. For the longest time, Google didn’t really go after these companies, but the company is now putting a renewed emphasis on competing in the enterprise cloud business.