Google LLC is updating the Cloud Key Management Service for its Google Cloud Platform with an easier-to-implement and lower-cost option that allows customers to protect workloads without worrying about the operational overhead.

Available in beta test mode starting today, Cloud HSM (pictured) is a managed and cloud-hosted “hardware security module” service that customers can use to store their encryption keys with Federal Information Processing Standard Publication 140-2 Level 3 security, which is a U.S. government computer security standard used to approve cryptographic modules.

Cloud HSM is a specialized hardware-only service that’s designed to encrypt small blocks of data rather than the larger data sets that are typically managed with the more general Key Management Service or KMS, Google Product Manager Il-Sung Lee wrote in a blog post. It’s being offered as a fully managed service, which means Google takes care of all the server cluster management, scaling and upgrade tasks.

“You control your use of the Cloud HSM service through the regular Cloud KMS APIs, and the Cloud HSM service will take care of the patching, scaling, and clustering automatically with no downtime,” Lee wrote.

One of Cloud HSM’s main advantages is it can be used by customers that are required by regulatory mandates to operate encryption keys within a hardware environment, Lee said. Cloud HSM provides a feature that allows users to attest that their keys were created within a hardware boundary.

Analyst Holger Mueller of Constellation Research Inc. said the update was encouraging because security is always a major concern for executives when they evaluate moving apps to the cloud. “Adding more security capabilities like this hardware security management service, as Google is doing, is a good additional step to alleviate the security concerns in enterprises,” he said.

Cloud HSM and the Cloud KMS service both now also support “asymmetric keys,” or public-key cryptography, which is a system that uses pairs of keys — public keys that may be disseminated widely and private keys known only to the owner.

“In addition to symmetric key encryption using AES-256 keys, you can now create various types of asymmetric keys for decryption or signing operations,” Lee said. Like Cloud KMS, Cloud HMS is available in a range of customer-managed encryption key-enabled services on Google’s cloud, including BigQuery, Compute Engine, Cloud Storage and DataProc.

Securing Kubernetes workloads

In other news, Google announced a new Binary Authorization feature that ensures only trusted workloads are deployed to its Google Kubernetes Engine service, which is a managed, production-ready environment for deploying so-called containerized applications. According to Google’s product manager Jianing Sandra Guo, “Binary Authorization is a container security feature that provides a policy enforcement chokepoint to ensure only signed and authorized images are deployed in your environment.”

Guo reckons that Binary Authorization is needed because software containers, which are used to host applications that can be built once and run anywhere, are vulnerable to attacks from insiders who could bypass continuous integration and continuous deployment security controls to deploy malicious code.

Binary Authorization eliminates this problem, which stems from a reliance on identity-based access, by establishing a preventative security posture that allows only trusted code to run inside containers. It also integrates with Google’s Cloud Audit Logging tool so admins can review any failed attempts to create new pods, which might have been an effort to inject malicious code into the software.

An overview of Google’s Binary Authorization feature

“Binary Authorization formalizes and codifies an organization’s deployment requirements by integrating with the desired CI/CD stages to produce signatures, or “attestations,” as an image passes through,” Guo said. “[It] acts as an admission controller by preventing images that do not meet these criteria from being deployed.”

Binary Authorization is available in beta starting today.

Images: Google