Google LLC’s Cloud Spanner managed relational database now allows companies to encrypt their information using their own encryption keys, the search giant announced today.

It’s a narrow but significant update because organizations in regulated industries such as finance and healthcare are often legally required to manage encryption keys internally. By providing that option, Google can now target an expanded range of database use cases with Cloud Spanner, which could translate new sales opportunities.

Cloud Spanner is the commercial version of the internal relational database that Google relies on to power its consumer services. The system uses standard SQL syntax for queries and comes with service level agreements that provide uptime of up to 99.999%. That translates into less than an hour of downtime per year.

By default, Cloud Spanner encrypts data in transit and at rest using encryption keys managed by Google. Companies now have the option to swap those keys for their own, which they can store in another Google Cloud service called Cloud KMS.

Cloud KSM supports more than a half-dozen popular cryptographic protocols. It provides controls that allow cybersecurity teams to create new keys, delete existing ones and have the encryption keys of particularly sensitive applications automatically refreshed at predetermined intervals to reduce the risk of a breach. The service can be used to encrypt not only the production data in a Cloud Spanner environment but also the associated backups.

For an added level of security, organizations can opt to have Google store their encryption keys in hardware encryption modules, tamper-proof devices that effectively function as data vaults. The hardware encryption modules in Google’s data centers are compliant with the U.S. government’s FIPS PUB 140-3 cybersecurity standard.

Google announced the expanded encryption features alongside another new security capability called Access Approval. It too can assist enterprises with meeting regulatory compliance requirements. When the feature is enabled by a company, Google’s support and engineering staff must receive explicit approval before they can access its Cloud Spanner environment for troubleshooting purposes.

Finance, healthcare and the other regulated sectors that Google is targeting with the latest Cloud Spanner enhancements constitute a massive market. Moreover, the new features might help the search giant compete for deals with companies in other areas as well. An organization looking to move its on-premises relational database to the cloud but still retain control over the encryption keys protecting that database can now migrate more easily to Google’s cloud.

Because of those considerations, it’s possible that Google could bring support for customer-provided keys to more database services in the future. Google Cloud offers more than a half-dozen different database products to customers.

Today’s update comes about a month after the company rolled out a new backup feature to Cloud Spanner for protecting against accidental data deletions and erroneous changes.

Image: Google