
Managing encryption keys in the cloud: introducing Google Cloud Key Management Service



Google has long supported efforts to encrypt customer data on the internet, including using HTTPS everywhere. In the enterprise space, we're pleased to broaden the continuum of encryption options available on Google Cloud Platform (GCP) with Cloud Key Management Service (KMS), now in beta in select countries.
“With the launch of Cloud KMS, Google has addressed the full continuum of encryption and key management use cases for GCP customers. Cloud KMS fills a gap by providing customers with the ability to manage their encryption keys in a multi-tenant cloud service, without the need to maintain an on-premise key management system or HSM.” Garrett Bekker, Principal Security Analyst at 451 Research
Customers in regulated industries, such as financial services and healthcare, value hosted key management services for the ease of use and peace of mind that they provide. Cloud KMS offers a cloud-based root of trust that you can monitor and audit. As an alternative to custom-built or ad-hoc key management systems, which are difficult to scale and maintain, Cloud KMS makes it easy to keep your keys safe.

With Cloud KMS, you can manage symmetric encryption keys in a cloud-hosted service, whether they’re used to protect data stored in GCP or in another environment. You can create, use, rotate and destroy keys via the Cloud KMS API, including as part of a secret management or envelope encryption solution. Cloud KMS is directly integrated with Cloud Identity and Access Management and Cloud Audit Logging, for greater control over, and visibility into, the use of your keys.

Forward-thinking cloud companies must lead by example and follow best practices. Ravelin, a fraud detection provider, for example, encrypts the small secrets, such as configurations and authentication credentials, that are needed as part of customer transactions, and uses a separate key per customer so that each customer's data is cryptographically isolated. Ravelin also encrypts secrets used for internal systems and automated processes.
“Google is transparent about how it does its encryption by default, and Cloud KMS makes it easy to implement best practices. Features like automatic key rotation let us rotate our keys frequently with zero overhead and stay in line with our internal compliance demands. Cloud KMS’ low latency allows us to use it for frequently performed operations. This allows us to expand the scope of the data we choose to encrypt from sensitive data, to operational data that does not need to be indexed.” Leonard Austin, CTO at Ravelin
At launch, Cloud KMS uses the Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM), the same authenticated encryption used internally at Google to encrypt data in Google Cloud Storage. The AES-GCM implementation comes from the BoringSSL library that Google maintains and continually checks for weaknesses with several tools, including tools similar to the recently open-sourced cryptographic test suite Project Wycheproof.
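As an added illustration (not code from the original post or from Google), here is the envelope encryption pattern the post refers to, in Python with the `cryptography` package (assumed installed): a fresh data key per record, encrypted under a key-encryption key, with the customer ID bound as AES-GCM associated data for the per-customer isolation described above, and a rotation step that re-wraps only the data key. `LocalKek` is a hypothetical in-process stand-in for the Cloud KMS encrypt/decrypt calls, which in practice are made through the KMS client and never expose the key-encryption key.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the standard AES-GCM choice

def _aead_encrypt(key, plaintext, aad):
    nonce = os.urandom(NONCE_LEN)  # fresh per call: never reuse under one key
    return nonce + AESGCM(key).encrypt(nonce, plaintext, aad)

def _aead_decrypt(key, blob, aad):
    return AESGCM(key).decrypt(blob[:NONCE_LEN], blob[NONCE_LEN:], aad)

class LocalKek:
    """Hypothetical in-process stand-in for a Cloud KMS CryptoKey. With the
    real service the KEK never leaves KMS; only the wrapped DEK is stored."""
    def __init__(self):
        self._key = AESGCM.generate_key(bit_length=256)

    def wrap(self, dek, aad):
        return _aead_encrypt(self._key, dek, aad)

    def unwrap(self, wrapped, aad):
        return _aead_decrypt(self._key, wrapped, aad)  # InvalidTag on mismatch

def encrypt_record(kek, customer_id, plaintext):
    """Envelope encryption: fresh 256-bit DEK per record, AES-GCM over the data,
    DEK wrapped by the KEK. customer_id is bound as AAD for per-customer isolation."""
    aad = customer_id.encode()
    dek = AESGCM.generate_key(bit_length=256)
    return {"wrapped_dek": kek.wrap(dek, aad),
            "ciphertext": _aead_encrypt(dek, plaintext, aad)}

def decrypt_record(kek, customer_id, record):
    aad = customer_id.encode()
    dek = kek.unwrap(record["wrapped_dek"], aad)
    return _aead_decrypt(dek, record["ciphertext"], aad)

def rotate_kek(old_kek, new_kek, customer_id, record):
    """KEK rotation re-wraps only the 32-byte DEK; bulk ciphertext is untouched."""
    aad = customer_id.encode()
    dek = old_kek.unwrap(record["wrapped_dek"], aad)
    return {"wrapped_dek": new_kek.wrap(dek, aad),
            "ciphertext": record["ciphertext"]}

def decrypts_in_context(kek, customer_id, record):
    # False when the KEK or the customer context does not match the record.
    try:
        return decrypt_record(kek, customer_id, record) is not None
    except InvalidTag:
        return False
```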

The GCP encryption continuum


With the introduction of Cloud KMS, GCP now offers a full range of encryption key management options, allowing you to choose the right security solution for your use case based on the nature of your data (e.g., financial, personal health, private individual, military, government, confidential or sensitive data) and on whether you want to store keys in the cloud or on-premise.
By default, Cloud Storage manages server-side encryption keys on your behalf. If you prefer to manage your cloud-based keys yourself, select "Cloud Key Management Service," and if you’d like to manage keys on-premise, select "Customer Supplied Encryption Keys" (for Google Cloud Storage and for Google Compute Engine). See the diagram below for a use-case decision tree:

Your data is yours

While we’re on the topic of data protection and data privacy, it might be useful to point out how we think about GCP customer data. Google will not access or use GCP customer data, except as necessary to provide them the GCP services. You can learn more about our encryption policy by reading our whitepaper, “Encryption at Rest in Google Cloud Platform.”

Safe computing!

Security talks at Google during the RSA Conference



If you work in cloud security, you might be planning a trip to San Francisco next month for the RSA Conference. If so, please stop by our San Francisco office for a series of 20 security talks. Our office is a 12-minute walk up Howard Street from Moscone Center where the RSA Conference is held.

Google Cloud takes security seriously, and we’re excited to share more about some of the interesting and difficult problems we’re working on day-to-day. In our security talks, you’ll hear about our efforts in cloud identity, vulnerability trends from Project Zero, DDoS mitigation, container security and more!

See below for the full agenda of exciting security talks we’ll be hosting. To learn more and RSVP, visit https://cloudplatformonline.com/rsa
We’re also excited that Googlers will be giving talks at the RSA conference itself:
Hope to see you at RSA!

What’s new with Google Cloud Resource Manager, and other IAM news



We here at Google Cloud Platform have been busy working on resources to help you manage identity and security on GCP. Here’s what we’ve been up to.

First off, we’ve been listening to customers and have curated a Google Cloud Identity and Access Management FAQ that answers questions such as ‘What does a Cloud IAM policy look like?’ or ‘To what identities can I grant IAM roles?’ The FAQ already lists almost 40 questions, but if you think there's something missing please let us know.

Google Cloud Resource Manager’s new Organization resource

Several features of Google Cloud Resource Manager are now generally available, including the Organization resource. When you use an Organization resource, projects belong to the business rather than to the employee who created them, so if that employee leaves the company, his or her projects still belong to the organization. And because Organization admins can view and manage all of your company's projects, the Organization resource eliminates shadow projects and rogue admins.

You can grant roles at the Organization level that apply to all projects under the Organization resource. For example, if you grant the Network Admin role to your networking team at the Organization level, they'll be able to manage all the networks in all projects in your company, instead of having to grant them the role for individual projects.


Project provisioning fun with the Cloud Resource Manager API

The Google Cloud Resource Manager API now includes a projects.create() method, which lets you automate project provisioning from scripts and applications. Maybe you want to plug into a self-service system that allows developers to request new projects, or perhaps you want to integrate the creation of a new project into your CI/CD set-up. Using the projects.create() API lets you standardise the configuration of your projects.

Consider creating different templates for different kinds of project; a data analysis project, for example, will have a different composition than a compute project. Different templates simplify project creation and management: you simply run the correct script or template to set up the proper project environment. Treat these scripts as code that amends the standard project creation scripts, keep the templates under version control, and revert to an earlier version if need be.

The Cloud Resource Manager projects.create() API is available through the REST interface, the RPC interface, the client libraries and the gcloud command-line tool.

Automating project creation with Python

Let’s look at how to use the projects.create() API from Python scripts or templates to automate project creation with a user or service account.

A common scenario for automating project creation is within large organizations that have set up an Organization resource. This example focuses on using a service account to create projects automatically.

  1. Create a service account in a designated project under your Organization resource. We recommend a designated project to contain resources that are used across the projects in your Organization resource; because service accounts are associated with a project, creating them in a central, designated project makes them easier to manage.
  2. At a minimum, the service account needs the resourcemanager.projectCreator IAM role. If you need to enable APIs beyond the defaults, you must also grant the service account the Billing User role at the Organization resource level, so that it can attach new projects to the Organization resource’s billing account; the service account can then enable the required APIs for the project. The billing account must be associated with the Organization resource.

Now that you have a service account that you can use to create projects automatically, go ahead and write a script that follows this flow:

Create a client with the correct scopes. Here's a code snippet showing how to create a client:

import httplib2
from googleapiclient import discovery
from oauth2client.client import GoogleCredentials

CRM_SERVICE_NAME = 'cloudresourcemanager'
CRM_VERSION = 'v1'
CRM_SCOPES = ['https://www.googleapis.com/auth/cloud-platform']

def create_client(http=None):
    # Application Default Credentials: the service account key named by
    # GOOGLE_APPLICATION_CREDENTIALS, or the metadata server on GCE.
    credentials = GoogleCredentials.get_application_default()
    if credentials.create_scoped_required():
        credentials = credentials.create_scoped(CRM_SCOPES)
    if not http:
        http = httplib2.Http()
    credentials.authorize(http)
    return discovery.build(CRM_SERVICE_NAME, CRM_VERSION, http=http)

Pass your organization ID and a uniquely generated project ID to a function that checks whether the project already exists by listing the projects in the organization and looping through them:

import random

def random_with_N_digits(n):
    return random.randint(10 ** (n - 1), 10 ** n - 1)  # exactly n digits, no leading zero

organization_id = str(YOUR_ORG_NUMERIC_ID)  # placeholder: your numeric Organization ID
proj_prefix = "your-proj-prefix"  # must be lower case and start with a letter
proj_id = proj_prefix + "-" + str(random_with_N_digits(6))

Here's a snippet showing how to list the projects in your organization:

def list_projects(org_id):
    crm = create_client()
    project_filter = 'parent.type:organization parent.id:%s' % org_id
    request = crm.projects().list(filter=project_filter)
    found = []
    while request is not None:  # follow nextPageToken until the listing is exhausted
        response = request.execute()
        found.extend(p['projectId'] for p in response.get('projects', []))
        request = crm.projects().list_next(request, response)
    return found

Create a project with the generated name if it does not already exist, with this code snippet:

def create_project(proj_id, organization_id):
    crm = create_client()
    if proj_id in list_projects(organization_id):
        print("project %s already exists, skipping" % proj_id)
        return None
    # projects.create() is asynchronous: it returns a long-running Operation.
    return crm.projects().create(
        body={
            'projectId': proj_id,
            'name': proj_id,
            'parent': {'type': 'organization', 'id': organization_id},
        }).execute()

And finally, programmatically launch the resources and assign IAM policies.
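The ID generation and existence check described in the flow above, as an added example that is not part of the original post: it validates each candidate against the project ID rules (restated here from Google's documentation, so re-check them against the current Resource Manager docs), retries when the candidate collides with an ID already listed under the Organization, and includes the random_with_N_digits helper the snippets call. `pick_unused_project_id` and `is_valid_project_id` are hypothetical names, and `SAMPLE_EXISTING` is constructed sample data standing in for the output of the listing function.

```python
import random
import re

# Project ID rules (from Google's docs, restated): 6-30 characters, lowercase
# letters, digits and hyphens only, must start with a letter, must not end
# with a hyphen, and must not contain restricted strings such as "google"
# or "ssl". IDs are global and cannot be reused once a project is deleted.
_PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")
_RESTRICTED = ("google", "ssl")

# Constructed sample: what list_projects() might return for an Organization.
SAMPLE_EXISTING = ["your-proj-prefix-111111", "billing-hub-202020"]

def is_valid_project_id(proj_id):
    return bool(_PROJECT_ID_RE.match(proj_id)) and not any(
        word in proj_id for word in _RESTRICTED)

def random_with_N_digits(n, rng=random):
    # Integer with exactly n digits and no leading zero.
    return rng.randint(10 ** (n - 1), 10 ** n - 1)

def pick_unused_project_id(prefix, existing_ids, rng=random, attempts=20):
    """Build prefix-NNNNNN, validate it, and retry while it collides with an
    ID already under the Organization. Returns None when the prefix can never
    yield a valid ID or every attempt collided."""
    prefix = prefix.rstrip("-")  # avoids the "prefix--123456" double hyphen
    taken = set(existing_ids)
    for _ in range(attempts):
        candidate = "%s-%d" % (prefix, random_with_N_digits(6, rng))
        if not is_valid_project_id(candidate):
            return None  # uppercase, too long, restricted word, ...
        if candidate not in taken:
            return candidate
    return None
```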

Now that you can use a script to create projects automatically, the next step is to expand on these steps to automate setting IAM policies and creating resources for your automation pipeline. Google Deployment Manager does that using declarative templates and is a good tool for automatically creating project resources. Stay tuned for a blog post on the topic.