Use third-party keys in the cloud with Cloud External Key Manager, now beta

At Google Cloud Next UK last month, we announced the alpha version of Google Cloud’s External Key Manager (Cloud EKM). Today, Cloud EKM is available in beta, so we wanted to provide a deeper look at what Cloud EKM is and how it can be valuable for your organization. 

In a first for any public cloud, Cloud EKM will let you achieve full separation between your data and your encryption keys. At its heart, Cloud EKM lets you protect data at rest in BigQuery and Compute Engine using encryption keys that are stored and managed in a third-party key management system that’s deployed outside Google’s infrastructure.

Cloud EKM provides the bridge between Cloud KMS and an external key manager.

This approach offers several unique security benefits: 

  • Maintain key provenance over your third-party keys. You have strict control over the creation, location, and distribution of your keys.  

  • Full control over who accesses your keys. Because keys are always stored outside Google Cloud, you can enforce that access to data at rest for BigQuery and Compute Engine requires an external key. 

  • Centralized key management. Use one key manager for both on-premises and cloud-based keys, ensuring a single policy point and allowing enterprises to easily take advantage of hybrid deployments. 
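To make the separation described above concrete, here is an added illustrative model of the control flow, not Google's code and not the Cloud EKM implementation. It assumes a hypothetical `ExternalKeyManager` that holds a key-encryption key (KEK) which never leaves it, and a hypothetical `CloudService` that generates a per-object data-encryption key (DEK), keeps only ciphertext plus the wrapped DEK, and must call the external manager to read anything back. Disabling the key at the external manager is modelled as a hard denial, which is the property the post is selling: no external key, no access to the data at rest. The cipher is a stdlib-only HMAC-SHA256 counter-mode stand-in for AES-GCM so the example runs anywhere; it is not a recommendation for real data.

```python
"""Illustrative model of the Cloud EKM separation (added example, not Google's code).

ExternalKeyManager stands in for the third-party key manager outside the cloud.
CloudService stands in for a cloud service whose data at rest is protected by a
key it never holds. Both names, and the disable/audit behaviour, are assumptions.
The cipher is an HMAC-SHA256 counter-mode keystream with an HMAC tag: a stdlib
stand-in for AES-GCM so the example is self-contained, not production crypto.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

_NONCE_LEN, _TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Derive n bytes of keystream as HMAC(key, nonce || counter) blocks.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def _seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(_NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:_NONCE_LEN], blob[_NONCE_LEN:-_TAG_LEN], blob[-_TAG_LEN:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KeyAccessDenied(Exception):
    """Raised when the external key manager refuses a wrap/unwrap request."""


class ExternalKeyManager:
    """Hypothetical external key manager: the KEK is created here and never returned."""

    def __init__(self) -> None:
        self._kek = secrets.token_bytes(32)  # never leaves this object
        self.enabled = True                   # key owner's kill switch, outside the cloud
        self.audit_log: list[tuple[str, str, bool]] = []

    def _check(self, caller: str, op: str) -> None:
        # Every key use is logged at the external side, whether or not it is allowed.
        self.audit_log.append((op, caller, self.enabled))
        if not self.enabled:
            raise KeyAccessDenied(f"{op} refused for {caller}: key disabled externally")

    def wrap(self, dek: bytes, caller: str) -> bytes:
        self._check(caller, "wrap")
        return _seal(self._kek, dek)

    def unwrap(self, wrapped_dek: bytes, caller: str) -> bytes:
        self._check(caller, "unwrap")
        return _open(self._kek, wrapped_dek)


@dataclass
class StoredObject:
    ciphertext: bytes   # data encrypted under a per-object DEK
    wrapped_dek: bytes  # DEK encrypted under the external KEK; useless without the EKM


class CloudService:
    """Hypothetical cloud service: holds data, never holds the KEK."""

    def __init__(self, ekm: ExternalKeyManager, name: str) -> None:
        self.ekm, self.name = ekm, name

    def write(self, plaintext: bytes) -> StoredObject:
        dek = secrets.token_bytes(32)
        obj = StoredObject(_seal(dek, plaintext), self.ekm.wrap(dek, self.name))
        # The plaintext DEK goes out of scope here; only the wrapped form is persisted.
        return obj

    def read(self, obj: StoredObject) -> bytes:
        dek = self.ekm.unwrap(obj.wrapped_dek, self.name)  # round trip to the EKM
        return _open(dek, obj.ciphertext)


def demo() -> tuple[bytes, bool, list[str]]:
    """Write, read, revoke the key externally, read again; returns what a test can check."""
    ekm = ExternalKeyManager()
    svc = CloudService(ekm, "bigquery-dataset-1")  # constructed caller name
    obj = svc.write(b"customer record 42")         # constructed sample data
    first_read = svc.read(obj)
    ekm.enabled = False  # key owner pulls access at the external key manager
    try:
        svc.read(obj)
        denied = False
    except KeyAccessDenied:
        denied = True
    return first_read, denied, [op for op, _, _ in ekm.audit_log]


if __name__ == "__main__":
    print(demo())
```

The design point is that `StoredObject` is all the cloud side ever persists: ciphertext plus a wrapped DEK. After `ekm.enabled = False` the service still holds both, and both are worthless to it, because the only party that can unwrap the DEK is the external manager, which also keeps the audit trail of every attempt.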

To make Cloud EKM easy to implement, we are working with five industry-leading key management vendors: Equinix, Fortanix, Ionic, Thales, and Unbound. (The Ionic and Fortanix integrations are ready today; Equinix, Thales, and Unbound are coming soon.) Check out the videos below to learn more.

Equinix and Cloud EKM

In collaboration with Equinix, Google Cloud brings customers the next level of control for their cloud environments with External Key Manager. Check out the video to learn more.

Fortanix and Cloud EKM

In collaboration with Fortanix, Google Cloud brings customers the next level of control for their cloud environments with External Key Manager. Check out the video to learn more.

Ionic and Cloud EKM

In collaboration with Ionic, Google Cloud brings customers the next level of control for their cloud environments with External Key Manager. Check out the video to learn more.

Thales and Cloud EKM

In collaboration with Thales, Google Cloud brings customers the next level of control for their cloud environments with External Key Manager. Watch the video to learn more.

Unbound and Cloud EKM

In collaboration with Unbound, Google Cloud brings customers the next level of control for their cloud environments with External Key Manager. Check out the video to learn more.

For more information on Cloud EKM, including how to get started, check out the documentation.

Compute Engine or Kubernetes Engine? New trainings teach you the basics of architecting on Google Cloud

Google Cloud wants you to be able to use the cloud on your terms, and we provide a range of computing architectures to meet you where you are. In practice, this often means choosing between Compute Engine and Google Kubernetes Engine (GKE). But, which one will best serve your needs?

If you’re used to managing virtual machines (VMs) in your on-premises environment or other clouds, and want a similar experience in Google Cloud, then Compute Engine is for you. It offers scale, performance, and value so you can easily launch large compute clusters on Google’s infrastructure. Compute Engine also lets you build predefined VMs or tailor custom machine types to your specific needs.

If you’re working with containers, and need to coordinate more than one in your solution, then GKE—our managed, production-ready environment for deploying containerized applications—is your best choice. It uses our latest innovations in developer productivity, resource efficiency, automated operations, and open source flexibility to help you accelerate your time-to-production.

Of course, your cloud architecture will look very different depending on whether you build it with VMs (Compute Engine) or containers (GKE). That’s why we now offer two architecting training paths, available on-demand or in a classroom setting:

Architecting with Google Compute Engine takes you from introductory to advanced concepts in five courses. You’ll learn all the basics of the Google Cloud Platform (GCP) console and how to create virtual machines using Compute Engine. Then, you’ll dive into core services, such as Identity and Access Management (IAM), database services, billing resources, and Stackdriver services. Next, you’ll gain an understanding of how to configure load balancers and autoscaling for VM instances. The course will teach you to automate the deployment of GCP services and leverage managed services for data processing, as well as how to design highly reliable and secure GCP deployments.

Over four courses, Architecting with Google Kubernetes Engine teaches you the basics of the GCP console, and then goes deeper into deploying and managing containerized applications using GKE. You’ll learn all the tools of GKE networking, and how to give your Kubernetes workloads persistent storage, while gaining an understanding of security, logging, monitoring, GCP managed storage, and database services.

Ready to learn more about architecting with GCP? Join us on Friday, October 25 at 9:00 AM PST for a special webinar, Architecting with Google Compute Engine: Building your cloud infrastructure. In this webinar, we’ll give you an overview of the different Compute Engine services and demonstrate some of those services in GCP. By attending the webinar, you’ll also get one month of access to this training on Coursera at no charge. Click here to register today.