Using Fortanix Data Security Manager with Google Cloud EKM Interface



1.0 Introduction

This article describes how to integrate Fortanix Data Security Manager (DSM) with Google Cloud External Key Manager (EKM) so that Google Cloud Platform (GCP) services can use keys held in Fortanix DSM.

It also contains the information that a user needs to:

  • Enable the Cloud Key Management Service (KMS) API in your GCP project.

  • Obtain the GCP service account email address.

  • Import the Google Advanced Encryption Standard (AES) Key in Fortanix DSM.

  • Complete the GCP setup.

Fortanix DSM can act as the external key manager for Google Cloud services that support customer-managed encryption keys (CMEK) through Cloud EKM. For the complete list of supported services, refer to the Cloud EKM documentation.

2.0 Why Use Fortanix DSM With Google Cloud EKM?

Google Cloud’s External Key Manager allows services running in the Google Cloud Platform (GCP), such as BigQuery and Google Compute Engine (GCE), to use an encryption key that is managed in an external key management service and controlled entirely by the customer.

To read more about the announcement of Google Cloud External Key Manager (EKM) and the Fortanix DSM integration, read the Google and Fortanix announcement blogs.

Fortanix DSM protects your data on-premises as well as in the cloud. It provides end-to-end security for keys and data (at rest, in transit, and in use) protected with layers of defense, including Fortanix Runtime Encryption®, Intel® SGX, and FIPS-validated hardware. Only authorized users can access keys.

3.0 Terminology References

  • Fortanix Data Security Manager (DSM)

    Fortanix DSM is a cloud solution secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as secrets, such as passwords, API keys, tokens, or any blob of data.

  • GCP - Google Cloud Platform

    Google Cloud Platform is a suite of public cloud computing services offered by Google. The platform includes a range of hosted services for compute, storage, and application development that run on Google hardware. Google Cloud Platform services can be accessed by software developers, cloud administrators, and other enterprise IT professionals over the public internet or through a dedicated network connection.

  • Google KMS - Google Key Management Service

    Google Cloud Key Management Service (KMS) is a cloud service for managing encryption keys for other Google Cloud services that enterprises can use to implement cryptographic functions. For more information, see Google Cloud Key Management Service.

  • AES - Advanced Encryption Standard

    Google uses the Advanced Encryption Standard (AES) algorithm to encrypt data at rest. In this integration, the key that Fortanix DSM exposes to Google Cloud EKM is an AES key.

  • SGX - Software Guard Extensions

    Intel’s Software Guard Extensions (SGX) is a set of extensions to the Intel architecture that aim to provide integrity and confidentiality guarantees to security-sensitive computation performed on a computer where all the privileged software (kernel, hypervisor, and so on) is potentially malicious.

  • FIPS - Federal Information Processing Standards

    FIPS are a set of standards that describe document processing, encryption algorithms, and other information technology standards for use within non-military government agencies and by government contractors and vendors who work with the agencies.

4.0 Prerequisites

Ensure the following:

  • Fortanix DSM

  • GCP Services

  • Google Cloud Project

  • AES key

  • The GCP Project Owner must enable the Cloud Key Management Service (KMS) API in your GCP Project. For the steps to enable the Cloud KMS API in your GCP project, refer to the Google documentation.

  • The user who adds the EKM key to the GCP key ring must have the Cloud KMS Admin role (roles/cloudkms.admin).

  • The GCP project owner must enable BigQuery API access in your GCP Project.

  • The user who uses BigQuery must have permission to use BigQuery and permission to use the EKM-backed Cloud KMS key that references the key in Fortanix DSM.

NOTE

The AES key can either be manually imported or created in Fortanix DSM, or automatically created using the Google EKM easy wizard integration in Fortanix DSM.

5.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

5.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

5.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

Figure 1: Logging in

For more information on how to set up an account in Fortanix DSM, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.

6.0 Using Fortanix DSM with GCP Service

With Google Cloud Platform (GCP) External Key Manager, administrators use Fortanix DSM to store cryptographic keys for encrypting and decrypting GCP workloads, including BigQuery and Google Compute Engine (GCE).

6.1 Enable KMS API in Your GCP project

For the steps to enable the Cloud KMS API in your GCP project, refer to the Google documentation.

6.2 Obtain Your Google Service Account Email Address

Fortanix DSM requires the identity of the Cloud EKM service account in your Google Cloud project. GCP creates this service account automatically when the Cloud KMS API is enabled. It exists by default, has a fixed set of permissions that cannot be modified, and is not listed on your project's IAM page: it is a backend service account controlled by GCP. Its email address has the following format:

service-[PROJECT-NUMBER]@gcp-sa-ekms.iam.gserviceaccount.com

Here PROJECT-NUMBER is the numeric project number (not the project ID) of your Google Cloud Platform project. To find it, refer to Creating and managing projects in the Resource Manager documentation on Google Cloud.

6.3 Adding GCP EKM Instance in Fortanix DSM

Perform the following steps to create a GCP EKM app using the Google Cloud EKM wizard in Fortanix DSM SaaS:

  1. In the DSM left navigation panel, click the Instances menu item, select the Cloud Key Management/BYOK check box, and then click ADD INSTANCE on the Google Cloud EKM tile.

    Figure 2: Add Google EKM instance

  2. On the Add Instance page, do the following:

    1. Title: Enter a name for your instance.

    2. Google service account email: Enter the service account email address obtained in Section 6.2.

      NOTE

      The Google service account email must match the email address of an existing Google Service Account.

    3. In the Allow access to wrap/unwrap keys for the following types of access justifications section, select the key access justification reasons for which Fortanix DSM is allowed to wrap or unwrap the key.

      NOTE

      Selecting the allowed key justification reasons defines an access policy for the app. 

      The user can allow access to wrap or unwrap keys for the following types of key access justification options:

      • Accept All: Select Accept All to allow access for all the justification reasons provided below. You can also customize your selection and select specific justification criteria for access.

        • Customer-initiated support – Support initiated by the customer, for example, Case Number: ####.

        • Customer-initiated access – Customer or a third party authorized by the customer's IAM policy performs any access to the customer's data.

        • Google-initiated service – Google-initiated access, for example, to perform system management and troubleshooting, which includes:

          • Backup and recovery from outages and system failures.

          • Investigations to confirm that the customer is not affected by suspected service issues.

          • Remediation of technical issues, such as storage failure or data corruption.

        • Google-initiated review – Google-initiated access for security, fraud, abuse, or compliance purposes including:

          • Ensuring the safety and security of customer accounts and content.

          • Confirming if an event, such as malware infections, has affected the content and may impact account security.

          • Confirming whether the customer is using Google services in compliance with the Google Terms of Service.

          • Investigating complaints by other users and customers or other signals of abusive activity.

          • Ensuring consistent use of Google services under relevant compliance regimes, such as anti-money laundering regulations.

        • Google-initiated system operation – Google-initiated access for security, fraud, abuse, or compliance purposes.

        • Third-party data request – Customer-initiated access by Google to respond to a legal request or legal process, including when responding to a legal process from the customer that requires Google to access the customer's own content. Note that Access Transparency logs, in this case, may not be available if Google cannot legally inform the customer of such a request or process.

        • No justification reason provided – Indicates the actor accessing the data provided no access reason for the request. This may have been due to a transient error, a bug, or some other unexpected circumstance.

        • No justification reason expected – Indicates no reason is expected for this key request because the service in question has never integrated with Key Access Justifications, or is still in the pre-GA state and therefore may still have residual methods that call the External Key Manager without providing a justification.

        • Modified customer-initiated access – A customer uses their account to perform any access, which is authorized by their own IAM policy; however, a Google administrator has reset the superuser account associated with the user’s organization within the last 7 days.

        • Modified Google-initiated system operation – Google initiated access to customer data to perform indexing, structuring, pre-computation, hashing, sharding, and caching to optimize the structure and quality of data for future uses by the customer.

        • Google responses to production alert – Google-initiated access to maintain system reliability.

      • Allow missing justification: Select this option to allow access even if a justification reason is not provided.

    4. Click SAVE INSTANCE.

      Figure 3: Create instance

Saving the instance creates a new group, an app, and keys in Fortanix DSM, each named after the Google service account email:

  • Google Service Account Email app

    Figure 4: GCP EKM app

  • Google Service Account Email security object (AES key) with Encrypt and Decrypt permissions.

    Figure 5: AES key

6.4 Google EKM Instance Detailed View

Navigate to the Integrations menu item → Google EKM wizard → Google EKM instances table, and open an instance. The instance's detailed view shows the following:

  • KEY URI: Click GET KEY URI to view the details of the Key URI, such as username and password. This is applicable only if the app authentication method is API Key.

  • MANAGE KEYS: Click MANAGE to oversee the keys created.

  • DELETE: To delete the instance, click the overflow menu and select the DELETE option. Note that deleting an instance will result in the removal of the app, group, and all security objects associated with the instance, rendering all key material inaccessible.

Figure 6: Google EKM instance added

6.5 Enable GCP Service to Access AES Key

To allow a GCP service to use an AES key stored in Fortanix DSM, create a Cloud KMS key with the EXTERNAL protection level in your GCP key ring and set its external_key_uri to the URI of the key in Fortanix DSM.

Use the following format for the Google EKM URI:

https://<DSM_URL>/v0/gcp/key/<key_id>

Where <DSM_URL> is your Fortanix DSM service URL (for example, eu.smartkey.io), which must be reachable from Google Cloud, and <key_id> is the ID of the AES security object created in Section 6.3.

7.0 Application Configuration Management

7.1 Editing Authentication Method for an Existing App

Perform the following steps to change the authentication method:

  1. Go to the detailed view of the app created in Section 6.3: Adding GCP EKM Instance in Fortanix DSM, click Change authentication method, and select the Google Service Account option.

  2. Click SAVE.

  3. In the Configure authentication method window, select the key justification reasons. To learn about the justification policies, refer to Section 6.3: Adding GCP EKM Instance in Fortanix DSM.

    NOTE

    The app name must match the email address of an existing Google Service Account.

    Figure 7: Select key justification reason

  4. Click UPDATE.

The application is updated with the new authentication method.

7.2 Editing Key Access Justification Reason for an Existing App

You also have the option to edit the key access justification reason for an existing app.

  1. In the detailed view of a GCP app, click the INFO tab, and in the Google Service Account section, click VIEW INSTRUCTIONS.

    Figure 8: Edit existing key justification reason

  2. In the Google Service Account window, click EDIT.

    Figure 9: Edit key justification reason

  3. Edit the allowed justification reason and click SAVE AND CLOSE to save the new updates.

    Figure 10: Save and close the updates

8.0 Key Access Justification Policy Management

8.1 Adding Key Access Justification Policy for an Existing Key (Optional) 

You can also add a key access justification policy to an existing key from the Security Objects page.

NOTE

  • Fortanix DSM first checks the provided access reason against the app-level policy.

  • If the provided access reason passes at the app level, then Fortanix DSM checks it against the key-level policy.

  • If the provided access reason passes at both the app level and key level, Fortanix DSM executes the operation.

  • If the provided access reason passes at the app level but fails at the key level, Fortanix DSM throws an error: “Request violates Security-object's access reason policy.”

  1. In the DSM left navigation panel, click the Security Objects menu item, and then click the key for which you want to change the key justification policy.

    Figure 11: Select the key

  2. In the detailed view of the key, click the KEY ACCESS JUSTIFICATION tab, and then click ADD POLICY to add a new key access justification policy.  

    Figure 12: Change key authentication method

  3. By default, the Accept All option is selected.

    Figure 13: Change key authentication method (default settings)

  4. To change the applicable policies, clear the Accept All option and select the access justification reasons that you want to allow for the key. To learn about the justification reasons, refer to Section 6.3: Adding GCP EKM Instance in Fortanix DSM.

  5. Click SAVE to apply the defined access justification policies to the key.

The key is updated with the new justification policy. 
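The request screening described in Section 6.3 (the app-level justification policy), Section 6.5 (the external_key_uri format) and the Section 8.1 note (app-level policy first, then key-level policy, failing with the quoted error) can be modelled in a few lines. The following is an added example written for this page, not Fortanix or Google code: the reason codes are the names used by Google's Key Access Justifications API, the app-level error text and the status codes are assumptions, and the project number, DSM URL and key IDs are constructed sample values.

```python
"""Model of how Fortanix DSM screens a Google Cloud EKM wrap/unwrap request.

Added example, not Fortanix or Google code. Reason codes follow Google's Key
Access Justifications API; the app-level error text, the status codes and all
sample identifiers are constructed for illustration.
"""
import re
import uuid
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

# Justification reasons listed in Section 6.3, keyed by Google's KAJ reason code.
REASONS = {
    "CUSTOMER_INITIATED_SUPPORT": "Customer-initiated support",
    "CUSTOMER_INITIATED_ACCESS": "Customer-initiated access",
    "GOOGLE_INITIATED_SERVICE": "Google-initiated service",
    "GOOGLE_INITIATED_REVIEW": "Google-initiated review",
    "GOOGLE_INITIATED_SYSTEM_OPERATION": "Google-initiated system operation",
    "THIRD_PARTY_DATA_REQUEST": "Third-party data request",
    "REASON_UNSPECIFIED": "No justification reason provided",
    "REASON_NOT_EXPECTED": "No justification reason expected",
    "MODIFIED_CUSTOMER_INITIATED_ACCESS": "Modified customer-initiated access",
    "MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION": "Modified Google-initiated system operation",
    "GOOGLE_RESPONSE_TO_PRODUCTION_ALERT": "Google responses to production alert",
}

# The key-level error text is quoted in Section 8.1; the app-level text is assumed.
KEY_POLICY_ERROR = "Request violates Security-object's access reason policy."
APP_POLICY_ERROR = "Request violates App's access reason policy."

KEY_PATH = re.compile(r"^/v0/gcp/key/([0-9a-fA-F-]{36})$")


def ekm_service_agent(project_number: int) -> str:
    """Cloud EKM service agent email from Section 6.2 (GCP-managed, not shown in IAM)."""
    return f"service-{project_number}@gcp-sa-ekms.iam.gserviceaccount.com"


def ekm_key_uri(dsm_url: str, key_id: str) -> str:
    """Build the external_key_uri of Section 6.5; reject non-https hosts and non-UUID key IDs."""
    parsed = urlparse(dsm_url if "://" in dsm_url else f"https://{dsm_url}")
    if parsed.scheme != "https" or not parsed.netloc or parsed.path not in ("", "/"):
        raise ValueError(f"DSM_URL must be a bare https host, got {dsm_url!r}")
    uuid.UUID(key_id)  # the key ID is the security object's UUID; raises ValueError otherwise
    return f"https://{parsed.netloc}/v0/gcp/key/{key_id}"


def key_id_from_uri(uri: str) -> str:
    """Inverse of ekm_key_uri: the key ID DSM would take from the request path."""
    parsed = urlparse(uri)
    match = KEY_PATH.match(parsed.path)
    if parsed.scheme != "https" or match is None:
        raise ValueError(f"not a Fortanix EKM key URI: {uri!r}")
    return match.group(1)


def is_valid_key_uri(uri: str) -> bool:
    try:
        key_id_from_uri(uri)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class JustificationPolicy:
    """'Accept All' (every reason in REASONS) is the default, as in Section 6.3.
    allow_missing is the 'Allow missing justification' check box: a request that
    carries no reason at all (reason is None)."""
    allowed: frozenset = frozenset(REASONS)
    allow_missing: bool = False

    def permits(self, reason: Optional[str]) -> bool:
        if reason is None:
            return self.allow_missing
        return reason in self.allowed


@dataclass
class EkmApp:
    """The app DSM creates when an instance is saved (Section 6.3). A key whose
    policy is None has no key-level policy yet (Section 8.1)."""
    service_account: str
    policy: JustificationPolicy
    keys: Dict[str, Optional[JustificationPolicy]] = field(default_factory=dict)


def evaluate(app: EkmApp, caller: str, key_uri: str, reason: Optional[str]) -> Tuple[int, str]:
    """Screen one request in the order the Section 8.1 note gives:
    caller identity, key lookup, app-level policy, then key-level policy."""
    if caller != app.service_account:
        return 403, "caller is not the instance's Google service account"
    try:
        key_id = key_id_from_uri(key_uri)
    except ValueError as exc:
        return 400, str(exc)
    if key_id not in app.keys:
        return 404, "no security object with that key ID"
    if reason is not None and reason not in REASONS:
        return 400, f"unknown justification reason {reason!r}"
    if not app.policy.permits(reason):
        return 403, APP_POLICY_ERROR        # rejected at the app level
    key_policy = app.keys[key_id]
    if key_policy is not None and not key_policy.permits(reason):
        return 403, KEY_POLICY_ERROR        # passed the app level, failed the key level
    return 200, "wrap/unwrap permitted"


# Constructed sample data (not real project numbers or key IDs).
PROJECT_NUMBER = 123456789012
DSM_URL = "https://eu.smartkey.io"
RESTRICTED_KEY = "3f2b1c4d-9a8e-4b7c-8d6f-1e2a3b4c5d6e"   # key-level policy: customer reasons only
OPEN_KEY = "7c1d0e9f-2b3a-4c5d-8e6f-0a1b2c3d4e5f"         # no key-level policy
CUSTOMER_ONLY = JustificationPolicy(
    allowed=frozenset({"CUSTOMER_INITIATED_ACCESS", "CUSTOMER_INITIATED_SUPPORT"}))
APP = EkmApp(ekm_service_agent(PROJECT_NUMBER), JustificationPolicy(),
             {RESTRICTED_KEY: CUSTOMER_ONLY, OPEN_KEY: None})

if __name__ == "__main__":
    uri = ekm_key_uri(DSM_URL, RESTRICTED_KEY)
    for reason in ("CUSTOMER_INITIATED_ACCESS", "GOOGLE_INITIATED_REVIEW", None):
        print(reason, evaluate(APP, APP.service_account, uri, reason))
```

Running the block shows the three outcomes the Section 8.1 note distinguishes: a customer-initiated reason passes both levels, a Google-initiated review passes the app's Accept All policy but is rejected by the key's customer-only policy with the quoted error, and a request with no reason is stopped at the app level because Allow missing justification is off. A missing reason is deliberately kept separate from the REASON_UNSPECIFIED code, which Google does send as an explicit value.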

8.2 Editing Key Level Justification Policy for an Existing Key

You can also edit the key access justification policy of an existing key from the detailed view of the security object. After you have applied a policy to a key, the tab shows EDIT POLICY.

  1. In the DSM left navigation panel, click the Security Objects menu item, and then click the key for which you want to edit the key access justification reason.

    Figure 14: Select the key

  2. In the detailed view of the key, click the KEY ACCESS JUSTIFICATION tab, and then click EDIT POLICY.

    Figure 15: Edit key authentication method

  3. Clear the default policies you want to remove, select the policies you want to add, and then click SAVE.

The key is updated with the new access justification policy.

9.0 References

  1. Google Cloud External Key Manager documentation: https://cloud.google.com/kms/ekm/docs/

  2. Cloud Key Management Service API reference: https://cloud.google.com/kms/docs/reference/rest/

  3. Fortanix DSM Getting Started: users-guide-getting-started-with-fortanix-data-security-manager-ui

  4. Advanced Encryption Standard (AES): https://www.researchgate.net/publication/317615794_Advanced_Encryption_Standard_AES_Algorithm_to_Encrypt_and_Decrypt_Data

  5. Enable billing in GCP: https://cloud.google.com/billing/docs/how-to/modify-project
