Hi everyone,
I am back again with yet another blog. This time it’s on data security.
Imagine you're the Project Manager at a prominent global defense company, spearheading a highly sensitive project. Your organization utilizes Google Workspace, and you need to safeguard project files stored in Google Drive, ensuring only authorized individuals can access them. Even if hackers breach the system, they must not be able to decrypt these files.
The most secure solution lies in holding the encryption and decryption keys yourself, effectively barring anyone, including Google servers, from accessing your data.
Just like you, other organizations also want granular control over the privacy and security of their sensitive data. As businesses rely more heavily on cloud-based services to store and manage data, the need for robust security measures has become paramount.
Google Workspace, a suite of cloud-based productivity and collaboration tools, offers a comprehensive set of security features, including Client-side encryption (CSE).
Before we jump into the details, let’s understand different terminologies.
CSE – Client-Side Encryption
With Google Workspace Client-side encryption (CSE), file encryption is handled in the client's browser before the file is stored in cloud storage. That way, Google servers cannot access your encryption keys and, therefore, cannot decrypt your data. To use CSE, you'll need to connect Google Workspace to an external encryption key service.
Key Access Control List Service (KACLS)
Your external key service, which uses the KACLS API to control access to encryption keys stored in a system outside Google.
Identity Provider (IdP)
The service that authenticates users before they can encrypt files or access encrypted files.
Data Encryption Key (DEK)
The key used by Google Workspace in the browser client to encrypt the data itself.
Key Encryption Key (KEK)
A key from your service used to encrypt a Data Encryption Key (DEK).
Access Control List (ACL)
A list of users or groups that can open or read a file.
In very simple words, Client-side encryption (CSE) is a data security technique that encrypts data on the user's device before it is transmitted to and stored on the cloud server.
In CSE, as the name suggests, the encryption and decryption processes are handled entirely on the user's device/browser (the client side). The encryption keys used to encrypt and decrypt the data are also stored in a customer-managed environment outside Google's boundaries. This ensures that Google servers never have access to the unencrypted data or to the encryption keys.
This means that the data remains encrypted throughout the entire transmission process, ensuring that it is protected from unauthorized access even if the server is compromised.
Let's try to understand how CSE works in Google Workspace using the diagram below.
Step 1: File is encrypted with DEK by Google.
Step 2: Once the data is encrypted using the DEK, the user is redirected to the Identity Provider for authentication.
Step 3: After the user authenticates successfully, the KEK is used to encrypt the DEK. The KEK is managed by the customer, which means Google does not have access to the KEK and cannot decrypt the data; user authentication is required for each file before it can be decrypted.
Step 4: Once the KEK has encrypted the DEK, the encrypted file is stored in Google Drive.
So, as you can see, Steps 2 and 3 happen outside Google's boundaries, and hence your data can't be decrypted by Google.
Let's try to understand how decryption works in CSE using the diagram below.
Step 1: To access the file, the user makes a request to the KACLS to decrypt the DEK that was encrypted with the KEK in the earlier step.
Step 2: To ensure only the right user can make a request to the KACLS, the user first has to authenticate with the IdP.
Step 3: Once authentication is complete, the IdP issues an authentication token, and the request to the KACLS to decrypt the DEK is made along with that token.
Step 4: Once the KACLS receives the request, it checks whether this user is allowed to decrypt the data; once the authentication token is verified, the KACLS decrypts the DEK so that the user can access the file.
As we can see in the above diagram, Google has no access to the IdP or to the external key service used to store the encryption keys, so Google servers cannot access the user's files.
Also, since all operations are done on the client side (the user's browser), if an attacker tries to intercept data travelling over the internet or across Google data centers, they get nothing but scrambled data that can only be deciphered by users in possession of the secret key.
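To make the two flows above concrete, here is an added example (not Google's code and not the real KACLS API) that models the same envelope-encryption pattern in one Go program: the client generates a DEK and encrypts the file locally, a stand-in KACLS holding the customer-managed KEK wraps the DEK, and on the way back the KACLS unwraps the DEK only after checking a constructed IdP token and the resource's ACL. The `Kacls` type, the token map, the user names and the resource names are all hypothetical; the binding of the resource name as GCM associated data is a design choice of this example, added so a wrapped DEK cannot be replayed against a different file.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Kacls is an in-process stand-in for an external key access control list
// service (hypothetical, not Google's API). It holds the customer-managed KEK
// and decides, per request, whether a caller may wrap or unwrap a DEK.
type Kacls struct {
	kek    []byte                     // 32-byte KEK; never leaves this struct
	tokens map[string]string          // constructed IdP tokens: token -> user
	acl    map[string]map[string]bool // resource -> users allowed to open it
}

func NewKacls(tokens map[string]string, acl map[string]map[string]bool) (*Kacls, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &Kacls{kek: kek, tokens: tokens, acl: acl}, nil
}

// authorize verifies the IdP token, then checks the ACL for the resource.
func (k *Kacls) authorize(token, resource string) error {
	user, ok := k.tokens[token]
	if !ok {
		return errors.New("kacls: invalid or expired authentication token")
	}
	if !k.acl[resource][user] {
		return fmt.Errorf("kacls: %s is not on the ACL for %s", user, resource)
	}
	return nil
}

// Wrap encrypts a DEK under the KEK; the resource name is bound as
// associated data so the wrapped DEK is only valid for that file.
func (k *Kacls) Wrap(token, resource string, dek []byte) ([]byte, error) {
	if err := k.authorize(token, resource); err != nil {
		return nil, err
	}
	return seal(k.kek, []byte(resource), dek)
}

// Unwrap returns the DEK only for a valid token whose user is on the ACL.
func (k *Kacls) Unwrap(token, resource string, wrapped []byte) ([]byte, error) {
	if err := k.authorize(token, resource); err != nil {
		return nil, err
	}
	return open(k.kek, []byte(resource), wrapped)
}

// seal/open: AES-256-GCM, random 12-byte nonce prepended to the output.
func seal(key, aad, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, aad, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// StoredFile is what reaches Drive: ciphertext plus the wrapped DEK.
type StoredFile struct {
	Resource   string
	Ciphertext []byte
	WrappedDEK []byte
}

// ClientEncrypt runs in the browser: fresh DEK, encrypt locally, then ask the
// KACLS to wrap the DEK. Plaintext and raw DEK never leave the client.
func ClientEncrypt(k *Kacls, token, resource string, plaintext []byte) (*StoredFile, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, []byte(resource), plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := k.Wrap(token, resource, dek)
	if err != nil {
		return nil, err
	}
	return &StoredFile{Resource: resource, Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// ClientDecrypt: present the IdP token, have the KACLS unwrap the DEK, then
// decrypt locally. A caller outside the ACL gets an error, never a key.
func ClientDecrypt(k *Kacls, token string, f *StoredFile) ([]byte, error) {
	dek, err := k.Unwrap(token, f.Resource, f.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, []byte(f.Resource), f.Ciphertext)
}

func main() {
	// Constructed tokens and ACL for the demo.
	tokens := map[string]string{"tok-alice": "alice@example.com", "tok-bob": "bob@example.com"}
	acl := map[string]map[string]bool{"projects/demo/plan.docx": {"alice@example.com": true}}
	k, _ := NewKacls(tokens, acl)
	f, _ := ClientEncrypt(k, "tok-alice", "projects/demo/plan.docx", []byte("top secret plan"))
	pt, _ := ClientDecrypt(k, "tok-alice", f)
	_, denied := ClientDecrypt(k, "tok-bob", f)
	fmt.Printf("alice reads: %q; bob denied: %v\n", pt, denied)
}
```

Every decision point the post describes lives in `authorize`: an attacker holding only what is stored in Drive (the ciphertext and the wrapped DEK) has nothing to work with, and a valid user can be cut off simply by removing them from the ACL or revoking their token, with no re-encryption of the file.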
Google CSE takes a momentous leap towards helping customers meet data sovereignty and compliance needs with zero impact on end-user experience. The product is built around the following principles:
Client-side encryption is available for eligible Google Workspace customers (Enterprise Plus, Education Standard, and Education Plus), who can deploy CSE for their entire organization or for a set of users within their organization.
Currently, Google Workspace supports CSE for the suite of services listed below for customers with a Google Workspace Enterprise Plus, Education Standard, or Education Plus subscription.
Hope this has given you a quick understanding of how CSE works in Google Workspace. If you have any questions, please leave a comment below.
Thanks for reading!