Supporting compliance with key management
=========================================

This page provides information about supporting compliance with key management
using encryption for Assured Workloads.

Overview
--------

[Encryption key management](/assured-workloads/docs/encryption-keys) is
fundamental to supporting regulatory compliance of Google Cloud resources.
Assured Workloads supports compliance through encryption in the
following ways.

**CJIS, ITAR, and IL5:** Mandated customer-managed keys and separation of duties:

- **CMEK**: Assured Workloads mandates the use of customer-managed encryption keys (CMEK) to support these control packages.
- **Key management project**: Assured Workloads creates a key management project to align with NIST 800-53 security controls. The [key management project](/assured-workloads/docs/key-concepts#key_management) is separated from resource folders to establish [separation of duties](/kms/docs/separation-of-duties) between security administrators and developers.
- **Key ring**: Assured Workloads also creates a [key ring](/kms/docs/resource-hierarchy#key_rings) to store your keys. The CMEK project restricts key ring creation to the compliant locations that you select. After the key ring is created, you manage creating or importing encryption keys. Strong encryption, key management, and separation of duties all support positive security and compliance outcomes on Google Cloud.

| **Note:** After Assured Workloads creates the key ring, you must [create your CMEK key](/assured-workloads/docs/create-and-obtain-cmek). Unless your control package mandates a certain encryption key strategy, you can use any Google key management service, including Cloud Key Management Service, Cloud External Key Manager, or CMEK. You can also use default [Google-owned and Google-managed encryption keys](/assured-workloads/docs/storage/docs/encryption/default-keys), which are FIPS validated.

**Other control packages (including IL4):** Google-owned and Google-managed encryption keys and other
encryption options:

- [Google-owned and Google-managed encryption keys](/storage/docs/encryption/default-keys) provide on-by-default, FIPS 140-2 validated encryption in transit and at rest to all Google Cloud services.
- [Cloud Key Management Service (Cloud KMS)](/kms/docs): Assured Workloads supports Cloud KMS. Cloud KMS covers all Google Cloud products and services by default, providing FIPS 140-2 validated encryption in transit and encryption at rest.
- [Customer-managed encryption keys (CMEK)](/kms/docs/cmek): Assured Workloads supports CMEK for control packages such as IL4, for which CMEK is optional.
- [Cloud External Key Manager (Cloud EKM)](/kms/docs/ekm): Assured Workloads supports Cloud EKM.
- [Key import](/kms/docs/importing-a-key)

Encryption strategies
---------------------

This section describes Assured Workloads encryption strategies.

### Assured Workloads CMEK creation

| **Note:** Assured Workloads only provides configuration guidance for CMEK when you select the CJIS control package.

CMEK lets you have advanced controls over your data and key management by
enabling you to manage your complete key lifecycle, from creation to
deletion. This capability is critical to supporting cryptographic erase
requirements in the [Cloud Computing SRG](https://rmf.org/wp-content/uploads/2018/05/Cloud_Computing_SRG_v1r3.pdf).

Services
--------

### CMEK-integrated services

CMEK covers the following services, which store customer data for CJIS.

- [Cloud Storage](/storage)
- [Persistent Disk](/persistent-disk)
- [BigQuery](/bigquery)

| **Note:** After you set up CMEK, the resource ID of the key(s) you create in the CMEK project must be shared with developers working in the Assured Workloads resource folder(s). Today, CMEK integration is limited to the in-scope services that support CMEK capabilities.

#### Other services: Custom key management

For services that aren't integrated with CMEK, or for customers whose control
packages don't require CMEK, Assured Workloads customers have the
option to use Google-managed [Cloud Key Management Service](/kms) keys. This option is offered
to provide customers with additional key management options that fit
your organizational needs. Today, CMEK integration is limited to the
[in-scope services](/kms/docs/using-other-products#cmek_integrations) that
support CMEK capabilities. Google-managed KMS is an acceptable encryption method
because it covers all Google Cloud products and services by default, providing
[FIPS 140-2 validated](/security/compliance/fips-140-2-validated) encryption in
transit and at rest.

For other products supported by Assured Workloads, see
[Supported products by control package](/assured-workloads/docs/supported-products).

Key management roles
--------------------

Administrators and developers typically support compliance and security best
practices through key management and
[separation of duties](/kms/docs/separation-of-duties). For example, while
developers might have access to the Assured Workloads resource folder,
administrators have access to the CMEK key management project.

### Administrators

Administrators typically control access to the encryption project and
the key resources within it. Administrators are responsible for allocating
key resource IDs to developers to encrypt resources. This practice separates
the management of keys from the development process and gives security
administrators the ability to manage encryption keys centrally in the CMEK
project.

Security administrators can use the following encryption key strategies with
Assured Workloads:

- [Cloud KMS](/kms/docs)
- [Customer-managed encryption keys (CMEK)](/kms/docs/cmek)
- [Cloud External Key Manager (Cloud EKM)](/kms/docs/ekm)
- [Key import](/kms/docs/importing-a-key)

| **Note:** It is recommended that you create resources in the Assured Workloads resource project and not in the key management project.

### Developers

During development, when you provision and configure in-scope Google Cloud
resources that require a CMEK encryption key, you request the resource ID of the
key from your administrator. If you don't use CMEK, we recommend that you use
Google-owned and Google-managed encryption keys to ensure data is encrypted.

The request method is determined by your organization as part of your documented
security processes and procedures.

What's next
-----------

- Learn how to [create an Assured Workloads folder](/assured-workloads/docs/create-folder).
- Learn which [products are supported](/assured-workloads/docs/supported-products) for each control package.
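The administrator/developer handoff described above (the administrator allocates a key resource ID from the key management project, the developer uses it when provisioning an in-scope resource) is a natural place for an automated guard. The following is an added example, not code from the Assured Workloads documentation or from Google: a small Python check that a developer's provisioning pipeline can run on the resource ID it receives before using it, verifying that the ID is a well-formed Cloud KMS CryptoKey resource name, that the key lives in the separate key management project rather than the resource project, and that the key ring sits in one of the compliant locations selected for the workload. The project IDs, key ring and key names, and the location allow-list are constructed placeholders, not values from the page; the resource name layout `projects/.../locations/.../keyRings/.../cryptoKeys/...` is the standard Cloud KMS format.

```python
"""Guard for CMEK key resource IDs handed from administrators to developers.

Added example (not the documentation's own code). All project IDs, key names
and the compliant-location list are constructed placeholders.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Standard Cloud KMS CryptoKey resource name, with an optional version suffix.
_KEY_NAME = re.compile(
    r"^projects/(?P<project>[a-z][a-z0-9-]{4,28}[a-z0-9])"
    r"/locations/(?P<location>[a-z0-9-]+)"
    r"/keyRings/(?P<key_ring>[a-zA-Z0-9_-]{1,63})"
    r"/cryptoKeys/(?P<key>[a-zA-Z0-9_-]{1,63})"
    r"(?:/cryptoKeyVersions/(?P<version>[0-9]+))?$"
)

# Constructed placeholders standing in for the values an organisation would
# record in its documented security procedures.
KEY_MANAGEMENT_PROJECT = "kms-project-placeholder"      # where keys live
RESOURCE_PROJECT = "workload-project-placeholder"       # where resources live
COMPLIANT_LOCATIONS = frozenset({"us-central1", "us-east4"})  # selected for the workload


@dataclass(frozen=True)
class CmekKey:
    project: str
    location: str
    key_ring: str
    key: str
    version: str | None


def parse_key_name(name: str) -> CmekKey:
    """Parse a CryptoKey (or CryptoKeyVersion) resource name or raise ValueError."""
    m = _KEY_NAME.match(name)
    if m is None:
        raise ValueError(f"not a Cloud KMS CryptoKey resource name: {name!r}")
    return CmekKey(**m.groupdict())


def check_cmek_key(
    name: str,
    key_project: str = KEY_MANAGEMENT_PROJECT,
    resource_project: str = RESOURCE_PROJECT,
    compliant_locations: frozenset[str] = COMPLIANT_LOCATIONS,
) -> list[str]:
    """Return the list of policy violations; an empty list means the key may be used."""
    try:
        key = parse_key_name(name)
    except ValueError as exc:
        return [str(exc)]

    problems: list[str] = []
    # Separation of duties: keys must come from the key management project,
    # never from the project developers provision resources in.
    if key.project == resource_project:
        problems.append(
            f"key is in the resource project {resource_project!r}; "
            "keys must live in the separate key management project"
        )
    elif key.project != key_project:
        problems.append(
            f"key is in project {key.project!r}, expected the key management "
            f"project {key_project!r}"
        )
    # The key ring must be in a location the control package allows.
    if key.location not in compliant_locations:
        problems.append(
            f"key ring location {key.location!r} is not one of the compliant "
            f"locations {sorted(compliant_locations)}"
        )
    return problems


# Constructed sample IDs, as an administrator might hand them to a developer.
GOOD_KEY = (
    "projects/kms-project-placeholder/locations/us-central1"
    "/keyRings/aw-ring/cryptoKeys/bucket-key"
)
WRONG_LOCATION_KEY = (
    "projects/kms-project-placeholder/locations/europe-west1"
    "/keyRings/aw-ring/cryptoKeys/bucket-key"
)
RESOURCE_PROJECT_KEY = (
    "projects/workload-project-placeholder/locations/us-central1"
    "/keyRings/aw-ring/cryptoKeys/bucket-key"
)

if __name__ == "__main__":
    for candidate in (GOOD_KEY, WRONG_LOCATION_KEY, RESOURCE_PROJECT_KEY, "bucket-key"):
        print(candidate, "->", check_cmek_key(candidate) or "OK")
```

The check is deliberately independent of any Google API client so it can run in CI before a resource is created; the provisioning step that follows would pass the validated ID through as the resource's CMEK setting, exactly as the developer section describes.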