CMEK for Google Security Operations
This document outlines how to configure customer-managed encryption keys (CMEK) for Google Security Operations. Google SecOps encrypts customer data at rest by default using Google default encryption without any additional actions from you. However, for more control over encryption keys or when mandated by an organization, CMEK is available for Google SecOps instances.
CMEKs are encryption keys that you own, manage, and store in Cloud Key Management Service. Using CMEKs provides full control over encryption keys, including managing their lifecycle, rotation, and access policies. When you configure CMEK, the service automatically encrypts all data using the specified key. Learn more about CMEK.
Use CMEKs in Cloud KMS
To control your encryption keys, you can use CMEKs in Cloud KMS with CMEK-integrated services, including Google SecOps, as follows:
- You manage and store these keys in Cloud KMS.
- Data in the Google SecOps Data Lake is encrypted at rest.
- When you configure your Google SecOps instance with a CMEK, it uses the selected Cloud KMS key to encrypt data at rest within the Data Lake.
- Using CMEK with Cloud KMS may incur additional costs, depending on your usage patterns. Learn more about Cloud KMS pricing.
CMEK support by region
The following regions support CMEKs:
- europe-west3 (Frankfurt, Germany)
- europe-west12 (Turin, Italy)
Enable CMEK
The following steps outline the high-level process to onboard CMEK with Google SecOps:
- Provision a Google SecOps instance: accept the provisioning invitation to begin. The Google SecOps team handles the specialized configuration and integration.
- Create a Cloud KMS key in the region where you plan to host your instance.
- Create a new Google SecOps instance and select the CMEK key you created in Step 2. You'll be prompted to grant Google SecOps access to this key during instance creation.
- Optional: Schedule a key rotation for each key. We recommend this practice to minimize the impact of a potential key compromise.
Once you've completed onboarding, you no longer need to provide a key using API or UI for that instance.
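Steps 2 and 4 above, as an added example that is not part of the Google SecOps documentation: a small shell script that refuses unsupported regions, creates the key ring and a symmetric key with a 90-day rotation schedule in Cloud KMS, and prints the key resource name you select when creating the instance. It assumes the gcloud CLI is installed and authenticated; the project, key ring, key name and rotation timestamp are placeholders.

```shell
#!/bin/sh
# Added example (not from the Google SecOps documentation): create the Cloud KMS
# key that a CMEK-enabled Google SecOps instance will use. Project, key ring and
# key names, and the rotation schedule are placeholders you would replace.
set -eu

# Regions the documentation lists as supporting CMEK for Google SecOps.
CMEK_REGIONS="europe-west3 europe-west12"

# Succeed only when REGION is one of the supported CMEK regions, so the key is
# never created somewhere the SecOps instance cannot be hosted.
cmek_region_supported() {
  region="$1"
  for r in $CMEK_REGIONS; do
    [ "$r" = "$region" ] && return 0
  done
  return 1
}

# Fully qualified key resource name, the value you select when creating the
# Google SecOps instance. Arguments: PROJECT REGION KEYRING KEY.
cmek_key_resource() {
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s\n' "$1" "$2" "$3" "$4"
}

# Create the key ring and a symmetric encryption key with a 90-day automatic
# rotation schedule (the optional step the documentation recommends).
# Arguments: PROJECT REGION KEYRING KEY NEXT_ROTATION (RFC 3339 timestamp).
# Set DRY_RUN=1 to print the gcloud commands instead of executing them.
provision_cmek_key() {
  project="$1"; region="$2"; ring="$3"; key="$4"; next_rotation="$5"
  if ! cmek_region_supported "$region"; then
    echo "region $region does not support CMEK for Google SecOps" >&2
    return 1
  fi
  run=""
  [ "${DRY_RUN:-0}" = "1" ] && run="echo"
  $run gcloud kms keyrings create "$ring" --project "$project" --location "$region"
  $run gcloud kms keys create "$key" --project "$project" --location "$region" \
    --keyring "$ring" --purpose encryption \
    --rotation-period 90d --next-rotation-time "$next_rotation"
  # Print the resource name to paste into the instance-creation wizard, which
  # then prompts you to grant Google SecOps access to this key.
  cmek_key_resource "$project" "$region" "$ring" "$key"
}
```

Run with `DRY_RUN=1` first to review the exact gcloud invocations before any key material is created.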
Key management
You manage your keys using Cloud KMS. Google SecOps can't detect or act on any key changes until they're propagated by Cloud KMS. While permission changes are typically quick, significant changes, such as disabling or deleting a key, can take up to four hours to take effect in Google SecOps. Learn more about Cloud KMS and Cloud KMS Service Level Objectives.
When you disable your CMEK key, Google SecOps loses access to your data and can no longer process it. This means that Google SecOps can't read, write, or update existing data, and it can't ingest any new data. If you don't re-enable the key, the data will be deleted after 30 days. When you re-enable the key, Google SecOps automatically starts ingesting and processing any new data that arrived since the key was disabled.
Google SecOps supports two types of key management:
- Create a Cloud KMS Key (recommended)
- Use the Cloud External Key Manager (Cloud EKM). Using Cloud EKM keys may affect availability because they rely on external systems.