Client-side Encryption: Enhancing Data Protection with Google Workspace

abhishekmehta

Hi everyone, 

I am back again with yet another blog. This time it’s on data security.

Imagine you're the Project Manager at a prominent global defense company, spearheading a highly sensitive project. Your organization utilizes Google Workspace, and you need to safeguard project files stored in Google Drive, ensuring only authorized individuals can access them. Even if hackers breach the system, they must not be able to decrypt these files.

The most secure solution lies in holding the encryption and decryption keys yourself, effectively barring anyone, including Google servers, from accessing your data.

Just like you, other organizations also want granular control over the privacy and security of their sensitive data. As businesses rely more heavily on cloud-based services to store and manage data, the need for robust security measures has become paramount.

Google Workspace, a suite of cloud-based productivity and collaboration tools, offers a comprehensive set of security features, including Client-side encryption (CSE).

Before we jump into the details, let’s understand different terminologies.

CSE – Client-Side Encryption
With Google Workspace Client-side encryption (CSE), file encryption is handled in the client's browser before the file is stored in cloud storage. That way, Google servers cannot access your encryption keys and therefore cannot decrypt your data. To use CSE, you need to connect Google Workspace to an external encryption key service.

Key Access Control List Service (KACLS)
Your external key service, which implements the KACLS API to control access to encryption keys stored in a system outside Google.

Identity Provider (IdP)
The service that authenticates users before they can encrypt files or access encrypted files.

Data Encryption Key (DEK)
The key used by Google Workspace in the browser client to encrypt the data itself.

Key Encryption Key (KEK)
A key from your service used to encrypt a Data Encryption Key (DEK).

Access Control List (ACL)
A list of users or groups that can open or read a file.

What is Client-side Encryption?


In very simple words, Client-side encryption (CSE) is a data security technique that encrypts data on the user's device before it is transmitted to and stored on the cloud server.

In CSE, as the name suggests, the encryption and decryption processes are handled entirely on the user's device or browser (the client side). The encryption keys used to encrypt and decrypt the data are stored in a customer-managed environment outside Google's boundary. This ensures that Google servers never have access to the unencrypted data or to the encryption keys.

This means that the data remains encrypted throughout the entire transmission process, ensuring that it is protected from unauthorized access even if the server is compromised.

How does encryption in CSE work?

Let's try to understand how CSE works in Google Workspace using the diagram below.

[Diagram: encryption flow in Google Workspace CSE]

Step 1: The Google Workspace client, running in the user's browser, encrypts the file with a DEK.

Step 2: Once the file is encrypted with the DEK, the user is redirected to the Identity Provider for authentication.

Step 3: After the user authenticates successfully, the DEK is encrypted (wrapped) with the KEK. The KEK is managed by the customer, so Google has no access to it and cannot decrypt the data, and each file requires user authentication before it can be decrypted.

Step 4: Once the DEK has been wrapped with the KEK, the encrypted file is stored in Google Drive.

So as you can see, Steps 2 and 3 take place outside Google's boundary, and hence your data cannot be decrypted by Google.

How does decryption in CSE work?

Let's try to understand how decryption works in CSE using the diagram below.

[Diagram: decryption flow in Google Workspace CSE]

Step 1: To access the file, the user's client requests that the KACLS decrypt (unwrap) the DEK, which was encrypted with the KEK in an earlier step.

Step 2: To ensure that only the right user can make a request to the KACLS, the user first has to authenticate with the IdP.

Step 3: Once authentication is complete, the IdP issues an authentication token, and the request to the KACLS to decrypt the DEK is sent along with that token.

Step 4: When the KACLS receives the request, it verifies the authentication token and checks whether this user is allowed to decrypt the data. If so, it decrypts the DEK and returns it to the client, which then decrypts the file so the user can access it.

As the diagram above shows, Google has no access to the IdP or to the external key service that stores the encryption keys, so Google servers cannot access the user's files.

Also, since all cryptographic operations are done on the client side (the user's browser), an attacker who intercepts data in transit over the internet or between Google data centers gets nothing but scrambled data, which can only be deciphered by users in possession of the secret key.

Tell me more

Google CSE takes a momentous leap towards helping customers meet data sovereignty and compliance needs with zero impact on end-user experience. The product is built around the following principles:

  • Complete control over encryption keys: To use Google CSE, customers need to set up an encryption key access service with an external key manager that complies with the CSE requirements.
  • No access to plain-text content: Your Google Workspace data is encrypted in the browser before it is sent to Google servers. If Google needs access to this data, it requires explicit customer authorization on a per-file basis.
  • Minimized impact on user experience: This feature does not intrude on or alter the end-user experience. It is important to note that CSE applies this additional layer of encryption to file content only. Most of the metadata, including file names, labels, and the access control list, remains available to Google for running the service.

Client-side encryption is available for eligible Google Workspace customers (Enterprise Plus, Education Standard, and Education Plus), who can deploy CSE for their entire organization or for a set of users within their organization.

Currently, Google Workspace supports CSE for the following services for customers with an Enterprise Plus, Education Standard, or Education Plus subscription:

  • Gmail
  • Google Drive
  • Google Meet
  • Google Calendar

Hope this has given you a quick understanding of how CSE works in Google Workspace. If you have any questions, please leave a comment below.

Thanks for reading!
