My name is nikhil and im a product manager at google cloud im joined here today with my colleague, luke camry and together. Well be walking you through one of the top questions we get from our customers. How can i keep my data private by using client side encryption for google drive before we dive into the details? Let us give you a quick overview of what client side. Encryption is client side. Encryption is a privacy focused feature available in beta to our enterprise plus customers. The product is built on three key principles. The first and foremost is to ensure that customers can manage and control their own encryption keys. In addition, they also manage their own identity service and the combination of key service and identity services are external to google boundaries. Second, customer data is encrypted before being uploaded to google workspace servers, which means that google has no visibility into plain text content at any point. In time, lastly, and most importantly, client side, encryption preserves the native user experience for drive, docs sheets and slides. This is important to maintain the collaboration using a web interface that workspace users have become accustomed to note that while we have announced the beta for google drive, we do plan to extend the client side. Encryption capabilities to other workspace applications as well lets talk about the high level admin setup steps that you would need to do in order to configure client side encryption for your environment step, one would be to choose your key service provider.
This is required to maintain the segregation of encryption keys and the data being encrypted. You can choose from a wide variety of vendors over here, like talus, flowcrypt, futurex or vertru, which gives you the choice and the flexibility for the deployment of your key service provider. Once your key service has been set up, you would have to configure an oidc compliant idp in order to facilitate the segregation of responsibilities. Well talk more about this as a part of the demo, as we get to that section. The third part is to make sure that you have defined or enabled client side encryption for a given ou or a given group. It allows flexibility so that, as an admin, you can control the deployment of this feature. Lastly, you can go in and look at the consumption of client side encryption through reports in your environment. You can also be assured that any surrounding use cases like vault or alerts are covered with client encryption as well. Lets switch over to the demo using the workspace admin console setup as an example, as you might recollect, the first step is to make sure that you can set up the external key service. You can navigate to the client side. Encryption section through security client set encryption portion of the workspace admin console and then head right into the first step, which is configuring your external key service. Now, in this case, i already have a key service configured in your scenario.
Once you have a key service configured, you would have to provide the url of the external key service and you can test the connection between the two entities. If you choose to once, the key service is set up. The next step is to make sure that you have your idp configuration pulled in appropriately. Here you get two options. You can either use a dot, well known for configuration or you can use the idp fallback settings. The pros and cons of each of the approach are documented in our help center articles, and i would encourage you to take a brief look now. In my scenario, i have a fallback idp configured by providing the client id the discovery, ui uri and defining the grant type that is applicable for my environment. Once you have set up the key service and the identity provider configurations, the last piece is generally making it available for your users. Now you can choose through the set of ous or groups depending on your preferences. This is a standard capability that comes along with most enterprise features that leverage the admin console. Once you have completed the configurations, you can now proceed and enable the end user experience for your users. Before i conclude the admin section, i wanted to walk you through the reports that are available that you can find under security, dashboard client side. Encryption here is an example of the files that were encrypted and uploaded over time.
In this scenario, you would also get a level of detailed telemetry with document id titles and the owners of the file, and you can export the file for your consumption or circulation. If you choose to do so. Similarly, you get a report for the file that were downloaded or decrypted by the end users over time, as well, with similar levels of telemetry for uh, for the files that have been downloaded now theres an extra piece of information here in case that is applicable for Your environment, which allows you to understand whether these downloads are happening from users within your domain or users outside your domain, which is an important vector to consider, as you share client side encrypted files externally. With that im going to hand it over to luke camry, who would now walk you through all the end user experience that comes along with client side encryption over to you, luke thanks. So much nikhil now lets talk about the end user experience for client side encryption now, while theres some future impact for dachshund drive cse, we focused on the three main principles of the user experience maintaining our cloud native editors that were famous for ensuring that external collaboration Is unhindered making sure that theres still mobile access that availability everywhere, that googles famous for all, while protecting your content, giving no visibility to google storing it end to end encrypted with keys that are stored in your hsm on prem or in another cloud provider? Now there is going to be some future impact working in such a confidential mode.
Real time, collaboration on the editors will show you. The alternative that weve put together for cse search is limited but thats still largely fine due to title owner and other search operations offline and then your admin scans are, of course, unavailable because google has no visibility into the content. But youll see now, when we switch over to the demo that these experience limitations are quite minimal relative to how normal this experience feels for any user whos familiar with doc sheets and slides, even though you can only work online and you dont have malware scans the Day to day, end user experience, which youll see here for one thing to note, these files coexist with all your other content in drive, but theyre all very clearly annotated as encrypted heres. One of our search examples where i just did an is encrypted search to find an example, cse document that some of my colleagues and i were working on, so you can see just like with normal google docs. We have some people in the document who are idle. Some who are active its the exact same sharing model that youre used to with google drive, and then, of course i can. You know, because i didnt see any notifications telling me to wait to edit. I know i can just go ahead and make changes to the document without interfering with anyone else. Our model here is unlimited, simultaneous read but with a singular write user at a given time.
But we have these helpful notifications in place to let you know when its your turn to write, theres, no locking and unlocking no checking in and checking out its meant to feel as similar to the regular google docs experience as possible. So i went in here and made some changes confirmed the sharing settings, which again, are exactly the same as with regular google drive, though, of course you will also need the key at the key in order to access, which is why we have that helpful warning there To let you know that anyone you share with will also need key access granted by your admin. I can still go into version history and see the changes that were made to the dock over time. And, of course, i can see my other collaborators jump in and out, and you know, the new collaborators that are joining will be told to wait to edit, because i was already here until i closed the document and then its their turn. And now this is supported for all file formats and drive in addition to doc sheets and slides. So your pdf any of your arbitrary binary files like this one here this har file, i i uploaded and then, since preview isnt enabled i have to download and decrypt to see it but thats very similar to the experience. Youd have working with normal binary files in drive, and then i can go through. We could open a dock a sheet or a slide lets go into a sheet here to give another flavor of the experience again with google sheets, just like with what you saw with google docs, its very similar to what users are used to working with, including some Of our basic intelligence features, you know whether thats uh suggested columns or a suggested filter for your data were really the long term goal with drive and editor cse is that we enable all of the functionality in doc sheets and slides that you need to get your Job done, while giving you the opportunity to exist in this mode that has the same level of confidentiality, same level of control that you had working with on prem software.
So really the target is unprecedented collaboration, given the limitations of this extremely compliant mode of working. So once again you know sharing out the file and then coming back here to see all my content again. So thanks so much for joining us today, um and if you want to learn more always visit cloud.google.com security and give the doc sheets and slides and drive encryption a shot.