
ASK: Is Google cloud “private”, can it store PII, does it mine data like gmail? - thinkloop
Can products like Cloud Spanner be used to store private information (PII) without additional apparatuses?
======
zues
This may be useful: [https://cloud.google.com/security/encryption-at-rest/default...](https://cloud.google.com/security/encryption-at-rest/default-encryption/)

~~~
thinkloop
Important piece of the puzzle (as of April 2017):

Google Cloud Platform encrypts customer content stored at rest, without any
action from the customer, using one or more encryption mechanisms, with the
following exceptions.

- Serial console logs from virtual machines in Google Compute Engine; this is
currently being remediated

- Core dumps written to local drives, when a process fails unexpectedly; this
is currently being remediated

- Debugging logs written to local disk; this is currently being remediated

- Temporary files used by storage systems; this is currently being remediated

- Some logs that may include customer content as well as customer metadata;
this is planned for remediation

This data is still protected extensively by the rest of Google’s security
infrastructure, and in almost all cases still protected by storage-level
encryption.

~~~
thinkloop
Google of course has the decryption keys; another important piece is their
policy on looking at data themselves.

~~~
dkoston
Not true if you bring your own disk encryption keys. AWS also allows you to
bring your own keys.

------
crazypyro
Side tangent, but DynamoDB encrypts at rest but only with AWS key management
(KMS), so they own the decryption keys.

~~~
krageon
I don't understand this. Why even mention it in that case? Is it just for
marketing reasons?

~~~
thinkloop
Wouldn't that be for exterior hacking purposes? The KMS likely has a stricter
security profile, and would be a second system that needs to be compromised to
gain access to the data.

