
Announcing general availability of Google Cloud CA Service



 

We are happy to announce the general availability of Certificate Authority Service from Google Cloud (Google Cloud CAS). Google Cloud CAS provides a highly scalable and highly available private CA to address the unprecedented growth in certificates in the digital world. This exponential growth comes from a perfect storm of conditions over the past few years that has produced almost a flywheel effect: the rise of cloud computing, the move to containers, the emergence of pervasive high-speed connectivity, and the proliferation of Internet-of-Things (IoT) and smart devices (see our whitepaper on this topic).


Since our public preview announcement in October, we have seen tremendous reception from the market and innovative use cases for the service from our customers. Here are some notable examples straight from our CAS customers:

"At Credit Karma, security is a top priority, and we always seek ways to improve our security posture. One area where we have been working with Google for more than a year now is the identity of our workloads and how we can leverage platform features to offload to cloud some of the time consuming tasks that our security and devops team need to run today. We are very happy with the progress that GCP has made in addressing our feedback and we believe CA Service is a fundamental piece of building a strong identity story in cloud, by cloud." - Jason Roberts, Security Engineer, Credit Karma

“Commerzbank AG takes security of our data very seriously. While Google Cloud Platform comes with a high level of built-in security controls, we had to further enhance those by enabling the highest security standards for data transport. This requires bringing trust into GCP based on Commerzbank owned certificates. Google understood our needs and invested in capabilities with Certificate Authority Service, empowering us to rely on our trusted certificates and security standards while providing fully automated and scalable certificate handling. This enables us to use GCE, GKE, and other authorized services to deliver products and value.” - Christian Gorke, Head of Cyber Center of Excellence, Commerzbank AG

“Building a secure and compliant PKI system is known to be a complex and costly endeavor, making it cost prohibitive for many regulated government transactions. With the help of GCP's Certificate Authority Service (CAS), Vitu Authority Trust’s digital signature service became the first authorized government digital signature service provider to deliver a fully digital car buying experience in the United States. GCP's Certificate Authority Service provided Vitu Authority Trust the highest level of compliance at an affordable rate, allowing Vitu Authority Trust to outsource the burden of digital certificate management to the cloud.” - Arash Nikoo, VP, Technical Operations, Vitu

The three most requested capabilities of CAS were as follows:

  1. The first and most desired feature of Google Cloud CAS for our customers is scale and availability. Scale here is measured as a) the number of certificates issued per second and b) the total number of certificates and CAs allowed per project. Availability is the SLA-backed uptime for certificate issuance, per region.
    When planning this product, we found that the most common customer problem was how to address machine and service identity during their cloud transformation. This is especially hard because most cloud workloads are far more ephemeral than the manually deployed systems customers run on premises (short-lived containers and microservices are good examples). The resulting certificate issuance volume puts huge and unpredictable demand on customers' existing CAs, which often cannot keep up. The last thing they want is for their identity infrastructure to become the scalability bottleneck as they dynamically scale out for special events: in retail, for example, Black Friday sales, where thousands of nodes and VMs are spun up to absorb the spike and rapidly torn down afterwards, rendering any investment made just to support Black Friday wasted.
    Another reason for renewed interest in scale was the move to a zero trust access model, which COVID-19 and work-from-home requirements accelerated. The need to manage devices across the internet created a new scale requirement for certificate enrollment, because each device has to be enrolled with a certificate before it can be secured over the internet.

  2. In addition to scale and availability, the second key benefit of Google Cloud CAS for our customers was savings compared to the cost of building an alternative solution. Such an endeavour requires purchasing Hardware Security Modules (HSMs), licensing the CA software, purchasing servers, securing multiple redundant locations for root key material, and then hiring a specialized PKI/DevOps team to operate the system at scale (high CapEx and OpEx).
    Customers told us they can only take on so many projects, so they have to choose carefully. CAs and certificates are an enabler for their business, which makes them a good candidate for freeing up the resources that would otherwise be spent solving the scale problem internally and reassigning them to more business-critical tasks, while accelerating the projects that use the service. Google Cloud CAS is backed by hardware security (HSM) without any direct customer involvement in HSM purchasing, provisioning and management. We saw customers cancel their HSM orders in response to the cost savings provided by Google Cloud CAS.

  3. Security was the third commonly quoted reason for considering Google Cloud CAS. A cloud CA that integrates seamlessly with other cloud services provides the most secure solution for cloud workloads, while freeing customers from having to keep CA software, hardware and firmware up to date.

Beyond the usual DevOps scenarios for CAS, our strategy of relying on Certificate Lifecycle Management partners (Venafi and AppViewX were launch partners for the public preview) to modernize traditional IT and on-premises CA deployments was well received. Customers see real value in moving their CA to the cloud to save on OpEx and CapEx, and see it as an opportunity to converge their CA story across both DevOps and traditional IT, with a single pane of glass for control and management. We heard many times that PKI teams were worried they had lost control over modern DevOps teams because they had no visibility into those teams' certificate operations. CAS can be the ideal way to fix that problem. Customers migrating to zero trust access models also found value in CAS.

Since our public preview, customers have asked us to expand our partner ecosystem so that their preferred partners can also work with CAS. We are happy to introduce three new members of our partner program: Keyfactor, Jetstack and Smallstep (which brings ACME support for CAS), who join our existing partners Venafi and AppViewX.

We also had some interesting and rather surprising scenarios brought to us by customers that we initially had not thought of as targets. Interestingly, most examples are from the IoT space. Small to midsize companies building IoT peripherals such as wireless chargers, USB devices, or cables reached out needing certificates. They do not want to invest in PKI and CAs, as it is not their core business and the economics do not make sense given their market size. CAS's pay-as-you-go model fits these scenarios well: it is easy to implement, operate, administer and grow.

These stories reassured us that we had made the right bets on features, though we acknowledge there were areas for improvement. We are lucky to have a very engaged set of customers providing great feedback and helping us identify product gaps. We truly appreciate it, as their feedback made the product much better at GA and resulted in several nice feature additions.

Before we enumerate all the new features, it is worth calling out two new industry-leading features of CAS at GA:

  • CA rotation (when a CA certificate is close to expiry) is hard and normally requires a disruptive cut-over from the expiring CA to the new one. Customers asked us to make the process completely seamless. In response, we are adding a new feature at GA called the CA pool, which lets a group of CAs serve the same incoming request queue. CA rotation is then achieved by adding a new CA to the pool and taking the old one out, without any changes to workloads or client code. Requests are also distributed uniformly across the CAs in the pool, allowing for increased issuance throughput. One caveat that applies to any rotation, pooled or not: relying parties must already trust the new CA's certificate before it starts issuing, and the old CA's certificate must stay in their trust stores until the last certificate it issued has expired.

  • More control over the certificate issuance policy was another commonly requested feature. With GA, we are enhancing our policies so that per-user-group policies can be defined. Admins can also define certificate templates that are applied to all issued certificates, overriding some or all of the parameters supplied in the certificate request.
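The following is an added example and is not part of the original post or of Google's CAS tooling: it reproduces the two points above locally with OpenSSL, standing in for a pool of two CAs, and shows the order of operations that keeps relying parties working through a rotation, together with a simple subject-based issuance check that stands in for a certificate template. All names (old-root, new-root, svc-a, svc-b, rogue), the "Example Corp" organization and the policy itself are assumptions made for this demo; in CAS the pool membership and the policy are managed by the service rather than by these functions.

```shell
#!/bin/sh
# Added illustration (not CAS's own tooling): CA-pool rotation and an issuance
# policy check, reproduced locally with OpenSSL. Names, subjects and the
# "Example Corp" policy are assumptions for this demo.

WORK="$(mktemp -d)"
CNF="$WORK/ca.cnf"

# Self-contained config so the demo does not depend on the system openssl.cnf.
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
O = Example Corp
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth,clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# make_root NAME: self-signed P-256 root CA, a stand-in for one CA in a pool.
make_root() {
  openssl req -x509 -new -config "$CNF" -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
    -nodes -sha256 -days 3650 -subj "/O=Example Corp/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# issue_leaf CA NAME ORG: build a CSR for NAME with organization ORG, then sign
# it with CA only if the issuance policy allows it. The policy (O must be
# "Example Corp", read back from the CSR rather than trusted from the caller)
# stands in for a CAS issuance policy or template. Prints "issued" or "denied".
issue_leaf() {
  ca="$1"; name="$2"; org="$3"
  openssl req -new -config "$CNF" -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -subj "/O=$org/CN=$name" -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
  csr_org="$(openssl req -in "$WORK/$name.csr" -noout -subject -nameopt sep_multiline,lname \
             | sed -n 's/^ *organizationName=//p')"
  if [ "$csr_org" != "Example Corp" ]; then echo denied; return 0; fi
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" \
    -CAcreateserial -sha256 -days 30 -extfile "$CNF" -extensions v3_leaf \
    -out "$WORK/$name.crt" >/dev/null 2>&1 && echo issued || echo failed
}

# verify_leaf NAME ROOT...: validate NAME's certificate against a trust bundle
# built from the listed roots, i.e. what a relying party currently trusts.
# Prints "trusted" or "untrusted".
verify_leaf() {
  leaf="$1"; shift
  : > "$WORK/bundle.pem"
  for r in "$@"; do cat "$WORK/$r.crt" >> "$WORK/bundle.pem"; done
  if openssl verify -CAfile "$WORK/bundle.pem" "$WORK/$leaf.crt" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# The rotation sequence in the order that keeps relying parties working:
#  1. pool = {old}; clients trust {old}
#  2. add new to the pool, but push new's certificate to clients first
#  3. issue from new; take old out of the pool
#  4. drop old from clients only after the last certificate it issued expires
rotation_demo() {
  make_root old-root
  echo "svc-a from old-root: $(issue_leaf old-root svc-a 'Example Corp'), $(verify_leaf svc-a old-root)"
  make_root new-root
  echo "svc-a with clients trusting both roots: $(verify_leaf svc-a old-root new-root)"
  echo "svc-b from new-root: $(issue_leaf new-root svc-b 'Example Corp'), $(verify_leaf svc-b old-root new-root)"
  echo "rogue CSR with O=Evil Corp: $(issue_leaf new-root rogue 'Evil Corp')"
  echo "svc-a if old-root is dropped from clients too early: $(verify_leaf svc-a new-root)"
}
rotation_demo
```

The last line of the demo output is the failure mode the caveat warns about: a certificate issued by the old CA is still valid, but a client that removed the old root before that certificate expired will reject it. The policy check shows the other half of the story: the pool decides which CA signs, while the template or policy decides whether the request is signed at all.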

Below is a summary of the rest of the new features and integrations that we are making available as part of GA:

  • We heard about configuration as code and the importance of Terraform support for configuring and managing Google Cloud CAS. We listened and added Terraform support for Google Cloud CAS.

  • We also heard of the huge demand for making sure cert-manager works with Google Cloud CAS. cert-manager, with more than 1.6 million downloads per day, is one of the most commonly used open source tools for automating certificate lifecycle management within Kubernetes environments. In response to this ask, we worked with Jetstack to create an integration with cert-manager.io.

  • We heard from customers that they love HashiCorp Vault as a policy engine and would like to continue using it with this new service. So we built a HashiCorp Vault plugin that lets Vault remain the source of policy while Google Cloud CAS acts as the certificate issuer.

  • Customers also requested a guided way to set up the product, so we are announcing the availability of a CAS Qwiklab.

In addition to the features and integrations above, we are also announcing the following updates as part of the GA release:

  • Pricing: Our pricing offers a simple pay-as-you-go model. For large-volume customers, we also provide subscription models to remove billing ambiguity when demand is unpredictable.

  • SLA: Our SLA is now publicly available and offers 99.9% availability per region for certificate creation.

  • More regions: We are happy to announce that CAS is available in many new regions, including São Paulo, Montréal, Frankfurt, London, Sydney, Mumbai, Tokyo, and many more.

  • Compliance: CAS is now included in our ISO 27001, 27017, 27018, SOC 1, SOC 2, SOC 3, BSI C5, and PCI audits. We are also working to include CAS in our FedRAMP audits. Additionally, CAS by default uses Google Cloud HSM for private key protection, which is FIPS 140-2 Level 3 validated.

Google Cloud CAS offers a virtually unbounded quota for the total number of issued certificates, at a rate that meets modern scale requirements and is backed by an enterprise-grade SLA, making customer-managed deployments very hard to justify. Start planning your transition to the cloud-ready CA platform that CAS enables.

Read more about CAS in our whitepapers (1) (2) and activate it here.








Anoosh Saboori
Product Manager

Anton Chuvakin
Head of Solutions Strategy

