Profile Applicability

  • Level 2

Description:

BigQuery automatically encrypts data at rest using Envelope Encryption with Google-managed cryptographic keys. However, for enhanced control over encryption, it is recommended to use Customer-Managed Encryption Keys (CMEK) to encrypt data encryption keys instead of the default Google-managed encryption keys.

Rationale:

Using CMEK provides organizations with greater control over encryption by allowing them to manage the keys used for encrypting data. This ensures compliance with stringent security policies and provides an additional layer of control and accountability. When CMEK is enabled, BigQuery handles the table and CMEK association, ensuring seamless encryption and decryption.
Note: Google does not store your keys or have access to data encrypted with CMEK. If you lose your key, data encrypted with it cannot be recovered.

Impact:

Using CMEK requires additional effort to create, protect, and manage encryption keys. This can result in higher operational overhead for key lifecycle management.

Default Value:

By default, BigQuery uses Google-managed keys for encrypting data at rest.

Audit Steps:

Using Google Cloud Console:

  1. Navigate to BigQuery under Analytics.

                   

  1. Select the project under SQL Workspace.

             

  1. Choose a dataset and select a table.

             

  1. Go to the Details tab.

         

  1. Under Table info, confirm the presence of the Customer-managed key field.

       

  1. Repeat this for each table in all datasets across all projects.

Using Google Cloud CLI:

List all datasets:

bq ls

Retrieve table details and verify the presence of kmsKeyName:

bq show <table_object>

Remediation Steps:

Using Google Cloud CLI:

To apply a Customer-Managed Encryption Key (CMEK) to an existing table:
Use the following command to copy the data, applying the CMEK in the process. If you are updating the same table, set the source and destination as identical:

bq cp --destination_kms_key <customer_managed_key> source_dataset.source_table destination_dataset.destination_table

Backout Plan:

Step 1: Revert Encryption to Google-Managed Keys

If CMEK encryption needs to be removed, create a new table without CMEK:

bq  cp source_dataset.source_table destination_dataset.destination_table

  • Drop the CMEK-encrypted table if needed.

Step 2: Notify Stakeholders

  • If rollback is required, inform data security teams about encryption adjustments.

Step 3: Restore from Backup (If Necessary)

  • If encryption issues persist, restore the table from a previous backup.

Step 4: Validate Rollback Success

  • Run the audit steps again to confirm that CMEK is no longer enforced (if intentional).

References:

  1. BigQuery Customer-Managed Encryption

CIS Controls:

Control

Description

IG 1

IG 2

IG 3

3.11 Encrypt Sensitive Data at Rest

Encrypt sensitive data stored on servers, applications, and databases using server-side or client-side encryption.


14.8 Encrypt Sensitive Information

Encrypt all sensitive information at rest using tools that require secondary authentication mechanisms separate from the operating system to access the data.