Blog Authors:
Akshay Dalal, Head of Regional Risk & Compliance, Middle East, Turkey & Africa
Mohammed Fawzi, Security & Compliance Lead
Quentin Gaumer, Security & Compliance Lead
Sultan Altukhaim, Head of Security and Compliance, Cloud CISO - Riyadh

In today's dynamic digital landscape, robust data protection is a critical imperative. For organizations operating in the Kingdom of Saudi Arabia (KSA), adhering to the National Cybersecurity Authority's (NCA) National Cryptographic Standards (NCS-1:2020) is essential for safeguarding national data, systems, and networks. This post highlights how Google Cloud's comprehensive encryption capabilities and security offerings empower you to meet and exceed these vital standards.

Google Cloud enables you to navigate the complexities of regulatory compliance. Our platform is engineered with security and privacy at its core, providing a powerful foundation to help you achieve compliance with stringent requirements like the NCS-1:2020.

Google Cloud's Foundational Commitment to Encryption and Security

At Google Cloud, security isn't just a feature; it's fundamental to everything we do. Our global infrastructure is built with multiple layers of defense, and encryption is a cornerstone of this approach. We continuously invest in cutting-edge encryption technologies to protect your data, both at rest and in transit.

Our commitment to the KSA market is further solidified by our alignment with local regulatory benchmarks. Google Cloud's Class C license in the Kingdom signifies our adherence to the NCA's rigorous security standards, providing a strong foundation for your compliance journey, particularly concerning the MODERATE (128-bit) and ADVANCED (256-bit) security levels defined in NCS-1:2020. Learn more about our KSA Class C Compliance.

How Google Cloud Helps Customers Meet National Cryptographic Standards

The NCS-1:2020 sets minimum acceptable cryptographic requirements for civilian and commercial purposes.
Google Cloud offers a suite of services designed to help you meet these mandates effectively. You can find the official document here: NCA National Cryptographic Standards (NCS-1:2020).

Let's explore how our solutions align with the key encryption-focused areas of NCS-1:2020:

1. Cryptographic Primitives and Schemes

NCS-1:2020 Requirement: Prescribes accepted symmetric and asymmetric primitives, and various cryptographic schemes including block cipher modes of operation, Message Authentication Codes (MAC), Authenticated Encryption with Associated Data (AEAD), Key Wrap Functions, and Key Derivation Functions (KDF). The standard specifies acceptable algorithms and key lengths for MODERATE and ADVANCED security levels.

How Google Cloud Helps:

Google Cloud services align directly with NCS-1:2020 by leveraging industry-standard, robust cryptographic primitives and schemes.

Symmetric Algorithms: We support widely accepted algorithms like AES (Advanced Encryption Standard), with key lengths of 128-bit and 256-bit, covering both MODERATE and ADVANCED levels as specified by the standard. Services like Cloud Storage and Compute Engine utilize AES-256 by default for data-at-rest encryption. While NCS-1:2020 also lists Camellia and Serpent as accepted block ciphers, Google Cloud HSM and Cloud KMS are standardized on AES. Explore Cloud KMS and our default encryption at rest solutions.
Asymmetric Algorithms: We support industry-standard asymmetric algorithms, including RSA with key lengths of at least 3072 bits for MODERATE, and Elliptic Curve Cryptography (ECC) with NIST P-256, P-384, and P-521 curves for both MODERATE and ADVANCED. These are crucial for secure key exchange and digital signatures, aligning with the standard's specified key lengths and curves. Learn more about our supported cryptographic algorithms.
Hash Functions: We adhere to the use of SHA-2 and SHA-3 families for hashing, ensuring data integrity as required by the standard.
Block Cipher Modes of Operation: Our encryption services, particularly within Cloud KMS, utilize secure modes such as Galois/Counter Mode (GCM), which is an AEAD scheme built on Counter Mode (CTR). This aligns with the standard's preference for secure modes.
Message Authentication Codes (MAC): Cloud KMS and Cloud HSM support HMAC signing including algorithms like HMAC-SHA256 and HMAC-SHA512.
Authenticated Encryption with Associated Data (AEAD): Our services primarily use AES-256-GCM for symmetric encryption, a recommended AEAD scheme under NCS-1:2020.
Key Wrap Functions: We support secure key wrapping mechanisms, essential for protecting cryptographic keys during transit and storage, aligning with NIST SP 800-38F and the standard's requirements.
Key Derivation Functions (KDF): Cloud KMS supports the core cryptographic primitives required to implement the Key Derivation Functions (KDFs) mandated by the standard. These are built on foundational operations like HMAC. Customers can implement the KDF logic within their application and call the Cloud KMS MacSign API to perform the underlying HMAC operations using a hardware-protected key. This approach provides the flexibility for implementation while ensuring the entire key derivation process is anchored to the FIPS 140-2 Level 3 security of Cloud HSM.

2. Cryptographic Key Lifecycle Management (KLM)

NCS-1:2020 Requirement: Mandates secure handling of cryptographic keys throughout their lifecycle – generation, storage, establishment, use, and destruction. This includes requirements for key protection, lifetime, and processes to ensure keys are not vulnerable to prediction or bias.

How Google Cloud Helps:

Google Cloud provides robust solutions for managing the entire key lifecycle securely.

Cloud Key Management Service (KMS) & Cloud HSM: These services offer a centralized platform for key management.
Keys are generated within a FIPS 140-2 Level 3 certified Hardware Security Module (HSM) boundary with Cloud HSM, ensuring they are protected against physical tampering and side-channel attacks. This directly addresses the NCS requirement for secure key generation and protection. Discover the power of Cloud HSM and Cloud KMS.
Protection Levels: Google Cloud offers different protection levels for your keys, allowing you to choose the best fit for your security and compliance needs. This includes keys protected by software (standard KMS) and keys protected by HSMs (Cloud HSM), providing varying degrees of security and tamper resistance. Learn more about our key protection levels.
FIPS 140-2 Level 3 Attestation: Cloud HSM's FIPS 140-2 Level 3 certification is a significant attestation of its security. This certification explicitly includes rigorous testing for resistance to physical tampering and side-channel attacks, directly meeting the NCS-1:2020's emphasis on hardware-based security and protection against such threats.
Key Protection and Lifetime: Cloud HSM enables longer key lifetimes for keys protected by hardware, supporting the standard's recommendations. Keys are designed to be non-exportable, which simplifies management and reduces theft risks, aligning with the standard's emphasis on key protection.
Key Usage and Control: Through granular IAM permissions, you retain exclusive cryptographic control over your keys. This model, where you dictate and audit all key operations, is recognized by compliance frameworks as providing the essential "sole control" required for sensitive workloads. Learn more about IAM for key management.
External Key Manager (EKM): For organizations that require managing their own encryption keys outside of Google Cloud's managed infrastructure, Google Cloud offers External Key Manager (EKM).
This allows you to use your on-premises or third-party key management solutions to protect data stored in Google Cloud, providing an additional layer of control and flexibility while still meeting stringent compliance requirements.
PQC signing algorithms: Google is actively engaged in the transition to Post-Quantum Cryptography (PQC), contributing to the standardization of algorithms like SPHINCS+ and CRYSTALS-Dilithium (ML-DSA) with NIST. Google is implementing these in products like Cloud KMS, which now offers quantum-safe digital signatures in preview. This multi-year effort includes hybrid deployments and open-sourcing implementations through libraries like BoringSSL and Tink, demonstrating a commitment to quantum-readiness and a smooth transition.

3. Commonly Used Cryptographic Protocols

NCS-1:2020 Requirement: Specifies requirements for prevalent cryptographic protocols such as IP Security (IPsec), Transport Layer Security (TLS), DNS Security (DNSSEC), Secure Shell (SSH), Bluetooth, UMTS/LTE/5G, WPA, and Kerberos. This includes accepted algorithms, versions, and configurations.

How Google Cloud Helps:

Google Cloud services inherently support and enforce secure protocols essential for data-in-transit protection.

TLS/SSL: All data transmitted to and from Google Cloud services is protected by TLS 1.2 or higher by default, ensuring secure communication channels. We actively encourage and support the adoption of TLS 1.3, aligning with the standard's emphasis on strong protocols. Explore our data encryption in transit solutions.
IPsec: Google Cloud's Virtual Private Cloud (VPC) network and VPN services utilize strong IPsec configurations that align with NCS-1:2020 requirements for secure network traffic.
SSH: Secure Shell access to Google Cloud resources adheres to secure SSH-2 protocols, with support for strong encryption and MAC algorithms as specified by the standard.
Other Protocols: While direct management of protocols like Bluetooth or UMTS/LTE/5G falls outside the scope of cloud infrastructure, the data processed and transmitted through Google Cloud services that interact with these technologies benefits from our underlying encryption and security measures, which are designed to meet rigorous cryptographic standards.

4. Public Key Infrastructure (PKI)

NCS-1:2020 Requirement: Outlines requirements for PKI, including algorithms for certificates (Root CA, Intermediate, End User), their validity, and the use of hash algorithms.

How Google Cloud Helps:

Google Cloud provides a secure foundation for PKI management.

Secure Key Storage for PKI: Cloud HSM is an ideal service for securely storing the private keys for Certificate Authorities (CAs), which is critical for managing certificate validity and revocation. Our Certificate Authority Service is built upon this principle, ensuring that the keys used for issuing and managing certificates meet the standard's requirements. Learn more about securing your PKI with Google Cloud using the Certificate Authority Service.
Algorithm Compliance: The cryptographic algorithms supported by Cloud HSM for digital signatures (e.g., ECDSA, RSA-PSS) and hashing (SHA-2, SHA-3) align with the NCS-1:2020 requirements for certificate generation, including the specified key lengths and algorithm strengths.

5. Audit and Monitoring

NCS-1:2020 Requirement: Emphasizes logging and monitoring of cryptographic operations, key management activities, and access to encrypted data.

How Google Cloud Helps:

Google Cloud provides comprehensive audit trails and monitoring capabilities.

Cloud Logging and Cloud Audit Logs: We capture detailed logs for all actions performed on Google Cloud resources, including critical operations within Cloud KMS and Cloud HSM. This provides the necessary visibility for audit and compliance, ensuring that all cryptographic activities are logged and can be reviewed as per the standard.
Explore Cloud Logging for detailed insights.
Security Command Center: This platform offers real-time security posture management, threat detection, and compliance monitoring, enabling you to identify and respond to any suspicious activities related to your encryption resources, thereby supporting the standard's monitoring requirements. Learn more about Security Command Center.

Partnering on Your Compliance Journey

Navigating regulatory compliance can be complex, but you don't have to do it alone. Google Cloud is dedicated to being your partner in achieving your compliance goals in KSA. Our robust encryption capabilities are designed to help you meet the stringent requirements of the National Cryptographic Standards (NCS-1:2020), providing peace of mind and a secure foundation for your digital transformation.

Next Steps:

Explore Google Cloud's Security Resources: Dive deeper into our comprehensive security and compliance offerings for the Kingdom of Saudi Arabia on our Google Cloud Compliance Resource Center.
Review Encryption Documentation: Familiarize yourself with the specific capabilities and best practices for using Cloud KMS and Cloud HSM.
Contact Your Google Cloud Account Team: Our Security experts are ready to discuss your specific encryption and compliance requirements and help you leverage Google Cloud effectively to meet the National Cryptographic Standards.

By working together, we can ensure your sensitive data is protected and your organization remains compliant with the National Cryptographic Standards for KSA.
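
The KDF approach described in section 1 (KDF logic in the application, each HMAC operation performed through Cloud KMS MacSign), as an added example that is not code from this post or from Google. HKDF-Expand (RFC 5869) is an assumed choice of KDF, since the post does not name one; `LocalHmacStandIn`, `derive_tenant_keys` and the labels are hypothetical, and the stand-in replaces the MacSign call so the code runs offline.

```python
import hashlib
import hmac
import math
from typing import Callable

HASH_LEN = 32  # HMAC-SHA256 output size in bytes


def hkdf_expand(mac: Callable[[bytes], bytes], info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) where the root key never leaves the key service.

    `mac` computes HMAC-SHA256 over its argument with a key the caller cannot
    read; in deployment it would wrap one Cloud KMS MacSign request.
    """
    if not 0 < length <= 255 * HASH_LEN:
        raise ValueError("length must be between 1 and 255 * HASH_LEN bytes")
    okm, block = b"", b""
    for counter in range(1, math.ceil(length / HASH_LEN) + 1):
        # T(i) = HMAC(key, T(i-1) || info || i): one remote call per block.
        block = mac(block + info + bytes([counter]))
        if len(block) != HASH_LEN:
            raise ValueError("MAC backend did not return an HMAC-SHA256 tag")
        okm += block
    return okm[:length]


class LocalHmacStandIn:
    """Constructed stand-in for the HSM-held key so the example runs offline."""

    def __init__(self, key: bytes):
        self._key = key
        self.calls = 0  # number of MAC requests, i.e. round trips to the service

    def sign(self, data: bytes) -> bytes:
        self.calls += 1
        return hmac.new(self._key, data, hashlib.sha256).digest()


def derive_tenant_keys(backend: LocalHmacStandIn) -> dict:
    # Distinct `info` labels yield independent keys from the same root key.
    return {
        "enc": hkdf_expand(backend.sign, b"tenant-42|aes-256-gcm", 32),
        "mac": hkdf_expand(backend.sign, b"tenant-42|hmac-sha256", 64),
    }


if __name__ == "__main__":
    demo = LocalHmacStandIn(b"\x11" * 32)  # constructed key, not a real secret
    for name, key in derive_tenant_keys(demo).items():
        print(name, key.hex())
```

Only the root HMAC key stays inside the HSM boundary in this design; the derived keys are returned to the application and have to be protected there.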
© 2025 Google. All rights reserved.