Combining Both Methods (Recommended)

For the strongest security posture, combine both methods. When a Google CSE request arrives, it flows through two layers in sequence:

How It Works

  1. Layer 1 — Organization Routing Rules: Determines which Workspace handles the request (based on application, user email, request time).

  2. Layer 2 — CSE Key Selection Rules: Within that Workspace, determines which key (CMK) is used (based on similar conditions, scoped to the workspace).

If no Routing Rule matches → the Workspace Default Rule applies. If no Key Selection Rule matches → the Workspace Default Key is used.

Example: Multi-department with Per-user Key Assignment

Scenario: Acme Corp (@acme.com) wants:

  • Finance and Legal departments to use separate Workspaces.

  • Within Finance, the CFO uses a dedicated high-security key, while other Finance staff use the default key.

Setup:

  • Routing Rules (org level):

    • User email = alice@acme.com OR cfo@acme.com OR charlie@acme.com → route to Finance-Prod Workspace.

    • User email = bob@acme.com OR diana@acme.com → route to Legal-Prod Workspace.

  • Key Selection Rules (within Finance-Prod):

    • User email = cfo@acme.com → use Finance-Exec-Key.

    • Default Key: Finance-General-Key.

[Sequence diagram: CFO creating an encrypted Google Sheet]

[Sequence diagram: Regular Finance employee creating an encrypted Google Sheet (uses default key)]
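The two-layer evaluation for the Acme setup above, sketched as an added example (not the product's own code). The data model, the `resolve` function, first-match-wins ordering, and the `PLACEHOLDER-` names are assumptions; the workspace, key, and user names come from the scenario.

```python
# Added illustration, not product code. Assumes first match wins; rules match on email and app only.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    target: str                      # workspace name (layer 1) or key name (layer 2)
    emails: frozenset = frozenset()  # empty set matches any user
    app: Optional[str] = None        # None matches any application
    def matches(self, email, app):
        return (not self.emails or email in self.emails) and self.app in (None, app)

@dataclass
class Workspace:
    default_key: str
    key_rules: list = field(default_factory=list)

# Layer 1: organization routing rules from the Acme setup.
ROUTING = [
    Rule("Finance-Prod", frozenset({"alice@acme.com", "cfo@acme.com", "charlie@acme.com"})),
    Rule("Legal-Prod", frozenset({"bob@acme.com", "diana@acme.com"})),
]
DEFAULT_WORKSPACE = "PLACEHOLDER-Default-Workspace"  # constructed; the page names none

# Layer 2: key selection rules, scoped to each workspace.
WORKSPACES = {
    "Finance-Prod": Workspace("Finance-General-Key",
                              [Rule("Finance-Exec-Key", frozenset({"cfo@acme.com"}))]),
    "Legal-Prod": Workspace("PLACEHOLDER-Legal-Default-Key"),  # constructed
    DEFAULT_WORKSPACE: Workspace("PLACEHOLDER-Default-Key"),   # constructed
}

def resolve(email, app):
    """Return (workspace, key, fallbacks) for one /wrap or /unwrap request."""
    fallbacks = []
    ws_name = next((r.target for r in ROUTING if r.matches(email, app)), None)
    if ws_name is None:                      # no routing rule matched
        ws_name = DEFAULT_WORKSPACE
        fallbacks.append("routing-default")
    ws = WORKSPACES[ws_name]
    key = next((r.target for r in ws.key_rules if r.matches(email, app)), None)
    if key is None:                          # no key selection rule matched
        key = ws.default_key
        fallbacks.append("key-default")
    return ws_name, key, fallbacks

if __name__ == "__main__":
    for user in ("cfo@acme.com", "alice@acme.com", "bob@acme.com", "eve@acme.com"):
        print(user, resolve(user, "Google Drive"))
```

A non-empty `fallbacks` list is worth recording per request, since it shows the request was served by a default rather than by an explicit rule.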


Use Cases by Google Workspace App

Here is how the two layers apply to each Google CSE-supported application:

Google Drive (Docs, Sheets, Slides)

| Action | KACLS Operation | Layer 1: Routing Rules | Layer 2: Key Selection Rules |
|---|---|---|---|
| Create encrypted document | /wrap | Routes to Workspace | Selects which key encrypts it |
| Open encrypted document | /unwrap | Routes to Workspace | Selects which key decrypts it |

Share encrypted document: N/A (Google sharing). Recipient's access depends on their key rules when they open it.

Common scenario: An HR manager (hr-manager@acme.com) creates an encrypted Google Sheet with salary data. A Routing Rule matches the user's email and routes the request to the HR-Prod Workspace. A Key Selection Rule assigns the HR-Sensitive-Key for this user. When the CFO opens this file, the same two layers evaluate — routing to the correct workspace and selecting the correct key for decryption.

Google Meet

| Action | KACLS Operation | Layer 1: Routing Rules | Layer 2: Key Selection Rules |
|---|---|---|---|
| Start encrypted meeting | /wrap | Routes to Workspace | Selects which key encrypts the session |
| Join encrypted meeting | /unwrap | Routes to Workspace | Selects which key decrypts the session |
| View encrypted recording | /unwrap | Routes to Workspace | Selects which key decrypts the recording |

Common scenario: The board of directors holds an encrypted Google Meet. A Routing Rule matches executive emails (ceo@acme.com, cfo@acme.com) and routes them to Executive-CSE Workspace. A Key Selection Rule assigns Board-Meeting-Key when Application = Google Meet. Regular employees' requests route to a different workspace or fall back to the default key.

Google Calendar

| Action | KACLS Operation | Layer 1: Routing Rules | Layer 2: Key Selection Rules |
|---|---|---|---|
| Create encrypted event | /wrap | Routes to Workspace | Selects which key encrypts event details |
| View encrypted event details | /unwrap | Routes to Workspace | Selects which key decrypts event details |

Common scenario: The Legal team creates encrypted Calendar events for case strategy meetings. A Routing Rule matches Legal team emails (bob@acme.com, diana@acme.com) and routes them to Legal-Prod. A Key Selection Rule assigns Legal-Calendar-Key when Application = Google Calendar. Only users whose requests match the same key flow can view the full event details.
