Overview
Introduction
The goal of the solution is to integrate Google Workspace Client-Side Encryption (CSE) with the internal Key Management Service (Oten KMS) platform through a single Key Access Control Layer Service (KACLS). The solution enables:
Full control of the key lifecycle (create, wrap, unwrap, rewrap).
Separation of encryption policies by org, workspace, group, and user.
Multi-tenant isolation without requiring multiple integration links in Google Admin.
Who holds the key to your data?
When you use Google's Client-Side Encryption (CSE) feature, you are applying an additional layer of security to your data. Think of it this way:
Google's Role: Provides the "house" (Docs, Sheets, Slides) and handles the actual data encryption using DEKs.
Your Role: Maintain ultimate control through Oten KMS, which manages your CMKs.
DEK (Data Encryption Key): A unique key generated by Google for each document.
CMK (Customer Master Key): Your master key, managed in Oten KMS, that protects all DEKs.
Google never has access to this "master key," ensuring that only your company can control the decryption of sensitive data.
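As an added illustration (not code from this page or from the Oten KMS project), the wrap/unwrap path through a single KACLS in Python: a hypothetical KMS stub holds one CMK per tenant and never exports it, the KACLS checks the caller's org policy before routing to that tenant's CMK, and the wrapped DEK is authenticated against the tenant and resource it belongs to, so a blob cannot be unwrapped under another tenant's key or for another document. The HMAC-based keystream stands in for the AES key wrapping a real KMS would use; the tenant names, users and user-to-org policy are constructed.

```python
import hmac, hashlib, secrets

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream (illustrative stand-in for AES key wrap)
    out = b"".join(hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                   for i in range((n + 31) // 32))
    return out[:n]

class KmsStub:
    """Hypothetical stand-in for Oten KMS: one CMK per tenant, never exported; only wrap/unwrap."""
    def __init__(self, orgs):
        self._cmks = {f"cmk-{org}": secrets.token_bytes(32) for org in orgs}
    def wrap(self, cmk_id: str, dek: bytes, aad: bytes) -> bytes:
        key, nonce = self._cmks[cmk_id], secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(dek, _stream(key, nonce, len(dek))))
        tag = hmac.new(key, b"mac" + aad + nonce + ct, hashlib.sha256).digest()  # binds tenant/resource
        return nonce + ct + tag
    def unwrap(self, cmk_id: str, blob: bytes, aad: bytes) -> bytes:
        key = self._cmks[cmk_id]
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expect = hmac.new(key, b"mac" + aad + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise PermissionError("authentication failed: wrong CMK or mismatched tenant/resource")
        return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class Kacls:
    """Single KACLS endpoint: checks the caller's policy, then routes to that tenant's CMK."""
    def __init__(self, kms: KmsStub, user_org: dict):
        self.kms, self.user_org = kms, user_org
    def _cmk_for(self, user: str, org: str) -> str:
        if self.user_org.get(user) != org:
            raise PermissionError(f"{user} is not authorized for tenant {org}")
        return f"cmk-{org}"
    def wrap(self, dek: bytes, user: str, org: str, resource: str) -> bytes:
        return self.kms.wrap(self._cmk_for(user, org), dek, f"{org}/{resource}".encode())
    def unwrap(self, blob: bytes, user: str, org: str, resource: str) -> bytes:
        return self.kms.unwrap(self._cmk_for(user, org), blob, f"{org}/{resource}".encode())

def demo():
    kacls = Kacls(KmsStub(["acme", "globex"]), {"alice@acme": "acme", "bob@globex": "globex"})
    dek = secrets.token_bytes(32)  # per-document DEK (constructed; Google generates the real one)
    blob = kacls.wrap(dek, "alice@acme", "acme", "doc-123")
    same_tenant_ok = kacls.unwrap(blob, "alice@acme", "acme", "doc-123") == dek
    try:  # a user from another tenant is stopped by policy before any CMK is touched
        kacls.unwrap(blob, "bob@globex", "acme", "doc-123")
        cross_tenant_blocked = False
    except PermissionError:
        cross_tenant_blocked = True
    return same_tenant_ok, cross_tenant_blocked
```

Calling `demo()` returns `(True, True)`; a blob presented under the wrong CMK or for a different resource also fails the authentication check, not only the policy check.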