Last, but certainly not least, let's go over encryption. Google Cloud encrypts customer data stored at rest by default, with no additional action required from users. The data is encrypted with a data encryption key, or DEK, which is an AES-256 symmetric key. The DEK itself is encrypted by Google using a key encryption key, or KEK. This is so that the DEK can be stored local to the encrypted data for fast decryption, with no visible performance impact to the user. To protect the KEKs, they are stored in Cloud KMS. The keys are rotated periodically and automatically for added security.

This diagram shows a simple App Engine application that uses Cloud Storage. The data is encrypted using AES-256, using a DEK, and decrypted transparently to the application when the data is read.

Now, for compliance reasons, you may need to manage your own encryption keys rather than the automatically generated keys just discussed. In this scenario, you can use Cloud Key Management Service, or Cloud KMS, to generate what are known as customer-managed encryption keys, or CMEK. These keys are stored in Cloud KMS for direct use by cloud services. You can manually create the key using a dialog similar to the one shown here and specify the rotation frequency, which defaults to 90 days. The keys you create can then be used when creating storage resources, such as disks or buckets.

When you're required to generate your own encryption key or manage it on-premises, Google Cloud supports customer-supplied encryption keys, or CSEK. Those keys are kept on-premises and not in Google Cloud. The keys are provided as part of API service calls, and Google only keeps the key in memory and uses it to decrypt a single payload or block of returned data. Currently, customer-supplied encryption keys can be used with Cloud Storage and Compute Engine.

You should also consider the Data Loss Prevention API to protect sensitive data by finding it and redacting it. Cloud DLP provides fast, scalable classification and redaction for sensitive data elements, like credit card numbers, names, Social Security numbers, US and selected international identifier numbers, phone numbers, and Google Cloud credentials. Cloud DLP classifies this data using more than 90 predefined detectors to identify patterns, formats, and checksums, and even understands contextual clues. Some of these are shown on the right. You can optionally redact data as well, using techniques like masking, secure hashing, tokenization, bucketing, and format-preserving encryption.
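
To make the pattern-plus-checksum detection and two of the redaction techniques named above (masking and secure hashing) concrete, here is an added local sketch for credit card numbers. It is not from the course and does not call the Cloud DLP API; the regex, function names and sample text are assumptions constructed for this illustration.

```python
import hashlib
import hmac
import re

# Candidate pattern (assumption): 13-19 digits, optionally split by spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text: str):
    """Yield (start, end, digits) for pattern matches that also pass the checksum."""
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            yield m.start(), m.end(), digits


def redact(text: str, mode: str = "mask", key: bytes = b"") -> str:
    """Replace each finding. 'mask' keeps the last four digits; 'hash' emits a
    truncated keyed HMAC-SHA256 token, so equal inputs map to equal tokens."""
    out, pos = [], 0
    for start, end, digits in find_cards(text):
        if mode == "mask":
            repl = "*" * (len(digits) - 4) + digits[-4:]
        elif mode == "hash":
            if not key:
                raise ValueError("hash mode needs a secret key")
            repl = hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()[:16]
        else:
            raise ValueError(f"unknown mode: {mode}")
        out.append(text[pos:start] + repl)
        pos = end
    return "".join(out) + text[pos:]


# Constructed sample: one checksum-valid test number and one look-alike order id.
SAMPLE = "card 4111 1111 1111 1111 on order 1234 5678 9012 3456"
if __name__ == "__main__":
    print(redact(SAMPLE))
```

The order id matches the digit pattern but fails the checksum, so it is left untouched; this is how a checksum stage reduces false positives compared with pattern matching alone.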