While cloud computing has many advantages, security has been a drawback because the data remains with the cloud service provider (CSP) and isn’t under the direct control of the owner of this information. This means that encryption key security is of the utmost importance for organizations that select this data protection method.
Defining BYOK: What Is Bring Your Own Key All About?
Bring Your Own Key (BYOK) is, in its essence, an administration system that enables businesses to encrypt their data while retaining control and management. Some BYOK programs, however, upload encryption keys to the CSP servers. In these instances, the company once again loses custody of its keys.
A best-practice solution to this “bring your own key” challenge is for the organization to produce more robust keys through a highly secure hardware security module (HSM) and govern the safe export of its keys to the cloud – which improves its key management processes.
Unpacking Bring Your Own Key (BYOK): How Does it Work?
Bring Your Own Key (BYOK) enables businesses to retain control of the encryption credentials for their own data, irrespective of the cloud provider(s) they employ for storing their data. To accomplish this, the following steps must be taken:
- The cloud provider generates its own data encryption keys (DEKs) using the key manager in the cloud platform’s security module.
- The organization employs a third party to generate the encryption keys for these DEKs. The key used to encrypt a CSP’s DEK, caused by a third party, is called a key encryption key (KEK).
- The KEK ‘wraps’ the DEK to ensure only members of the organization, which maintains ownership and control of the KEK, can unlock the DEK and access the data contained within the CSP. Occasionally, this process is referred to as ‘key encircling.’
- When looking at a third party that can produce KEKs and offer key packaging, the organization usually has two alternatives:
- Hardware security modules (HSMs): These are expensive, highly secure, and specialized hardware components that may require additional tools and technologies to communicate with the cloud.
- Software-based key management system (KMS): These apps are on standard servers. The advantages of employing a software-based KMS are greater adaptability, easier administration, and generally decreased expenses.
- The DEK is available to users at the time of encryption and decryption, but the keys are erased from the cache after use. Bear in mind that keys are never deposited in long-term storage. Instead, the DEK or EDEK is encrypted and retained along with the encrypted data.
In a nutshell, BYOK helps public cloud service users produce cryptographic keys within their own ecosystem and maintain control of these keys with easy accessibility on a cloud server of their choice.
How Does BYOK Solve Security Challenges?
There are quite a few reasons for security managers and IT decision-makers to care about BYOK, and even seek it out when they make cloud investments.
1. Comply with data privacy laws
Across 2017 and 2018, 50 nations enacted new laws on privacy. The EU’s General Data Protection Regulations (GDPR) expects businesses to keep their consumers’ personally identifiable information (PII) secure and confidential. When forwarding PII to outside vendors, like SaaS providers, these organizations are also accountable for their security. BYOK offers visibility into data access and the capacity to revoke it.
2. Ease the cultural transition to cloud, thanks to extended control
Security is a primary concern when companies start storing data on the cloud. BYOK allows businesses to take back control of their confidential information. It enables the separation of a lock and key system into two halves – enabling the company to use its own encryption key programs and retain independent authority.
This gives organizations the peace of mind they were looking for (that only authorized personnel have access to their sensitive data. This is particularly important when companies implement the cloud for the first time. It also allows them to confiscate encryption keys from individuals or systems that shouldn’t have access.
3. Better prepare for heterogeneous cloud environments
Administering many encryption keys across multiple platforms (e.g., data center, the cloud, or multi-cloud) can be challenging and time-consuming. Organizations can handle all of their encryption credentials from a single platform by using a BYOK encryption model.
It centralizes key administration by offering one interface for the creation, rotation, and preservation of encryption keys. If the organization has data located in multiple clouds (multi-cloud), it may bring together the management of the various clouds under a single administrator.
4. Add another layer of security
This is the clearest advantage of having your own key. By isolating the encrypted data from its associated key, BYOK creates an additional layer of security for confidential information. With BYOK, organizations can use their encryption key management tools to store encrypted keys and ensure that only they have access, thereby increasing data security.
5. Save money, provided you have the technical expertise
BYOK enables in-house administration of encryption credentials. By overseeing them, organizations may stop paying for key management services from third-party vendors. This, however, precludes the possibility of recurring subscription and licensing fees.
Also, BYOK encryption is designed to make data unintelligible to malicious actors, like hackers and those posing as cloud administrators. This can indirectly reduce costs associated with the disclosure of potentially sensitive information. In turn, this averts steep compliance penalties and revenue loss.
Top Tier BYOK Examples: Zoom and Salesforce
BYOK is fast becoming the industry norm rather than a differentiator. In addition to all the major cloud providers, SaaS companies are also jumping on the bandwagon. Indeed, most organizations appreciate the option to bring their own keys, even if they choose to rely on their CSPs for encryption.
Zoom has introduced a customer-managed key offering reserved for AWS Key Management Service (AWS KMS) customers.
It is intended to satisfy the regulatory needs of the banking, finance, and healthcare sectors. Healthcare providers must adhere to HIPAA specifications, and financial services must comply with NY DFS, the Gramm-Leach-Bliley Act, and other regulations.
Salesforce also provides a BYOK feature as part of Salesforce Shield, a suite of natively integrated security services. It enables users to produce their own encryption key independently of Salesforce, which makes the platform considerably more secure and confidential.
Organizations can use open-source cryptographic libraries like OpenSSL, their current HSM infrastructures, or a third-party solution like AWS KMS.
Closing Thoughts: Is BYOK Watertight?
While BYOK reduces the risk of data loss, especially for data in transit, its security depends on the company’s capacity to protect its keys.
The loss of encryption keys may culminate in permanent data loss. To reduce this risk, try backing up keys after their generation and rotation, desist from deleting keys without triggers, and establish exhaustive key lifecycle management. In addition, having an administration plan encompassing key rotation rules, preservation, revocation steps, and access policies will be beneficial.
Finally, the costs related to BYOK cannot be disregarded – with an eye on management and support costs. BYOK adoption isn’t easy; therefore, organizations might have to invest in additional teams and HSMs, incurring higher expenses.
In short, BYOK is not a silver bullet but a necessary component of your overarching security strategy. Examine all data egress and ingress pathways, such as APIs or file transfers, along with a variety of privileged access criteria. This also applies to authentication and industry-wide best practices such as zero trust.
Up next, read the whitepaper on Protecting your Data End-to-End to build out your security strategy.