

BYOK grants users the key to cloud encryption kingdom

BYOK options from public cloud providers like AWS and Azure give users more control over their data encryption keys -- but not without some tradeoffs.

Public cloud providers are introducing new services that allow customers to integrate encryption using their own key. This helps ensure a level of data security that meets even the most demanding business and regulatory requirements.

Let's take a closer look at the new public cloud encryption services that allow users to bring their own key (BYOK), as well as the potential benefits and drawbacks.

Q. What is BYOK and what are the tradeoffs?

Encryption remains the best overall technology for securing sensitive data against loss, theft or even government snooping. But encryption key management has typically required organizations to delegate some degree of control to their public cloud provider -- a demand that many companies rejected. For organizations to fully embrace the public cloud, encryption needed to be seamless, with all key control residing within the organization.

Bring your own encryption (BYOE) and BYOK arose to address these issues. The BYOE model allows users to place their own encryption software into a public cloud instance, along with their workloads. With the organization's encryption tools running in the cloud as a service, the workloads' sensitive data can employ encryption before writing data to the cloud provider's storage resources.

The BYOK model is similar, but it often leverages the cloud provider's native encryption services, such as the 256-bit Advanced Encryption Standard (AES-256). The encryption keys, however, are based on the user's own hardware, in concert with the provider's hardware, to create a unique key management system. The encryption user controls key creation, storage and management.

There are still potential concerns to evaluate before adopting BYOE or BYOK technology. For example, key management becomes a critical process for the enterprise using the public cloud; a cloud provider can no longer unlock encrypted files if local keys are lost or forgotten.

Q. Which public cloud providers support BYOK?

Amazon Web Services (AWS) provides encryption capabilities, but users can also generate keys in AWS Key Management Service (KMS) or import keys to KMS from an on-premises key management system. Once imported to KMS, organizations can use the keys to encrypt application data and data exchanged with other integrated AWS services, but the keys never leave KMS.

Users can access KMS through the AWS Management Console, a command-line interface or APIs, all of which communicate over the Transport Layer Security (TLS) protocol.

Other public cloud providers support BYOK models. For example, Microsoft offers Azure Storage Service Encryption for Data at Rest, as well as client-side encryption using the Azure Storage Client Library for .NET NuGet package. Both rely on Azure Key services.

Other BYOK features

There are numerous capabilities users can look for in BYOK services. For example, AWS KMS users can use identity management tools to define who can manage keys, or who can use keys to encrypt and decrypt data. Some BYOK services can also rotate keys automatically, temporarily disable or re-enable keys, delete unused keys and log all key management activities for auditing.
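The administrator/user split described above can be checked mechanically. This is an added example, not code from the article or from AWS: it reviews a KMS key policy and flags principals allowed both to manage and to use a key, or an anonymous `*` principal. The account ID, role names and the grouping of KMS actions into "manage" and "use" are assumptions made for the example.

```python
import fnmatch

# Assumption for this example: which KMS actions count as key management versus
# key use (the administrator/user split the article describes), not an AWS list.
MANAGE = {"kms:PutKeyPolicy", "kms:EnableKey", "kms:DisableKey", "kms:ScheduleKeyDeletion",
          "kms:EnableKeyRotation", "kms:ImportKeyMaterial"}
USE = {"kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
       "kms:ReEncryptFrom", "kms:ReEncryptTo"}

# Constructed key policy (placeholder account and roles): admins manage but cannot use the
# key, the application uses but cannot manage it, and a third role is over-privileged.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/key-admins"},
     "Action": ["kms:Create*", "kms:Enable*", "kms:Disable*", "kms:ScheduleKeyDeletion",
                "kms:PutKeyPolicy"], "Resource": "*"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/payroll-app"},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/ops-breakglass"},
     "Action": "kms:*", "Resource": "*"},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(statement):
    principal = statement.get("Principal", {})
    return ["*"] if principal == "*" else _as_list(principal.get("AWS", []))

def grants(policy):
    """Map each principal to the management and usage actions it is allowed, expanding wildcards."""
    result = {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt["Action"]):
            manage = {a for a in MANAGE if fnmatch.fnmatchcase(a, pattern)}
            use = {a for a in USE if fnmatch.fnmatchcase(a, pattern)}
            for p in _principals(stmt):
                entry = result.setdefault(p, {"manage": set(), "use": set()})
                entry["manage"] |= manage
                entry["use"] |= use
    return result

def review(policy):
    """Flag an anonymous principal and any principal that can both manage and use the key."""
    findings = []
    for principal, entry in grants(policy).items():
        if principal == "*":
            findings.append("anonymous principal '*' is granted access")
        elif entry["manage"] and entry["use"]:
            findings.append(f"{principal} can both manage and use the key")
    return findings
```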

Google Cloud Platform is also enhancing its key management capabilities, allowing users to supply their own keys for services such as Google Cloud Storage and Google Compute Engine. Organizations considering multicloud deployments should pay close attention to differences in key management services and compatibility.

Q. Are BYOK activities logged or audited?

Logging is an essential part of encryption and key usage services. Just as users need encryption to facilitate data storage in the public cloud, logging and log management are essential to ensure regulatory compliance.


For example, AWS records all key usage in AWS CloudTrail logs, including API access to KMS. Users can access those logs to examine which keys were referenced, which users were involved and which other AWS services used them. CloudTrail logs are deposited into an encrypted Amazon Simple Storage Service (S3) bucket that users can access as needed.

Users can also employ services like Amazon CloudWatch to monitor key usage and collect KMS-related metrics for evaluation. CloudWatch records the collected metrics for up to two weeks, allowing users to get a short-term, historical perspective of key and encryption usage. Users can examine CloudWatch metrics through the AWS Management Console or the Amazon CloudWatch API.

Organizations can also automate encryption monitoring and logging. However, encryption monitoring and logging is only beneficial when a business has a clear picture of monitoring goals, the most relevant metrics to watch and the right tools for the job.
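The three questions the CloudTrail paragraph lists (which keys were referenced, which users were involved, which AWS services used them) are a natural first automation target. This is an added example, not code from the article or from AWS: it filters KMS events out of a CloudTrail log body and summarises them per key, separating routine cryptographic use from key-management calls. The records are constructed in the shape of CloudTrail events, with placeholder account, key IDs and principals.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of CloudTrail records (placeholder account,
# key ids and principals): an application decrypt, an S3-initiated data key
# request on behalf of the same role, an administrator disabling a key, and one
# non-KMS event that the filter must ignore.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"},
     "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-1"}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
     "userIdentity": {"type": "AssumedRole", "invokedBy": "s3.amazonaws.com",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"},
     "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-1"}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "DisableKey",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-2"}]},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
]})

# Calls that change a key's state or policy, as opposed to routine cryptographic use.
MANAGEMENT_EVENTS = {"DisableKey", "EnableKey", "ScheduleKeyDeletion", "PutKeyPolicy",
                     "ImportKeyMaterial", "DeleteImportedKeyMaterial", "EnableKeyRotation"}

def kms_events(raw_log):
    """Yield only the KMS records from a CloudTrail log file body."""
    for record in json.loads(raw_log)["Records"]:
        if record.get("eventSource") == "kms.amazonaws.com":
            yield record

def summarise(raw_log):
    """Per key id: the principals and AWS services that referenced it, and any management calls."""
    summary = defaultdict(lambda: {"principals": set(), "services": set(), "management": []})
    for rec in kms_events(raw_log):
        identity = rec["userIdentity"]
        for res in rec.get("resources", []):
            key_id = res["ARN"].rsplit("/", 1)[-1]          # ...:key/<id> -> <id>
            entry = summary[key_id]
            if "arn" in identity:
                entry["principals"].add(identity["arn"])
            if "invokedBy" in identity:                     # call made by another AWS service
                entry["services"].add(identity["invokedBy"])
            if rec["eventName"] in MANAGEMENT_EVENTS:
                entry["management"].append((rec["eventName"], identity.get("arn")))
    return dict(summary)
```

On real data, the same function is applied to each decompressed log object fetched from the CloudTrail S3 bucket; the per-key "management" list is the part worth alerting on.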

Q. Does BYOK meet any recognized compliance standards?

Simply using a cloud provider's encryption and key management services isn't necessarily enough to meet regulatory obligations, such as the Health Insurance Portability and Accountability Act (HIPAA) or PCI DSS. A cloud provider may also need to demonstrate compliance with recognized standards before you use its services. Before any form of public cloud adoption, review the provider's compliance with recognized standards.

For example, AWS adheres to Service Organization Controls (SOC) including SOC 1, SOC 2 and SOC 3. AWS is also certified to ISO 9001, ISO 27017, ISO 27018 and PCI DSS Level 1. This means if your business deals with credit card processing and is obligated to PCI DSS adherence, AWS may be an acceptable provider. AWS is also under evaluation for Federal Information Processing Standard (FIPS) 140-2, used as a security standard by the U.S. Government.

By comparison, Google adheres to SOC 2, SOC 3, ISO 27001, ISO 27017, ISO 27018 and PCI DSS 3.1; FedRAMP Authority to Operate with Google App Engine; and HIPAA compliance for Compute Engine, Cloud Storage, Cloud SQL, Genomics and BigQuery. Google also adheres to the E.U. Data Protection Directive; Statement on Standards for Attestation Engagements, Number 16 (SSAE16); and International Standard for Assurance Engagements (ISAE 3402 Type II) assurance standards.

If a cloud provider drops, or falls out of compliance with, a standard, or that relevant standard is revoked, the user may be obligated to cease using those cloud services -- or risk being out of compliance, as well. This adds an important dimension to cloud provider relationship management for the enterprise.
