What benefits does a "bring your own key" encryption service offer? In which situations would it be better to use...
such a product/service rather than allowing a vendor to hold the keys?
Bring your own key (BYOK) encryption services enable businesses to retain control over access to their encrypted data. When companies have concerns about how their data is shared, a BYOK service is one way to mitigate the risk of unintentional or unknown exposure.
Consider what can happen when a cloud storage provider manages encryption keys: The provider is responsible for creating a key management system to serve all its customers, which is protected by the security measures the provider has in place -- this would include monitoring and audit procedures.
Some customers using the service may be perfectly happy having the storage provider manage all aspects of encryption. Small businesses, for example, may not have the expertise on staff or the time needed to dedicate to key management. In such cases, relying on a storage provider may be the better option for maintaining a chosen level of security.
Organizations subject to industry and government regulations or with particularly stringent data access requirements may want to retain more control over their data and encryption. In such cases, these businesses may not want a storage provider holding the key that could unlock their data.
Consider this hypothetical scenario: A company stores documents with a cloud storage service. A law enforcement agency serves a warrant to the cloud provider to access copies of the company's documents. The provider, believing it is under legal obligation to comply with the warrant, decrypts the documents and releases them. Under such a hypothetical situation, if the customer organization had managed its own keys, the law enforcement agency would have had to consult with the customer to decrypt the data. Of course, all parties involved have to follow laws; using a BYOK service is not a way to circumvent them. However, there may be cases where it is important for the party who owns the data to know about such warrants. For example, imagine if, unknown to the cloud provider, the customer's legal advisors successfully suppressed the warrant. Should the data have been released by the cloud provider? What are the implications of releasing the data under a legal order that was later deemed invalid? These are legal questions that should be addressed by legal professionals.
When organizations need or want to retain control over the release of data, using a BYOK encryption service can help maintain that level of control. BYOK touches on legal issues that are well beyond the scope of information technology and security and should be considered by legal counsel. Needless to say, nothing in this article should be considered legal advice.
Ask the Expert!
Want to ask Dan Sullivan a question about cloud security? Submit your questions now via email! (All questions are anonymous.)
Learn more about Box's new BYOK encryption service
Learn more about the importance of Bring Your Own Key encryption for securing data in the cloud.
Dig Deeper on Cloud Data Storage, Encryption and Data Protection Best Practices
Related Q&A from Dan Sullivan
Docker's recent upgrade introduced support for hardware signing and in the future, automated security analysis on Docker images. Expert Dan Sullivan ... Continue Reading
Cisco's new project Contiv automates operational policies for containerized applications in the cloud. Expert Dan Sullivan explains the benefits of ... Continue Reading
Dropbox API abused by attackers posing as legitimate users in a huge spear phishing campaign. Expert Dan Sullivan explains how to mitigate the risks ... Continue Reading