Spend a few minutes talking to most technologists about public cloud services and you'll quickly reach a firm conclusion:...
cloud can be challenging from a security standpoint. In part, this is because of the nature of the cloud itself. One of the things that makes the cloud beneficial and powerful is its commodification of the technology substrate, which means everything below a given level of the technology stack -- the level varies by cloud model -- can be viewed as a black box from a customer point of view. This is powerful because it means that a customer can redirect resources that it would otherwise spend on the management of technology to other more directly business-visible efforts.
From a security point of view, there are a few implications. First, it means potentially ceding portions of responsibility for technical security control operation to service providers, which can be a scary proposition for larger, more risk-averse, or heavily regulated organizations. It also can impact the operation and security profile of certain controls. In the case of encryption, for example, the question of key ownership becomes a significant point. When an organization cedes control over key management and operation to a service provider, that service provider of necessity now has access to that key -- and, by extension, to the data that key protects.
This means that the service provider has the ability to access encrypted data should situations require it. For example, in a situation where a service provider receives a request for access to data from law enforcement, there is no technical barrier gating access to the data -- despite the fact that the data is encrypted. Likewise, gaps in technical or administrative safeguards (e.g., key management, expiry or access to keys) at the service provider might put data at risk.
Benefits of bring your own encryption
Because of this, it is now more common for service providers to offer the concept of bring your own encryption, or BYOE -- sometimes referred to as bring your own key, or BYOK -- for this situation. Under this model, the customer becomes the owner and manager of encryption keys instead of the cloud service provider (CSP). This allows the customer to use its existing key management, encryption, vaulting or other software and hardware in combination with the service provider, so that the service can still encrypt and decrypt data while the service provider's access to the key material is limited.
Depending on the specific implementation, bring your own encryption can allow the use of hardware security modules, third-party key management tools, access management and logging tools or other key brokering capabilities. This provides a number of potential benefits to the customer. First and most obviously, it means the cloud customer is required to be in the loop on sharing of data, including situations in which the receiving party is law enforcement. In other words, it creates a technical barrier that requires the customer's involvement before access to data is granted.
Keeping the cloud customer in the loop is valuable in and of itself, but there are additional ways in which bring your own encryption can benefit customers. For instance, it can help enforce spoliation (rendering the data unrecoverable) in the event that an organization seeks to change service providers. If a service provider needs to walk away from a cloud relationship, knowing that the customer is the only one with access to the key can provide a level of assurance that data is no longer accessible to the service provider once the relationship is terminated. Likewise, for those organizations that wish to ensure that geographic restrictions are placed on data, bring your own encryption can help enforce that -- even if the data somehow winds up in a region other than the one the customer expected, the customer can control the degree to which it is accessible by retaining ownership of the key.
Given the benefits of BYOE, the next logical question for cloud customers is the relative complexity of implementation -- i.e., how easy or difficult is it to implement this and under what circumstances is it available.
It is important to note that not every cloud provider offers the bring your own encryption option for every service they provide. Amazon offers it in the AWS Key Management Service, and Microsoft offers it in Azure Key Vault, plus Salesforce recently introduced its Shield product providing this functionality. In the storage world, providers like Box and Tresorit provide the capability for customers to utilize their own keys as well. However, not all CSPs -- particularly smaller providers -- have implemented this functionality yet. Organizations for which this functionality is important therefore need to recognize that their choice of service providers may be limited.
Additionally, it is important that organizations have a level of self-awareness with respect to their own readiness before they seek to undertake a bring your own encryption implementation. Many organizations are not exactly the most rigorous or disciplined when it comes to cryptographic hygiene -- i.e., key management procedures, key expiry and other implementation details. If your organization is already challenged with key management in on-premises implementations, it may be asking more than is prudent to extend this to BYOE -- it may wind up with just as chaotic a situation outside of its borders. Also, it's important that organizations have an understanding of shadow usage in their environments since cloud usage it doesn't know about is unlikely to incorporate the bring your own encryption feature until it's intentionally applied.
Lastly, it's important that organizations are ready to handle the availability and logistical considerations that go along with supporting BYOE. If a cloud provider requests a key to accomplish a particular operation, the environment needs to be ready to support that. Does the organization have the staff in place to service key creation? Has the organization appropriately locked down its own internal access so that only those personnel allowed to do so can create and access keys? These are just as important in a BYOE situation as they are in an on-premises key management situation.
Bring your own encryption can bring tremendous value and flexibility, but making the best use of it takes some preparation and thought.