In a recent cloud security survey conducted by the SANS Institute, 40% of organizations indicated they were currently...
storing or processing sensitive data in the cloud. According to the survey, 40% cited unauthorized access from other cloud tenants as their most pressing security concern, most felt they did not have a suitable degree of visibility into cloud provider operations and security controls, and many also mentioned encryption as a primary control they were implementing or planning to implement to secure their data in the cloud.
All of these factors combine to drive organizations toward new models and tools for data protection, with encryption at the forefront. Cloud service providers introduced many new encryption offerings within the past several years. Both Amazon and Microsoft partner with organizations that offer dedicated hardware security modules (HSMs) for their respective cloud services, and Amazon has a dedicated key management service that integrates with their APIs and identity and access management services for simple user- and group-based key management and monitoring within the AWS cloud environment.
BYOK encryption services
However, many organizations are still leery of cloud service providers having access to encryption keys stored within the service provider environment. In a study conducted in early 2015 by the Ponemon Institute, 50% of respondents stated that implementation of encryption technology was challenging, and trying to integrate internal encryption and key management tools with cloud provider technology can compound the issue. There is a growing trend with cloud providers to help with this to some extent by providing "bring your own key (BYOK)" encryption services, where customers maintain the encryption keys instead of the service provider.
With BYOK, enterprises know a cloud provider cannot, for example, turn their encryption keys over to law enforcement agencies or expose them in a breach. This is an attractive option for larger, more mature organizations that have the internal key management tools and staff expertise to manage and maintain their own keys. Not all providers offer these types of services today, but more are adding these capabilities all the time. In addition to Amazon and Microsoft -- which both offer a variety of simple and more complex key management and BYOK offerings -- Box.com offers a security solution, Box Encryption Key Management, that gives customers the ability to manage, create and revoke their own encryption keys through implementation of a SafeNet HSM that is run in Amazon Web Services (CloudHSM) and on the customer premises.
Google has enabled a BYOK strategy for Google Compute Engine (GCE) in a beta offering as of July 2015. This way, organizations that already have specific keys in use, or want to control the generation of keys -- beyond the Google-provided AES-256 keys in GCE -- can do so. Currently, this BYOK strategy does require Google to retain the keys internally during the processing of the request, but IT teams will then be able to maintain the keys themselves internally if they choose. Google does not allow you to manage an HSM, such as Amazon's CloudHSM, within the GCE cloud, either. The new service is available through APIs, the "gcloud" command line, and in the GCE Developer's Console.
Challenges with BYOK encryption
When enterprises implement BYOK, in many cases, they are making a significant investment in time and money. Keys need to be created and stored securely on premises, backed up carefully, and these backups need to be secured carefully. If an organization loses or corrupts its keys in a BYOK scenario, the provider is not in a position to help them, which could be catastrophic. Additional measures to protect keys will also be needed, including split-key access to any master keys, role-based controls and auditing for key access and encryption policy management, and some type of secure storage -- usually an internal HSM -- that keys are maintained in.
The BYOK trend will likely continue to grow as a service offering, despite the headaches that come with managing your own keys. Some organizations want this level of control or require it for compliance, and more cloud service providers will work to accommodate this in the near future.
Check out some other benefits of BYOK services
Learn how to limit the damage when encryption keys are exposed
Find out how aliases affect cloud encryption key management