bring your own key Archives

Cloud Key Management Services: Advantages and Disadvantages

by Puneet

Last updated on May 22, 2023

Services	Advantages	Disadvantages
Bring Your Own Encryption (BYOE)	The Bring Your Own Encryption (BYOE) concept is the desired trust model for organizations that require full control over access to their data regardless of where it is stored or processed. Regulated industries, such as financial services and healthcare, require keys to be segregated from the cloud Data Warehouse compute and storage infrastructure. BYOE enables organizations to comply with this requirement with encryption applied to the most sensitive columns, and dynamic masking or filtering access to other sensitive columns – achieving the optimal balance between data protection, compliance, analytics and usability of the data. Without exposing encryption keys or sensitive data to the cloud, BYOE enhances the security of data within all cloud services such as Database as a Service (DBaaS) environments, as data is always encrypted before being sent to the cloud.	There is an increased latency problem as any data element has to go through repeated cycles of encryption and decryption for utilization in cloud environments, thereby inducing latency related issues. As there are limited interfaces available, there is a requirement to build Custom API’s for integration with multiple cloud service providers, which might not be feasible for a small/medium sized organizations. As the organizations adopt a move to cloud approach, this approach puts increasing pressure on the on-premises infrastructure with respect to scaling, performance, etc.
Bring Your Own Key-Cloud HSM	No Key exposure outside the HSM. FIPS advanced level (FIPS 140-2 Level 3 and above) complaint hardware-based devices meeting all regulatory requirements. Can perform all core functions of an on-premises HSM: key generation, key storage, key rotation, and APIs to orchestrate encryption in the cloud. Designed for security. Dedicated hardware and software for security functions.	Need specialized, in-house resources to manage key and crypto lifecycle activities. HSM-based approaches are more cost intensive due to the use of a dedicated hardware appliance. Performance overheads.
Bring Your Own Key-Cloud KMS	No specialized skilled resources are required. Enables existing products that need keys to use cryptography. Provides a centralized point to manage keys across heterogeneous products. Native integration with other services such as system administration, databases, storage and application development tools offered by the cloud provider.	Key exposure outside HSM. FIPS 140-2 Level 3 and above devices not available.
Software Key Manage-ment	With this approach, service accounts, generic administrative accounts which may be assumed by one or more users, can access these secrets, but no one else.	Not compliant with regulatory requirements which specify FIPS-certified hardware.
Secret Management	Run the organizations own key management application in the cloud. Lower cost than HSMs and full control of key services, rather than delegating them to your cloud provider. Can perform all core functions of an HSM: key generation, key storage, key rotation, and APIs to orchestrate encryption in the cloud.	N/A

Tags:

About the Author

Puneet

President at Encryption Consulting LLC focusing on providing consulting to customers in the Applied Cryptography space.

Bring your own Key Terminology, Education Center

Bring Your Own Key (BYOK) is an approach where the on prem keys are placed in a cloud service provider environment, enabling to use on prem keys with the native cloud key management services to en c rypt and decr y pt content. BYOK requires HS M s (either dedicated or offered as KMS service) but supports all cloud service models (SaaS, PaaS, and IaaS) so long as the cloud vendor offers key management service.

BYOK with Cloud KMS

Organizations can bring their own ‘master’ keys to the cloud, but the cloud provider uses data encryption keys derived from the master for actual encryption and decryption outside the HSMs. As the cloud vendor controls all the underlying hardware and software, they can choose if encryption is done in hardware or software services, while maintaining security of the derived encryption keys.

Advantages

No specialized skilled resources are required
Enables existing products that need keys to use cryptography
Provides centralized point to manage keys across heterogeneous products
Native integration with other services such as system administration, databases, storage and application development tools offered by the cloud provider

Disadvantages

Key exposure outside HSM
FIPS 140-2 Level 3 and above devices not available

BYOK with Cloud HSM

All encryption operations on the organization’s behalf are performed inside the HSM. The native cloud encryption service may satisfy requests on the organization’s behalf, so encryption and decryption are transparent, but key access and cryptographic operations are kept within the HSM.

Advantages

No Key exposure outside the HSM
FIPS advanced level (FIPS 140-2 Level 3 and above) complaint hardware-based devices meeting all regulatory requirements
Can perform all core functions of an on prem HSM -key generation, key storage, key rotation, and API interfaces to orchestrate encryption in the cloud
Designed for security
Dedicated hardware and software for security functions.

Disadvantages

Need specialized in-house resources to manage key and crypto lifecycle activities
HSM based approaches are more cost intensive due to the dedicated hardware appliance that is made available
Performance overheads