The Bring Your Own Encryption (BYOE) concept is the desired trust model for organizations that require full control over access to their data regardless of where it is stored or processed.
Regulated industries, such as financial services and healthcare, require keys to be segregated from the cloud Data Warehouse compute and storage infrastructure. BYOE enables organizations to comply with this requirement with encryption applied to the most sensitive columns, and dynamic masking or filtering access to other sensitive columns – achieving the optimal balance between data protection, compliance, analytics and usability of the data.
Without exposing encryption keys or sensitive data to the cloud, BYOE enhances the security of data within all cloud services such as Database as a Service (DBaaS) environments, as data is always encrypted before being sent to the cloud.
Latency increases, because every data element has to pass through repeated cycles of encryption and decryption before it can be used in the cloud environment.
Because only limited interfaces are available, custom APIs have to be built for integration with each cloud service provider, which may not be feasible for small or medium-sized organizations.
As organizations move more of their workloads to the cloud, this approach puts increasing pressure on the on-premises infrastructure with respect to scaling, performance and similar concerns.
Bring Your Own Key-Cloud HSM
No Key exposure outside the HSM.
FIPS advanced level (FIPS 140-2 Level 3 and above) compliant hardware-based devices meeting all regulatory requirements.
Can perform all core functions of an on-premises HSM: key generation, key storage, key rotation, and APIs to orchestrate encryption in the cloud.
Designed for security.
Dedicated hardware and software for security functions.
Need specialized, in-house resources to manage key and crypto lifecycle activities.
HSM-based approaches are more cost intensive due to the use of a dedicated hardware appliance.
Bring Your Own Key-Cloud KMS
No specialized skilled resources are required.
Enables existing products that need keys to use cryptography.
Provides a centralized point to manage keys across heterogeneous products.
Native integration with other services such as system administration, databases, storage and application development tools offered by the cloud provider.
Key exposure outside HSM.
FIPS 140-2 Level 3 and above devices not available.
Software Key Management
With this approach, service accounts and generic administrative accounts, which may be assumed by one or more users, can access these secrets, but no one else can.
Not compliant with regulatory requirements which specify FIPS-certified hardware.
Runs the organization's own key management application in the cloud.
Lower cost than HSMs and full control of key services, rather than delegating them to your cloud provider.
Can perform all core functions of an HSM: key generation, key storage, key rotation, and APIs to orchestrate encryption in the cloud.
Which cloud crypto vendor is best for you? The choice between Amazon Web Services and Microsoft Azure is heavily debated by users. Uploading data to the public cloud is becoming the standard for organizations. The two main factors in protecting that data are preventing unauthorized access and meeting compliance regulations. Cloud security must be the main priority of everyone in the organization. The value of encryption depends on the protection of the keys. Key protection and management are offered by Amazon Web Services Key Management Services (AWS KMS) and Microsoft Azure Key Vault. In today’s blog, Encryption Consulting will summarize Amazon Web Services (AWS) Key Management System (KMS) and Microsoft Azure Key Vault.
Amazon Web Services Key Management Services (AWS KMS):
AWS KMS is a managed service that is used to create and manage encryption keys. The two types of encryption keys in AWS KMS are Customer Master Keys (CMKs) and data keys. CMKs can be used to encrypt and decrypt up to 4 kilobytes of data. Data keys are generated, encrypted and decrypted by CMKs. CMKs never leave AWS KMS. CMKs can be customer managed or AWS managed. Data keys are used to encrypt data. AWS KMS does not store, manage or track data keys, and AWS KMS cannot use a data key to encrypt data for you: you have to use and manage data keys yourself. AWS KMS uses FIPS 140-2 validated hardware security modules (HSMs) and supports FIPS 140-2 validated endpoints, ensuring the confidentiality and integrity of your keys.
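The paragraph above describes the envelope encryption model: the CMK never leaves KMS, direct encryption under it is limited to 4 KB, and anything larger is encrypted by the caller with a data key that KMS generates and wraps. The following Go program is an added example (not code from the original post or from AWS) that models that boundary in memory. The `KMS` type is an assumed stand-in for the service, with `Encrypt`, `GenerateDataKey` and `Decrypt` methods named after the KMS API operations, and the 4096-byte limit is taken from the 4 KB figure in the text. Everything on the caller's side, including encrypting the payload before it would leave the trust boundary, is the same pattern a BYOE deployment follows, just with the master key held elsewhere.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// cmkDirectLimit models the 4 KB ceiling on plaintext that KMS Encrypt accepts.
const cmkDirectLimit = 4096

// KMS is an assumed in-memory stand-in for the service: the CMK lives only
// inside this struct and is never returned to the caller. Real KMS backs this
// with FIPS 140-2 validated HSMs; this model only reproduces the API shape.
type KMS struct {
	cmk []byte
}

// NewKMS creates a service instance with a fresh random 256-bit CMK.
func NewKMS() (*KMS, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &KMS{cmk: k}, nil
}

// sealAESGCM encrypts with AES-256-GCM and prepends the random nonce.
func sealAESGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openAESGCM reverses sealAESGCM; the GCM tag check rejects any tampering.
func openAESGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// Encrypt mirrors kms:Encrypt: encryption directly under the CMK, small inputs only.
func (k *KMS) Encrypt(plaintext []byte) ([]byte, error) {
	if len(plaintext) > cmkDirectLimit {
		return nil, fmt.Errorf("plaintext is %d bytes, over the %d-byte CMK limit; use a data key", len(plaintext), cmkDirectLimit)
	}
	return sealAESGCM(k.cmk, plaintext)
}

// GenerateDataKey mirrors kms:GenerateDataKey: a fresh data key is returned both in
// plaintext (for immediate use) and wrapped under the CMK (for storage). KMS keeps
// no record of it afterwards, so the caller owns the data key lifecycle.
func (k *KMS) GenerateDataKey() (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil {
		return nil, nil, err
	}
	wrapped, err = sealAESGCM(k.cmk, plain)
	return plain, wrapped, err
}

// Decrypt mirrors kms:Decrypt: unwraps anything that was encrypted under the CMK.
func (k *KMS) Decrypt(ciphertext []byte) ([]byte, error) {
	return openAESGCM(k.cmk, ciphertext)
}

// Envelope is what the caller stores: the encrypted payload plus the wrapped data key.
type Envelope struct {
	WrappedDataKey []byte
	Ciphertext     []byte
}

// EnvelopeEncrypt runs on the caller's side. KMS never sees the payload; the
// plaintext data key is used once and then zeroized.
func EnvelopeEncrypt(k *KMS, payload []byte) (*Envelope, error) {
	plainDK, wrappedDK, err := k.GenerateDataKey()
	if err != nil {
		return nil, err
	}
	ct, err := sealAESGCM(plainDK, payload)
	if err != nil {
		return nil, err
	}
	for i := range plainDK {
		plainDK[i] = 0 // best-effort zeroization of the plaintext data key
	}
	return &Envelope{WrappedDataKey: wrappedDK, Ciphertext: ct}, nil
}

// EnvelopeDecrypt asks KMS only to unwrap the data key, then decrypts locally.
func EnvelopeDecrypt(k *KMS, env *Envelope) ([]byte, error) {
	plainDK, err := k.Decrypt(env.WrappedDataKey)
	if err != nil {
		return nil, err
	}
	return openAESGCM(plainDK, env.Ciphertext)
}

func main() {
	kms, err := NewKMS()
	if err != nil {
		panic(err)
	}
	payload := bytes.Repeat([]byte("column value "), 100000) // constructed 1.3 MB sample
	if _, err := kms.Encrypt(payload); err != nil {
		fmt.Println("direct Encrypt refused:", err)
	}
	env, err := EnvelopeEncrypt(kms, payload)
	if err != nil {
		panic(err)
	}
	got, err := EnvelopeDecrypt(kms, env)
	fmt.Println("envelope round trip ok:", err == nil && bytes.Equal(got, payload))
}
```

The design point to notice is which calls cross the boundary: one `GenerateDataKey` on write and one `Decrypt` of a 32-byte wrapped key on read, regardless of payload size. That is what keeps the CMK inside the HSM-backed service while avoiding the per-element round trips that the BYOE section above lists as a latency cost.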
Azure Key Vault:
Microsoft Azure Key Vault is used to store secrets like tokens, passwords, certificates, and API keys. Azure Key Vault can also be used as a key management solution. Key Vault can encrypt keys and secrets in hardware security modules (HSMs). Key Vault supports RSA and Elliptic Curve keys only. Microsoft does not see your keys, but processes them in FIPS 140-2 Level 2 validated HSMs.