ServicesAdvantagesDisadvantages
Bring Your Own Encryption (BYOE)
  • The Bring Your Own Encryption (BYOE) concept is the desired trust model for organizations that require full control over access to their data regardless of where it is stored or processed.
  • Regulated industries, such as financial services and healthcare, require keys to be segregated from the cloud Data Warehouse compute and storage infrastructure. BYOE enables organizations to comply with this requirement with encryption applied to the most sensitive columns, and dynamic masking or filtering access to other sensitive columns – achieving the optimal balance between data protection, compliance, analytics and usability of the data.
  • Without exposing encryption keys or sensitive data to the cloud, BYOE enhances the security of data within all cloud services such as Database as a Service (DBaaS) environments, as data is always encrypted before being sent to the cloud.
  • There is an increased latency problem as any data element has to go through repeated cycles of encryption and decryption for utilization in cloud environments, thereby inducing latency related issues.
  • As there are limited interfaces available, there is a requirement to build Custom API’s for integration with multiple cloud service providers, which might not be feasible for a small/medium sized organizations.
  • As the organizations adopt a move to cloud approach, this approach puts increasing pressure on the on-premises infrastructure with respect to scaling, performance, etc.
Bring Your Own Key-Cloud HSM
  • No Key exposure outside the HSM.
  • FIPS advanced level (FIPS 140-2 Level 3 and above) complaint hardware-based devices meeting all regulatory requirements.
  • Can perform all core functions of an on-premises HSM: key generation, key storage, key rotation, and APIs to orchestrate encryption in the cloud.
  • Designed for security.
  • Dedicated hardware and software for security functions.
  • Need specialized, in-house resources to manage key and crypto lifecycle activities.
  • HSM-based approaches are more cost intensive due to the use of a dedicated hardware appliance.
  • Performance overheads.
Bring Your Own Key-Cloud KMS
  • No specialized skilled resources are required.
  • Enables existing products that need keys to use cryptography.
  • Provides a centralized point to manage keys across heterogeneous products.
  • Native integration with other services such as system administration, databases, storage and application development tools offered by the cloud provider.
  • Key exposure outside HSM.
  • FIPS 140-2 Level 3 and above devices not available.
Software
Key
Manage-ment
  • With this approach, service accounts, generic administrative accounts which may be assumed by one or more users, can access these secrets, but no one else.
  • Not compliant with regulatory requirements which specify FIPS-certified hardware.
Secret Management
  • Run the organizations own key management application in the cloud.
  • Lower cost than HSMs and full control of key services, rather than delegating them to your cloud provider.
  • Can perform all core functions of an HSM: key generation, key storage, key rotation, and APIs to orchestrate encryption in the cloud.
  • N/A

About the Author

Search any posts

A collection of Encryption related products and resources that every organization should have!

Cyber security experts conference 2022

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Building your Encryption Strategy

Once overlooked, key management in the cloud is becoming a high priority for CISOs as multi-cloud environments become the next step in the continual goal of reducing downtime. Each major cloud provider has its own internal key manager. Amazon Web Services (AWS) has the AWS Key Management Service tucked away inside of the Identity and Access Management (IAM). Azure has the Key Vault to store keys used within its environment. Google has the Cloud Key Management Service. All of them have very different interfaces and offer little control over key sovereignty.

Leverage REST for BYOK

External Key Management services have been slow to answer the problem with their focus on the internal data center. Cloud key managers have not been keen to adopt standards such as the Key Management Interoperability Protocol (KMIP). The latest generation of Key Managers, however, is starting to close the gap. By leveraging the REST interfaces provided by cloud providers, Key Managers can enable Bring Your Own-Key (BYOK) functionality at multi-cloud and enterprise scales. Functionally, most Key Managers can support these new use-cases through APIs and clients. Migrating to a secure cloud infrastructure requires some research as BYOK integrations are still emerging.

How to Decide on a Key Management Partner

There are several questions you should consider before deciding on your key management partner:

  • What is your current usage of encryption?
  • Where should your organization be using encryption but not due to complexity?
  • How many cryptographic objects will the Key Manager support? Will it be able to scale with the continued growth of your company?
  • Does the Key Manager support automation of workloads? With the heavy automation already in your DevOps environment, why introduce a manual bottleneck?
  • Does the Key Manager have the integrations for the tools you use?
  • Is the Key Manager from a company that can be a trusted partner? Managing your keys is only part of the equation. Encryption keys and certificates manage all of your stored data. You need to ensure your organizational data integrity.

By working with experts, you greatly increase your chances of having a platform that performs and provides the security your organization needs to thrive while still protecting vital data. With the right strategy, encryption of your multi-cloud infrastructure can be integrated into your existing DevOps platforms with ease.

Jon Mentzell is a cyber security expert with two decades of systems administration and DevOps experience including security for a cabinet-level government agency. He is currently the Product Security Manager at Fornetix.

About the Author

Search any posts

A collection of Encryption related products and resources that every organization should have!

Cyber security experts conference 2022

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Let's talk