Bring Your Own Key (BYOK) is an approach where the on prem keys are placed in a cloud service provider environment, enabling to use on prem keys with the native cloud key management services to encrypt and decrypt content. BYOK requires HSMs (either dedicated or offered as KMS service) but supports all cloud service models (SaaS, PaaS, and IaaS) so long as the cloud vendor offers key management service.

BYOK with Cloud KMS

Organizations can bring their own ‘master’ keys to the cloud, but the cloud provider uses data encryption keys derived from the master for actual encryption and decryption outside the HSMs. As the cloud vendor controls all the underlying hardware and software, they can choose if encryption is done in hardware or software services, while maintaining security of the derived encryption keys.

Advantages

  • No specialized skilled resources are required
  • Enables existing products that need keys to use cryptography
  • Provides centralized point to manage keys across heterogeneous products
  • Native integration with other services such as system administration, databases, storage and application development tools offered by the cloud provider

Disadvantages

  • Key exposure outside HSM
  • FIPS 140-2 Level 3 and above devices not available

BYOK with Cloud HSM

All encryption operations on the organization’s behalf are performed inside the HSM. The native cloud encryption service may satisfy requests on the organization’s behalf, so encryption and decryption are transparent, but key access and cryptographic operations are kept within the HSM.

Advantages

  • No Key exposure outside the HSM
  • FIPS advanced level (FIPS 140-2 Level 3 and above) complaint hardware-based devices meeting all regulatory requirements
  • Can perform all core functions of an on prem HSM -key generation, key storage, key rotation, and API interfaces to orchestrate encryption in the cloud
  • Designed for security
  • Dedicated hardware and software for security functions.

Disadvantages

  • Need specialized in-house resources to manage key and crypto lifecycle  activities
  • HSM based approaches are more cost intensive due to the dedicated hardware appliance that is made available
  • Performance overheads

About the Author

Search any posts

A collection of Encryption related products and resources that every organization should have!

Cyber security experts conference 2022

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

When a user connects to a website via HTTPS, asymmetric encryption is used. For that to happen, the user uses the server’s public key to initiate the connection. To confirm the authenticity of that public key, certificates are used. The certificate will have details such as who does this certificate belong to, who issued it, a serial number, expiration date and the public key.
This can establish trust where the certificate and the key can be trusted and thereafter the communication between the user and the server is also trusted.

About the Author

Anish Bhattacharya is a Consultant at Encryption Consulting, working with PKIs, HSMs, creating Google Cloud applications, and working as a consultant with high-profile clients.

Search any posts

A collection of Encryption related products and resources that every organization should have!

Cyber security experts conference 2022

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Data encryption of a table in SQL Server is done at the column level, column by column, and utilizes symmetric encryption. The following steps detail how this process occurs within SQL Server:

  • A database master key is created
  • A self-signed certificate is created which will be protected by the database master key
  • A symmetric encryption key to be used for the column level encryption is created from the certificate
  • The table is then encrypted with the EncryptByKey function using the symmetric key and the name of the certificate

To decrypt data, the DecryptByKey function is called, which also requires the symmetric key and the name of the certificate.

About the Author

Search any posts

A collection of Encryption related products and resources that every organization should have!

Cyber security experts conference 2022

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Building your Encryption Strategy

Once overlooked, key management in the cloud is becoming a high priority for CISOs as multi-cloud environments become the next step in the continual goal of reducing downtime. Each major cloud provider has its own internal key manager. Amazon Web Services (AWS) has the AWS Key Management Service tucked away inside of the Identity and Access Management (IAM). Azure has the Key Vault to store keys used within its environment. Google has the Cloud Key Management Service. All of them have very different interfaces and offer little control over key sovereignty.

Leverage REST for BYOK

External Key Management services have been slow to answer the problem with their focus on the internal data center. Cloud key managers have not been keen to adopt standards such as the Key Management Interoperability Protocol (KMIP). The latest generation of Key Managers, however, is starting to close the gap. By leveraging the REST interfaces provided by cloud providers, Key Managers can enable Bring Your Own-Key (BYOK) functionality at multi-cloud and enterprise scales. Functionally, most Key Managers can support these new use-cases through APIs and clients. Migrating to a secure cloud infrastructure requires some research as BYOK integrations are still emerging.

How to Decide on a Key Management Partner

There are several questions you should consider before deciding on your key management partner:

  • What is your current usage of encryption?
  • Where should your organization be using encryption but not due to complexity?
  • How many cryptographic objects will the Key Manager support? Will it be able to scale with the continued growth of your company?
  • Does the Key Manager support automation of workloads? With the heavy automation already in your DevOps environment, why introduce a manual bottleneck?
  • Does the Key Manager have the integrations for the tools you use?
  • Is the Key Manager from a company that can be a trusted partner? Managing your keys is only part of the equation. Encryption keys and certificates manage all of your stored data. You need to ensure your organizational data integrity.

By working with experts, you greatly increase your chances of having a platform that performs and provides the security your organization needs to thrive while still protecting vital data. With the right strategy, encryption of your multi-cloud infrastructure can be integrated into your existing DevOps platforms with ease.

Jon Mentzell is a cyber security expert with two decades of systems administration and DevOps experience including security for a cabinet-level government agency. He is currently the Product Security Manager at Fornetix.

About the Author

Search any posts

A collection of Encryption related products and resources that every organization should have!

Cyber security experts conference 2022

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Let's talk