Bring Your Own Key (BYOK) – The Untold Story

Bring Your Own Key doesn’t mean that you are in total control of your encryption keys. It only means that you supplied an encryption key and got a false sense of security in return.
bring your own key parablu casb Cloud
As cries around security and privacy in the cloud gained momentum, a handful of cloud and SaaS vendors have countered that with a concept that is commonly advertised to customers as Bring Your Own Key (call it BYOK for short). The idea here is to overcome the fundamental objection that the encryption of data at rest which is provided by the public cloud or SaaS vendors is not adequate protection for customer data, since the cloud or SaaS vendor can decrypt the data and gain access to it any time. BYOK strives to reassure customers that they control the keys used for encrypting their data in the cloud.  But do they really?

Each time I meet an IT manager or CIO, I am surprised at how good a marketing job proponents of BYOK have done.

Bring Your Own Key does allow the customer to provide an encryption key, but in many cases, once you get beyond that, it doesn’t seem to do a whole lot to protect the customer’s interests any more than before.

  1. For one thing, the encryption key the customer provides is many times not even the key used to encrypt the data. The SaaS or cloud vendor uses their own key to encrypt and then uses the customer’s key to encrypt their key.
  2. Depending on the service being provided, the SaaS or cloud vendor still retains the ability to perform operations on the customer’s data (like full text indexing or analytics).
  3. The cloud or SaaS vendor seems to have access to the customer’s key at any point in time to perform operations without requiring the customer’s explicit permission to do so. Remember that they may not be able to see the customer’s key, but they can use it to decrypt data as needed.
  4. Customers rarely if ever can change their key at will.

Unfortunately, this is the type of “Trust Me” security that many customers are accepting.  While most cloud and SaaS vendors are reputed organizations and most of the usage they make of the customer’s key are legitimate, the main concerns everybody has around cloud security – like a rogue employee on the SaaS/Cloud vendor’s payroll or a Government demand to turn over customer data – are still not addressed.

Let’s set a few things straight:

Cloud – As the FSFE (Free Software Foundation Europe) put it nicely: “There is no cloud, just other people’s computers.” To be more precise, other people’s computers, managed by humans. If you think that cloud’s a nice and safe place that cannot be compromised, then think again.

Encryption – Best practice encryption requires a separation of duties between the owner of the data and the cloud or SaaS vendor. This means, you should control the encryption and the keys and let the cloud or SaaS vendor manage the data.

 Large doesn’t necessarily mean safe – A highly reputed Cloud or SaaS provider with decades of experience and billions of dollars of market capitalization aren’t necessarily safe if there is no technological barrier preventing them from getting to your data.

So, go ahead and ask these hard questions of your Cloud or SaaS vendor:

Question # 1: Am I the only one with access to my encryption keys?

Key management is the most complex part of any security system dealing with data encryption. Ideally you are the only one who should be able to generate and keep the encryption keys. That is what BYOK should promise. If yes, how is your data being decrypted in the cloud? The truth is, you have to “share” the keys with the Cloud or SaaS vendor.

Question # 2: Ask how eDiscovery and Indexing happen without keys

Imagine that your Cloud/SaaS vendor wasn’t able to access your keys to decrypt data without your permission. Just check if they are still able to offer you eDiscovery, Search, Content Indexing, DLP, and Analytics. If they are, it means that they can use your encryption keys to decrypt data. And, if they can do that, that technically means your data can be accessed for reasons other than for providing these services too.

Question # 3: How does your Hardware Security Module (HSM) Work?

HSM is supposed to be hardware that is built to hold your encryption keys and also process encryption / decryption functions securely.  A number of cloud providers and SaaS vendors now provide an HSM in the cloud.  When using BYOK, the encryption key you provide goes into the Cloud HSM.  And just as good HSMs are supposed to do, once the keys go in there, no one can get access to the keys. Not even the cloud provider or SaaS vendor.  Which is great, but the part that most customers may not fully get their head around is that the SaaS or cloud vendor is freely able to use the customer’s keys to decrypt their data via the HSM.  So, the customer keys maybe invisible, but their data isn’t!

Question # 4: Can I change my key and not tell anyone?

Finally, you can ask if you are free to change the keys anytime. If BYOK works correctly, the answer should be “yes”. So follow it up with these two – “Can I change the keys and not inform you – the cloud or SaaS vendor?” and “Would changing keys mean any disruption in service?

There are several more questions you can ask, but I think these should help you get a good feel into how safe your data is.

Data security and privacy is critical and “Trust Me” just doesn’t work. What you need to trust in is a technology barrier that clearly separates the cloud provider from the data. Here is what the Cloud Security Alliance unequivocally states (Section 2.1.2):

“However, based on the Segregation of Duties security principle, key management ideally should be separated from the cloud provider hosting the data. This provides the greatest protection against both an external breach of the service provider as well as an attack originating from a privileged user/employee of the provider. Additionally, this segregation of duties prevents the cloud provider from unauthorized disclosure of customer data, such as compliance with a subpoena, without the customer knowledge or approval. The customers should retain complete control over their data and only they should be able to comply with disclosure requests.”

So go ahead and ask the hard questions. If you don’t get a satisfactory answer, that simply means you need to effect the separation of control yourself. Consider using a CASB or Privacy Gateway based solution which protects your interests. At the end of the day, it’s your data at stake.

Take control of your encryption keys. Take control of your data.