Bring your own key (BYOK) is a popular term relating to key management for cloud applications. However, a lack of standardization makes it confusing to understand the various meanings that exist under bring your own key. The Cloud Security Alliance (CSA), in its document “Key Management in Cloud Services,” describes the various meanings and concepts surrounding “Bring Your Own Key.”
There is currently no standardization of BYOK and its meaning may differ from company to company. In addition to BYOK (Bring Your Own Key), other acronyms are used, including HYOK (Hold Your Own Key) and CYOK (Control Your Own Key) - and more recently Bring Your Own Encryption (BYOE). These related terms are becoming more widely used by technology companies as demand for banking-grade cloud computing grows. However, one must realize that these are considered more as marketing terms than technological terms.
While NIST documentation, such as NIST SP 800-57, does not mention BYOK, it does define the “Owner” of a private key as any entity that is authorized to use that private key. It also defines the owner of a symmetric key as an entity that is authorized to use the key.
Technically, this muddies the waters of key ownership, because these keys do end up being used by the cloud service provider. The NIST definition of key owner negates the “O” in virtually every BYOK scheme on the market for SaaS, since the private key or symmetric key is ultimately being used by the cloud service provider (CSP).
It’s worth noting that BYOK is not one particular implementation — the term doesn’t clearly indicate any technical design, legal risk or outcome. Therefore, CSA advises that “technical professionals should not use the term and should actively discourage its use among the professional community as well as the press.”
Difference between Key Ownership/Control vs Usage vs Possession
Some of the confusion is caused by the lack of standardization, and CSA’s document asserts that the “difference in ownership” is something to be considered. It is essential to understand the difference between key ownership/control vs usage vs possession.
Ownership of a key does not guarantee achieving the goal of privacy. Instead, it is possession that is the main issue in protecting the privacy of keys.
When an organization shares its keys with a cloud service provider, it must accept the reality that the provider can access the data protected by the keys in order to work on it, unless other measures have been taken to prevent this from happening.
For practical security purposes, emphasis for web security and privacy standards should be placed more on the possession and usage of encryption keys, rather than ownership/control.
Therefore, focus should be placed on the desired degree of privacy when choosing a key management system to manage a cloud environment.
Cryptomathic’s Approach to the Concept of BYOK
Instead of BYOK, HYOK, or CYOK, Cryptomathic has historically used the term “manage your own key” or MYOK (which can be considered the same as or similar to HYOK). This approach to key management manages the key throughout its entire life cycle, from creation to destruction. With Cryptomathic's approach, the application key is stored in an on-premises or cloud-based, single-tenant, banking-grade HSM or HSM pool (FIPS 140-2 Level 3), where it remains under the complete control of its owner, not a third party.
With the HYOK model, the customer/user can actively define to which services the key management system provides keys. But by definition, data and keys need to be made accessible to defined services in the cloud infrastructure. These cloud-native applications and services need to have access to unencrypted data/keys.
This is the remaining weak point in a BYOK / MYOK / HYOK infrastructure. We advocate a broader scope for BYOK/MYOK, which also includes the management & control of the policies that define and manage the rights of cloud applications.
Going beyond BYOK is the concept of Bring Your Own Encryption (BYOE), which can actually deliver on the security promises that have been promoted with BYOK. The concept of BYOE should allow the usage and possession of the cryptographic keys to be separated from the CSP applications, effectively addressing the concern many organizations have in relation to key control, access to the key and its usage. With BYOE, the cryptographic platform that uses the keys should be separated from the cloud applications - giving true ownership of the keys' usage and possession - whether the encryption platform is in the cloud or in an on-premises data center. Currently, true BYOE is not a technical reality; such an advancement still relies on the CSPs opening their interfaces to allow third-party encryption companies to address these security concerns.
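The possession point made above (L9 onward) and the BYOK-versus-BYOE separation can be made concrete with a small model. This is an added illustration, not Cryptomathic's code: the class names are hypothetical, the HMAC-SHA256 keystream is a standard-library stand-in for a real cipher such as AES-GCM, and the CSP object simply records every key it is ever handed so we can check who possesses the key at the point of use.

```python
import hashlib
import hmac
import os


def toy_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in keystream (constructed for the
    # demo, not for production); XOR makes encryption and decryption identical.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class CustomerKeyStore:
    """Stands in for the customer's HSM: the only place the key is generated."""
    def __init__(self) -> None:
        self._key = os.urandom(32)

    def export_key(self) -> bytes:  # BYOK: the key material itself is handed over
        return self._key

    def encrypt_here(self, nonce: bytes, data: bytes) -> bytes:  # BYOE: only data crosses
        return toy_encrypt(self._key, nonce, data)


class CloudService:
    """Stands in for a CSP application; records every key it is ever given."""
    def __init__(self) -> None:
        self.keys_held = []   # what the CSP *possesses*, regardless of who "owns" it
        self.blobs = {}       # name -> (nonce, ciphertext)

    def import_key(self, key: bytes) -> None:
        self.keys_held.append(key)

    def store_plaintext(self, name: str, data: bytes) -> None:
        nonce = os.urandom(12)  # CSP encrypts, so it must hold the key at this point
        self.blobs[name] = (nonce, toy_encrypt(self.keys_held[-1], nonce, data))

    def store_ciphertext(self, name: str, nonce: bytes, blob: bytes) -> None:
        self.blobs[name] = (nonce, blob)  # CSP only ever sees ciphertext

    def csp_can_decrypt(self, name: str, plaintext: bytes) -> bool:
        nonce, blob = self.blobs[name]
        return any(toy_encrypt(k, nonce, blob) == plaintext for k in self.keys_held)


def byok_flow(data: bytes) -> bool:
    store, csp = CustomerKeyStore(), CloudService()
    csp.import_key(store.export_key())      # customer "owns" the key, CSP now possesses it
    csp.store_plaintext("doc", data)
    return csp.csp_can_decrypt("doc", data)  # True: possession, not ownership, decides


def byoe_flow(data: bytes) -> bool:
    store, csp = CustomerKeyStore(), CloudService()
    nonce = os.urandom(12)
    csp.store_ciphertext("doc", nonce, store.encrypt_here(nonce, data))
    return csp.csp_can_decrypt("doc", data)  # False: the key never left the customer
```

The model deliberately ignores how the CSP application would work on the data in the BYOE case, which is exactly the open interface problem the text says current CSPs have not solved.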
For more information on the pros and cons of BYOK, please contact your Cryptomathic representative.
References and Further Reading
- Key Management in Cloud Services: Understanding Encryption’s Desired Outcomes and Limitations (October 2020), by the Cloud Security Alliance
- Key Management Guidelines, SP 800-57 (May 2020), by NIST
- Selected articles on Bring Your Own Key (2017 - today), by Matt Landrock, Stefan Hansen, Ulrich Scholten and more
- Selected articles on Key Management (2012 - today), by Dawn M. Turner, Guillaume Forget, Peter Landrock, Peter Smirnoff, Stefan Hansen and more
- Selected articles on Key Management in the Cloud (2017 - today), by Edlyn Teske, Matt Landrock, Rob Stubbs, Stefan Hansen, Ulrich Scholten, Joe Lintzen and more
- Key Management in a Multi-Cloud Environment - A blessing or a curse? (2017), by Johannes “Jo” Lintzen
- Buyer’s Guide to Choosing a Crypto Key Management System - Part 1: What is a key management system (2018), by Rob Stubbs
- Buyer’s Guide to Choosing a Crypto Key Management System - Part 2: The Requirement for a Key Management System (2018), by Rob Stubbs
- Buyer’s Guide to Choosing a Crypto Key Management System - Part 3: Choosing the Right Key Management System (2018), by Rob Stubbs
- CKMS Product Sheet (2016), by Cryptomathic