Here we look at what it means to “bring your own key”, “control your own key” and “hold your own key” and what the differences are between these three methods for protecting business-critical cryptographic keys used to encrypt data in the cloud.
Key Management for cloud applications
The amount of corporate data stored in the cloud has almost doubled from 48% since the Ponemon Institute published its 2019 Global Cloud Security Study. Storing data in the cloud creates various challenges, including:
- Where is the data stored?
- Who can access the data?
- What is the best way to secure the data?
In answering what is the best way to secure data, the focus is on encryption, which requires encryption keys. This raises yet another question: who should be in control of the keys? According to common law, "possession is nine-tenths of the law," which means that ownership is easier to maintain when an entity has possession of an item, and that it is more difficult to enforce ownership and prevent unauthorised access to or use of the item when the entity does not have possession.
It is easy to relate the ownership of cryptographic keys to the thinking of “possession is nine-tenths of the law.”
As long as a business entity is in possession of its keys at all times and those keys are protected, such as within a hardware security module (HSM), they are kept secure. After all, it is all about control when it comes to encryption keys.
By default, cloud providers will generate encryption keys and then manage the lifecycle of said keys for their customers. However, this is not acceptable for organisations hosting sensitive data in the cloud because they must maintain sole control and ownership over their keys in order to comply with their internal security requirements. This has generated the need for strategies that allow organisations to maintain full control over how and when their keys are used to access and protect their encrypted data.
Therefore, the strategy of “Bring Your Own Key” (BYOK) was created, but it is not without its shortcomings. Thus, “Hold Your Own Key” (HYOK), “Control Your Own Key” (CYOK) and more were introduced to provide additional options for keeping cryptographic keys secure and maintaining control over access to said encryption keys.
The Method of “Bring Your Own Key”
Instead of accepting a cloud provider’s default option of generating and supplying its own encryption keys, which means a loss of control and headaches if there is ever a need to change providers, “Bring Your Own Key” provides the end-user some level of control over its encryption keys. With BYOK, the user creates, backs up and provides its own encryption keys. The service provider should not have access to the key in the clear, so its encrypted data remains encrypted regardless of who attempts to access it. Key ownership brings great responsibility. If the key is submitted to the service provider, it can be difficult to retrieve immediately if needed, and if the key is lost by either the provider or the end-user, the results could be catastrophic to the business.
BYOK does come with some challenges when you consider what needs to be going on behind the scenes for the end-user. It can present security and operational challenges.
- BYOK allows the end-user to independently generate, back-up and submit its own encryption keys to the cloud.
- Essentially, with BYOK the end-user forfeits control of its encryption keys once they are uploaded to the cloud provider.
- If a key is lost or an error occurs, the data cannot be decrypted, which could lead to a standstill.
- If a key is stolen, the entire security operation is jeopardized.
- If a key is lost or stolen, there is very little that can be done since the service provider was initially relieved of their liability with the key.
- The organization needs to be vigilant in maintaining back-ups and subject its operations to high-security measures.
The technical implementation of BYOK can differ significantly between cloud providers and also depends on what type of applications are used in the cloud. For most SaaS applications, the cloud provider must have access to and possession of the keys to provide their services, which negates the “own” part of BYOK. It is, therefore, important to assess whether the BYOK method supported by your cloud provider and key management system actually addresses your security and key control needs.
The “Control Your Own Key” Method
An alternate method for end-users is the “Control Your Own Key” method. With CYOK, the end-user creates its keys, and they are never exposed to cloud providers regardless of their use in the cloud. The end-user controls the full key lifecycle and can instantly revoke keys at any time. These keys can be held in a protected virtual node within the cloud or be held within a hybrid environment in an on-premise data center.
CYOK allows the end-user to maintain some control over the keys, whether they are held in an on-premise hybrid CYOK system or in a node hosted by the cloud provider.
- Cryptographic keys are uploaded to the cloud and are thus in the possession of the cloud provider.
- The keys can be used for any purpose.
- The key material is never exposed in the clear.
- The end-user can still revoke and control the keys’ lifecycles.
The “Hold Your Own Key” Method
“Hold Your Own Key” gives organizations full control over their cryptographic keys. The keys remain in the possession of the end-user at all times. With HYOK, data is encrypted before it is sent to the cloud. There is no decryption of the data until it is back on-premise. Therefore, HYOK ensures that sensitive data stays encrypted while in the cloud at all times. Meanwhile, the end-user's encryption keys are never exposed.
For organizations that require a higher level of security to meet the stringent data security requirements of their industry, like banking, finance and healthcare, HYOK provides more stringent security than BYOK and CYOK because:
- The end-user retains physical ownership and logical control of its managed encryption keys, thus always possessing its keys.
- HYOK allows for the immediate revocation of access by deactivating the key’s URL.
- Data associated with a deactivated key is immediately made inaccessible, or crypto-shredded, until the key’s availability is restored, if it ever is.
- HYOK is ideal for organizations that must adhere to strict regulation and compliance policies.
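The HYOK flow described above, as an added example that is not from the original article or from any vendor's product: data is sealed on-premise before upload, and deactivating the key leaves the ciphertext stored in the cloud unreadable until the key is restored. `HeldKey`, the key ID and the sample record are hypothetical; an in-process struct stands in for the on-premise HSM and the `Active` flag stands in for deactivating the key's URL.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// HeldKey (hypothetical type) models one key that never leaves the on-premise HSM.
type HeldKey struct {
	ID     string
	Active bool // false = deactivated; blobs sealed under this key cannot be opened
	aead   cipher.AEAD
}

// NewHeldKey generates a random 256-bit key on-premise and sets up AES-GCM with it.
func NewHeldKey(id string) (*HeldKey, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(raw) // cannot fail: 32 bytes is a valid AES key length
	g, err := cipher.NewGCM(block)
	return &HeldKey{ID: id, Active: true, aead: g}, err
}

// Seal encrypts before upload. Output: nonce || ciphertext+tag, key ID bound as AAD.
func (k *HeldKey) Seal(pt []byte) ([]byte, error) {
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil || !k.Active {
		return nil, fmt.Errorf("seal refused for %s: key inactive or no entropy", k.ID)
	}
	return k.aead.Seal(nonce, nonce, pt, []byte(k.ID)), nil
}

// Open decrypts a blob fetched back from the cloud; it fails while the key is inactive.
func (k *HeldKey) Open(blob []byte) ([]byte, error) {
	if n := k.aead.NonceSize(); k.Active && len(blob) >= n {
		return k.aead.Open(nil, blob[:n], blob[n:], []byte(k.ID))
	}
	return nil, fmt.Errorf("open refused for %s: key inactive or blob malformed", k.ID)
}

func main() {
	k, _ := NewHeldKey("hyok-demo-key") // constructed key ID
	blob, _ := k.Seal([]byte("constructed sample record"))
	k.Active = false // deactivate: the blob held by the cloud is now unreadable
	fmt.Println(k.Open(blob))
}
```

Because the key ID is bound as associated data and GCM authenticates the blob, a ciphertext that is modified in cloud storage or presented under a different key ID fails to open rather than decrypting to altered data.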
There is no official standardization for key management methods like BYOK, CYOK and HYOK for use with cloud services. However, certain industries, such as the banking and financial sector or healthcare sector, are subject to stringent requirements for protecting sensitive data, which makes some methods preferable to others.
Documents like Cloud Security Alliance’s “Key Management in Cloud Services: Understanding Encryption’s Desired Outcomes and Limitations” seek to provide guidance in determining which type of key management system is appropriate for different uses.
Despite the various acronyms that have popped up, BYOK is still used as the umbrella term for keys that are loaded into a cloud environment in order to be used by cloud applications, regardless of the different levels of control, security, auditability and remote management. In response to market demand, Cryptomathic's BYOK infrastructure can be configured based on the specific needs of each customer.
To support the differing market requirements for security, compliance and cost-efficiency, Cryptomathic’s solutions support the variations of BYOK described above. The deployment, technical capability and legal assurances of such mechanisms depend on which cloud service provider is chosen by your business.
References and Further Reading
- Selected articles on Bring Your Own Key (2017-today), by Matt Landrock, Stefan Hansen, Ulrich Scholten and more
- Selected articles on Key Management (2012-today), by Dawn M. Turner, Guillaume Forget, Peter Landrock, Peter Smirnoff, Stefan Hansen and more
- Selected articles on Key Management in the Cloud (2017-today), by Edlyn Teske, Matt Landrock, Rob Stubbs, Stefan Hansen, Ulrich Scholten, Joe Lintzen and more
- Key Management in the Cloud - Understanding Encryption's Desired Outcomes and Limitations (2020), by the Cloud Security Alliance
- Cloud encryption: Bring Your Own Key is no longer enough (2017), by Matt Landrock
- Cloud Data Security: Who Should Hold the Keys? (2019), by Security Boulevard
- Azure's Hold Your Own Key (HYOK) has been released in preview form (2016), by MSFT.com
- Cloud Security: BYOK vs. KYOK explained (2021), by Data Henrik
- HYOK or BYOK Encryption? A Critical Decision for Cloud Migrations & Multi-Cloud Strategy (2021), by SecuPi
- Key Management in a Multi-Cloud Environment - A blessing or a curse? (2017), by Johannes “Jo” Lintzen
- Buyer’s Guide to Choosing a Crypto Key Management System - Part 1: What is a key management system (2018), by Rob Stubbs
- Buyer’s Guide to Choosing a Crypto Key Management System - Part 2: The Requirement for a Key Management System (2018), by Rob Stubbs
- Buyer’s Guide to Choosing a Crypto Key Management System - Part 3: Choosing the Right Key Management System (2018), by Rob Stubbs
- CKMS Product Sheet (2016), by Cryptomathic