This article was featured in Issue 4 of Orbit TRC Magazine, Global Relay’s exclusive publication focusing on Technology, Risk, and Compliance.
Your organization probably uses at least one cloud app or service. Maybe it’s Office 365, Amazon Web Services (AWS), or Global Relay. Organizations entrust their data to cloud service providers (CSPs) to take advantage of the cloud’s many benefits – from performance and ease of use to reliability and cost savings.
What if a CSP could process your data without being able to read it? This is the promise of vendor solutions that give organizations control over the encryption keys used to protect their data. Vendors and industry analysts have adopted a confusing array of acronyms to describe these solutions – BYOE (Bring Your Own Encryption), BYOK (Bring Your Own Key), HYOK (Hold Your Own Key), CYOK (Control Your Own Key), and more.
What do these acronyms mean, how do these solutions work, and how do they affect your risk profile and bottom line? The vendor promises are appealing, but these solutions come with risks and limitations. It’s important to clearly define what outcomes you want to achieve, understand the benefits and trade-offs involved with BYOE, and evaluate a vendor’s security and privacy controls holistically.
Most people are aware of encryption and its role in data security and privacy. It helps to protect confidential data from unauthorized access and is an important line of defense in preventing data breaches.
Encryption keys are used to encrypt and decrypt data. Whoever has the decryption key can view data in a readable format (known as cleartext or plaintext). Key management deals with generating, storing, protecting, using, distributing, and destroying encryption keys. Proper key management ensures that only authorized systems and users can access or decrypt confidential data.
Typically, CSPs hold and manage encryption keys for their customers. BYOK, BYOE, and similar solutions shift the responsibility for key management to the customer.
Demystifying The Acronyms
It’s important to understand that acronyms like BYOK and BYOE are marketing terms, not technical ones. Vendor solutions vary, and there are no generally accepted definitions from standard-setting organizations like the International Organization for Standardization (ISO) or the National Institute of Standards and Technology (NIST).
What connects the acronyms is a focus on key management in the cloud, specifically on using key management to give CSP customers more privacy and control over their data. In this article, I’ll focus on BYOE, where only the customer or an independent third party holds the encryption key. Data is encrypted before it’s sent to the CSP, and the CSP has no access to the key or unencrypted data.
BYOE In Action
To understand BYOE, think of the popular messaging app WhatsApp. Its most attractive privacy feature is its end-to-end encryption. Encryption keys are only stored on the conversation participants’ devices. The sender’s device encrypts the message before sending it, and only the recipient’s device has the key to decrypt it. This means that WhatsApp and its parent company, Meta, have no access to message content.
In enterprise environments, BYOE solutions allow an organization to encrypt data before sending it to a CSP and decrypt it when retrieving it. The encryption keys are stored either in the organization’s data centers or with a different CSP.
What Are The Benefits of BYOE?
BYOE offers three major benefits: control, privacy, and compliance.
1. Control: When compared to a CSP native encryption model, BYOE gives you more control over encryption keys. You can enforce your own policies and procedures in areas like key generation, encryption algorithms, encryption strength, and key destruction.
2. Privacy: You can use BYOE to prevent a CSP from accessing your data in plaintext. This allows you to benefit from the cloud without disclosing your confidential data to a third party. It also provides an additional line of defense against an external data breach.
3. Compliance: You can use BYOE to help you to comply with regulatory, legal, or best practice requirements.
Compliance Implications of BYOE
Some vendors that offer BYOE solutions say that it is a compliance requirement or established best practice. In reality, it’s just one tool that you can use to meet compliance and security requirements.
Many laws and regulations – including the EU General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, and SEC/FINRA regulations – do recommend or require personal and confidential data to be encrypted. But they don’t typically impose key management requirements in cloud environments.
What Are The Best Practices?
There’s no doubt that encryption is a best practice. There are also established best practices around encryption algorithms and strengths, as well as key management activities like key generation, storage, and use. But there is limited independent guidance on BYOE and similar models in cloud environments.
The Cloud Security Alliance (CSA) is one organization that has published guidance on this topic. Its Key Management in Cloud Services: Understanding Encryption’s Desired Outcomes and Limitations provides details on the available models, as well as recommendations for which ones to use. The guidance encourages organizations to clearly define their business needs and understand what encryption can (and can’t) accomplish.
Notably, the CSA recommends using a CSP’s native encryption solution unless you have “clear reasons to use other models.” In other words, the CSP’s native encryption is the best option for many organizations and in many situations. BYOE isn’t a one-size-fits-all solution and shouldn’t be considered the default best practice.
Considering The Risks
BYOE has many potential benefits. But, as everyone knows, there’s no free lunch. By eliminating or mitigating some risks, you create others. BYOE increases cost and complexity, requires more infrastructure and internal expertise, and can degrade performance, scalability, and availability. It also restricts a CSP’s ability to troubleshoot data quality or processing issues.
It also places the heavy responsibility of key management onto your organization. If something goes wrong, your CSP will likely be powerless to help. For example, if your key management infrastructure has an outage, the CSP’s service will no longer function. You could also lose access to your data if your key management solution isn’t sufficiently resilient.
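The flow described under BYOE In Action (encrypt before upload, decrypt after download, keys held only by the customer) and the failure modes described just above (key store outage, key destruction), as an added Go example that is not code from this article or from any vendor it names. The KeyStore type stands in for the customer’s own HSM or KMS, the CSP type for the provider’s object storage, and AES-256-GCM with the object name as associated data is my choice of construction, not a description of any particular product:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyStore stands in for the customer-controlled key store (assumed: an HSM or
// KMS in the organization's own data center, never at the CSP).
type KeyStore struct {
	Keys map[string][]byte
	Down bool // true simulates a key management outage
}

func NewKeyStore() *KeyStore { return &KeyStore{Keys: map[string][]byte{}} }

// GenerateKey creates a random 256-bit AES key that never leaves the customer side.
func (ks *KeyStore) GenerateKey(id string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	ks.Keys[id] = k
	return nil
}

// Get returns a key; it fails during an outage or after the key has been destroyed
// (deleted from Keys), which is exactly when a BYOE customer is on its own.
func (ks *KeyStore) Get(id string) ([]byte, error) {
	k, ok := ks.Keys[id]
	if ks.Down || !ok {
		return nil, errors.New("key unavailable: store down or key destroyed")
	}
	return k, nil
}

// CSP stands in for the provider's storage: object name -> opaque blob, no keys.
type CSP map[string][]byte

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Upload encrypts on the customer side with AES-256-GCM and hands only ciphertext
// to the CSP. The object name is bound in as associated data so a blob cannot be
// silently served under another name. Stored blob layout: nonce || ciphertext || tag.
func Upload(ks *KeyStore, csp CSP, keyID, name string, plaintext []byte) error {
	key, err := ks.Get(keyID)
	if err != nil {
		return err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	csp[name] = gcm.Seal(nonce, nonce, plaintext, []byte(name))
	return nil
}

// Download fetches the blob from the CSP and decrypts it with the customer's key.
// With the key store down or the key destroyed, nobody (CSP included) can read it,
// and a blob that was altered or moved under another name fails authentication.
func Download(ks *KeyStore, csp CSP, keyID, name string) ([]byte, error) {
	key, err := ks.Get(keyID)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	blob := csp[name]
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob missing or too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(name))
}

// CSPSeesPlaintext reports whether the blob the CSP holds contains the plaintext,
// i.e. whether the provider could read the data without the customer's key.
func CSPSeesPlaintext(csp CSP, name string, plaintext []byte) bool {
	return bytes.Contains(csp[name], plaintext)
}
```

The CSP only ever stores the output of Upload, so it can serve, replicate and back up the object but never read it. The same property is what makes the key store a single point of failure: set Down to true or delete the key and Download fails for the customer too, with nothing the provider can do about it. A real deployment would also rotate keys and track which key encrypted which object; that bookkeeping is left out here.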
These risks lead to a contradiction. Your organization likely uses the cloud to benefit from its performance, ease of use, and cost savings. But BYOE can negatively affect all of these benefits.
Evaluating Vendor Controls Holistically
BYOE is just one control that your organization can use to ensure data security, privacy, and control in the cloud. It’s important to assess CSPs holistically, considering all of a vendor’s controls taken together. Controls to consider include:
• Hardware security modules: The gold standard in key management, these physical devices provide unmatched protection for encryption keys. A CSP that uses them can prevent all employees, even the most privileged systems administrators, from accessing customer encryption keys.
• Separation of duties: Following best practices, systems administrators and other operations staff shouldn’t be responsible for key management. This should be assigned to a separate group like the security team.
• Audit logging: All activities, including access by CSP staff, should be logged and auditable.
• Contractual requirements: Vendor agreements should include confidentiality and non-disclosure provisions.
• Key control options: Even if the CSP holds the encryption keys, it may allow customers to perform certain key management activities, such as disabling their key.
To benefit from cloud computing, you have to put a certain level of trust in the CSP. You must still rely on its controls in areas like availability and data integrity even if you choose to use the BYOE model.
When choosing a CSP, all organizations should perform due diligence, understand what’s possible, clearly identify their requirements, and determine whether the CSP has a combination of controls to meet their requirements. BYOE can provide security and privacy benefits, but it’s just one option. Before pursuing a BYOE strategy, you should carefully weigh the benefits against the risks, limitations, and other available options.
Orbit TRC offers a unique blend of perspectives for corporates and regulated entities on the latest developments that impact technology, risk and compliance.