Neha Patil (Editor)

Bring your own encryption


Bring your own encryption (BYOE), also called bring your own key (BYOK), is a cloud computing security model that lets cloud service customers use their own encryption software and manage their own encryption keys. BYOE allows customers to run a virtualized instance of their own encryption software alongside the business applications they host in the cloud in order to encrypt their data. The hosted business application is configured so that all of its data passes through the encryption software, which writes only the ciphertext to the cloud service provider's physical data store. This gives the enterprise full control over its own keys: it generates its own master key in its internal hardware security module (HSM), and that key is then transmitted to an HSM within the cloud. The data is secured because the master key is held in the enterprise's HSM and not in the cloud service provider's.

History

The term BYOE or BYOK was coined in 2014, a year dubbed the "Year of Encryption" and the "Year of Bring Your Own Encryption", following the rise of the term bring your own device (BYOD) in 2011. The idea of BYOE arose in the wake of Edward Snowden's revelations, when it became clear that even the most securely stored data might be exposed by a government order or writ demanding disclosure of its contents. BYOE was conceived to protect the secrecy of an enterprise's sensitive information held in a third party's data store against such convoluted legal issues, whereas in the past enterprises had been more concerned with the security issues between the cloud service provider and themselves.

Balancing security against practicality

Two lessons have been learned that show the need to strike a balance between security and practicality (or efficiency), as security remains one of the largest issues.

The two lessons learned over the years concern the human context and the natural tendencies of people in security technology matters. First, the human context should always be considered in security technology, because problems often arise from human weaknesses; cyber threats exploit the fact that people are easily confused by complicated security matters. Second, because of natural human tendencies, a person must never rely on instinct when placing trust in security matters. Instinct often leads to more cyber attacks, so regardless of how trustworthy a source appears, instinct should never be used to evaluate particular information.

Reduction of risks

BYOE greatly reduces the risk of data leakage in cloud storage. It lets the owning company change its encryption keys itself. With endless possible key combinations, the company's data is better shielded against a single bug or hacking attack.

Data ownership and responsibility

With their own tenant keys, ownership of the data lies solely with the owner, and government agencies cannot obtain the information from cloud computing providers (CCPs) directly. Even if a provider does hand data to a government agency, the data remains in encrypted form, so the provider cannot be deemed to have invaded the data owner's privacy. Anyone who wants the encrypted data must request access directly from its owner, which gives the owner time and room to hire lawyers and negotiate what is to be handed over to the requesting party.

Secured migration

BYOE facilitates a more secure migration from one CCP to another. There is no absolutely clean migration, because deleting a file from the cloud does not mean it is completely wiped from the server's hardware. The only way to ensure a truly clean migration is for the company to hold its own key, which prevents the CCP from accessing the residual encrypted data. The company's data remains safe and locked even after the migration.
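As an added example (not part of the original article), the following Go program models the arrangement described in the introduction and the migration point above: the master key lives in a simulated customer HSM, the provider's store receives only ciphertext plus a per-object data key wrapped under that master key, and destroying the master key makes any residual ciphertext left at the old provider unreadable. The names CustomerHSM, StoredObject, Encrypt and Decrypt are this example's own, and the envelope layout (a data key wrapped by the master key) is a common BYOK pattern assumed here rather than taken from the article.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// CustomerHSM stands in for the enterprise's own HSM: the master key (KEK) is made here and
// never leaves it; Destroy drops it, so every DEK wrapped under it becomes unreadable for good.
type CustomerHSM struct{ kek cipher.AEAD }
func NewCustomerHSM() *CustomerHSM { return &CustomerHSM{kek: mustAEAD(randBytes(32))} }
func (h *CustomerHSM) Destroy()    { h.kek = nil }
// StoredObject is all the provider ever stores: nonce-prefixed AES-GCM ciphertext plus
// the per-object data key (DEK) wrapped under the customer's master key.
type StoredObject struct{ Ciphertext, WrappedDEK []byte }
// Encrypt is the customer-controlled encryption layer in front of the hosted application.
func Encrypt(h *CustomerHSM, pt []byte) (StoredObject, error) {
	if h.kek == nil {
		return StoredObject{}, errors.New("master key destroyed")
	}
	dek, n1, n2 := randBytes(32), randBytes(12), randBytes(12)
	return StoredObject{mustAEAD(dek).Seal(n1, n1, pt, nil), h.kek.Seal(n2, n2, dek, nil)}, nil
}
// Decrypt succeeds only for the HSM that holds the wrapping master key.
func Decrypt(h *CustomerHSM, obj StoredObject) ([]byte, error) {
	if h.kek == nil || len(obj.WrappedDEK) < 12 || len(obj.Ciphertext) < 12 {
		return nil, errors.New("master key unavailable or object malformed")
	}
	dek, err := h.kek.Open(nil, obj.WrappedDEK[:12], obj.WrappedDEK[12:], nil)
	if err != nil {
		return nil, err // another tenant's key or a tampered wrap: no DEK, no data
	}
	return mustAEAD(dek).Open(nil, obj.Ciphertext[:12], obj.Ciphertext[12:], nil)
}
// mustAEAD is AES-256-GCM (12-byte nonce) for a key this code generated itself.
func mustAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}
func randBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // since Go 1.24, crypto/rand.Read never returns an error
	return b
}
```

A second tenant's HSM, or the original HSM after Destroy, fails at the unwrap step and never reaches the ciphertext, which is what makes the residual data at a former provider worthless.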

Inability to support all applications

BYOE cannot support all kinds of applications, for example Software as a Service (SaaS) applications. Most SaaS applications do not allow a customer to control the encryption of its data, because SaaS providers have not advanced far enough in letting their clients hold their own keys.

Key management

Furthermore, the greatest challenge of BYOE lies in key management, as noted by HyTrust Chief Architect Steve Pate. Companies must be competent at managing their own encryption keys to ensure that encrypted data can be read again. Besides being straightforward, a key management solution must be readily available whenever a server requests a key. At the same time, the key management server must be secured so that staff in the company's own data centres can never obtain the keys.

Global standard

For BYOE to become a practical solution, a global standard cloud security platform is also needed, so that any encryption offering can be registered for support by that platform. If the industry cannot ensure that users choose their encryption from a set of globally standardised platforms, BYOE can be as disruptive as BYOD.

Cloud encryption began in a disorderly fashion, with some cloud service vendors providing it and others not. Some early encryption offerings locked customers in and were poorly integrated, and some encryption schemes belonged solely to a specific vendor. In many cases where encryption was provided, the cloud provider held the keys, which created a controversial problem for the enterprise and led many end users to lose trust in cloud providers. The trend began to shift toward the view that when encrypted data is stored or processed in the cloud, the end users should be the ones controlling the keys.

Both Amazon and Microsoft offer cloud-hosted key management systems, Amazon KMS and Microsoft Azure Key Vault, but both focus on key management rather than on providing a way to encrypt customer data. Thales has come forward to assist Microsoft Azure in creating BYOK services for its cloud applications, adding confidence for Microsoft Azure cloud users.

Businesses have also spotted the opportunity to provide new services, one of which is Key Storage as a Service (KSaaS). Dark Matter Labs introduced a new division, KeyNexus, in September 2013, a secured cloud encryption key management service for Amazon Web Services. This independent platform allows companies to store their keys on a platform separate from their data storage while retaining sole control over the keys. The enterprise storage and collaboration company Box also announced a new service, Box Enterprise Key Management, that allows enterprises to use their own encryption keys to encrypt data in Box. Other cloud storage services that provide encryption are SpiderOak, Wuala, Tresorit and MEGA.
