In this blog, we will delve into BYOK approach to security model of the encryption keys in the cloud. We will also cover how Unbound Key Control can be used to securely enable a multi-cloud strategy for the enterprise.
Cloud Security Model for Cryptography
Enterprises are moving more data into the cloud than ever before (with astonishing 96% adoption rate), in all different types of service models. As the sensitivity of data moving into the cloud increases, security professionals comprehend that there’s no longer a question about whether data should be encrypted. The question today is, who should manage and control the encryption keys?
The primary difference between key management in an enterprise’s data center versus key management in the cloud is ownership and management of the keys. In a traditional data center, all key management functions and tools can be configured and maintained by the enterprise IT team. In cloud environments, there will likely be a shared model or one wholly managed and maintained by the service providers.
Cloud key management processes will largely depend on the type of cloud service in use which will dictate the types of key management available. IaaS cloud providers offer key management services as part of their security offerings. These services are designed to provide a cloud-native experience and are typically pre-integrated with a range of other native services of the respective cloud vendor for ease of use. At the same time, the CSP manages the customers’ keys while customers have limited or no control over their keys. In addition, customers are bound to the features and usage limitations of the service and cannot use the keys for general purpose crypto needs.
Bring your own key (BYOK) encryption services enable businesses to retain a certain level of control over access to their encrypted data. When companies have concerns about how their data is shared, a BYOK service is one basic way to mitigate the risk of unintentional or undesired exposure.
BYOK refers to a cloud security model that enables customers to use their own encryption keys. BYOK schemes utilized by various Cloud Service Providers (CSP) provide the user possibility to upload their encryption keys to the native cloud key management systems (KMS). This operation is performed in a secure manner, while wrapping the encryption keys with a public key, generated within the cloud KMS. The uploaded encryption key is unwrapped at the KMS with the corresponding private key and then can be used with various native CSP applications. Such setup is particularly useful when the customer migrates an existing encrypted database to the cloud, wising to continue using the original encryption keys. At the end, BYOK uploaded the keys to the CSP infrastructure, hence the enterprise forfeited control of these keys, as the CSP now has full access and control over these keys.
Major CSPs have support for BYOK, reflecting the demand for this common security practice of storing the keys in an on-prem location, within the perimeter of the enterprise, and allowing the service provider to use them by importing the keys in a secure manner to the CSP native key management service.
Some customers using the service may be perfectly happy having the CSP manage all aspects of encryption. Small businesses, for example, may not have the expertise on staff or the time needed to dedicate to in-house key management. In such cases, relying on a storage provider may be a better option for maintaining a chosen level of security.
Organizations subject to industry and government regulations with particularly stringent data access requirements or need to comply with legal requirements to have keys under their supervision, may want to retain more control over their data and encryption keys. In such cases, these businesses may not want a storage provider holding the key that could unlock their data.
BYOK provides better security than KMS since it allows companies to continue using their existing encryption keys in the cloud. However it has serious shortcomings, since the added complexity doesn’t add more control, as at the end of the process the CSP has full access and control over the enterprise encryption keys. Having said that, for many cloud services this is the best you can get currently. To learn how to gain full control over encryption keys in the cloud read about Unbound Control Your Own Key (CYOK) concept.
Unbound Key Control Enhancing Key Security in the Cloud
Unbound Key Control (UKC) allows to protect the cryptographic material within it’s secure boundaries, while supporting BYOK to all CSPs that have this feature – Amazon AWS, Microsoft Azure, Google Cloud Platform and IBM Cloud.
As illustrated in the following figure, the process starts with creating an exportable encryption key in UKC. Next, there is a need to obtain the private key from the CSP and to import it to the UKC. Afterwards, we wrap the master key with CSP public key in UKC and export the wrapped key from the UKC. Later, there is a need to import the wrapped key to CSP native key management service, setting it up as the data key for a certain cloud service.
Enablement of Multi-Cloud Strategy
Most enterprises are using more than one IaaS vendor, while 85% of the multi-cloud organizations are managing up to 4 clouds, and are experiencing difficulties with multi-cloud management due to the vendor lock-in carried out by the CSPs native key management services.
UKC can be deployed across entire decentralized hybrid and multi-cloud and geo-distributed environments without disrupting existing application workflows. Using a unified UKC cluster allows securely managing all crypto keys across all sites and across all workloads from one centralized system with a single pane of glass. It is essential for the enterprise the ensure that key management isn’t done in silos and prevent vendor lock-in.