Control Your Own Key (CYOK) in the Public Cloud

The secure-as-hardware software solution that lets you fully control your cryptographic keys in the public cloud  


Are Your Sensitive Assets in the Cloud Under Your Full Control?

Of all the data elements used in the cloud, cryptographic keys are by far the most sensitive, as they are crucial for critical tasks such as protecting data and proving identity and authenticity.

Compromise or loss of these keys can have fatal, irrevocable results such as data loss, mass data theft or erosion of business reputation. Cryptographic key control in the cloud is therefore a fundamental requirement for enterprises, which in turn requires IaaS and SaaS providers to offer full key control solutions to the customers who demand it.

Despite considerable efforts invested in developing offerings such as BYOK (Bring Your Own Key), HYOK (Hold Your Own Key), and CloudHSM, the current solutions still represent a hard compromise between control and usability.

Full Key Control and Management on the Cloud

Based on its innovative vHSM technology, Unbound Key Control (UKC) fully abstracts key management in the cloud. UKC is the first to allow SaaS and IaaS customers to keep full control of their cryptographic keys, while maintaining full functionality of their applications and services in the cloud.

You maintain full control of your crypto keys in the cloud

Key material never exists in the clear – anywhere

Real-time, tamper-proof audit log that records ANY key operation

Instant key revocation with the click of a button

No HSM or any hardware appliance needed

How to Control Your Keys in the Cloud

Sign Up for a 30 Day Trial in Azure

Here is how some of our customers use Unbound to CYOK:

The diagram below illustrates the CYOK-hybrid deployment mode. In this mode, it is guaranteed that the keys can never be compromised in any event, even by a rogue adversary in the cloud or a subpoena.

[Diagram: Control Your Own Key 1]

In these examples, a SaaS provider is offering a multi-tenant code signing service in the cloud. They use Unbound Key Control to allow their customers to maintain control of the highly sensitive code signing keys, as shown in two CYOK deployment modes:

CYOK: Each customer is allocated a cryptographically isolated partition on Unbound Key Control (UKC), which is composed of two UKC nodes, both hosted on the same IaaS. The UKC customer node is controlled by the customer (left), while the SaaS provider node is controlled by the SaaS provider (right), giving the customer full control of their own keys.

CYOK Hybrid: Each customer is allocated a cryptographically isolated partition on Unbound Key Control (UKC). The UKC customer node is controlled by the customer (left), while the SaaS provider node is controlled by the SaaS provider (right). The customer node is on-premises. In this setup, the customer has ultimate control of the signing keys, and it is guaranteed that they cannot be compromised by any adversary in the cloud – not even a subpoena or a rogue admin.

[Diagram: Control Your Own Key 2]
