Are Your Sensitive Assets in the Cloud Under Your Full Control?
Of all the data elements used in the cloud, cryptographic keys are by far the most sensitive, as they are crucial for performing critical tasks such as data protection and identity and authenticity proof.
Compromise or loss of these keys could have irreversible consequences, such as data loss, mass data theft or erosion of business reputation. Thus, cryptographic key control in the cloud is a fundamental requirement for enterprises, and therefore it becomes a requirement for IaaS and SaaS providers to offer full key control solutions to the customers who demand it.
Despite considerable efforts invested in developing offerings such as BYOK (Bring Your Own Key), HYOK (Hold Your Own Key), and CloudHSM, the current solutions still represent a hard compromise between control and usability.
Full Key Control and Management on the Cloud
You maintain full control of your crypto keys in the cloud
Key material never exists in the clear – anywhere
Real-time, tamper-proof audit log that records ANY key operation
Instant key revocation with the click of a button
No HSM or any hardware appliance needed
Here is how some of our customers use Unbound to CYOK:
The diagram below illustrates the CYOK-hybrid deployment mode. In this mode, it is guaranteed that the keys can never be compromised under any circumstances, even by a rogue adversary in the cloud or a subpoena.
In these examples, a SaaS provider is offering a multi-tenant code signing service in the cloud. They use Unbound Key Control to allow their customers to maintain control of the highly sensitive code signing keys, as shown in two CYOK deployment modes:
CYOK: Each customer is allocated a cryptographically isolated partition on Unbound Key Control (UKC), comprising two UKC nodes, both hosted on the same IaaS. The UKC customer node is controlled by the customer (left), while the SaaS provider node is controlled by the SaaS provider (right), giving the customer full control of their own keys.
CYOK Hybrid: Each customer is allocated a cryptographically isolated partition on Unbound Key Control (UKC). The UKC customer node is controlled by the customer (left), while the SaaS provider node is controlled by the SaaS provider (right). The customer node is on-premise. In this setup, the customer has ultimate control of the signing keys, and it is guaranteed that they cannot be compromised by any adversary in the cloud – not even a subpoena or a rogue admin.
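The two-node split described above, as an added illustration that is not Unbound's code and does not reproduce its protocol (which this page does not describe): a textbook RSA signing exponent is split into two additive shares, one per node, so neither the customer node nor the SaaS provider node ever holds the whole key, a signature needs both nodes' partial results, and the customer revokes by deleting its share. The trusted dealer in `setup()`, the 512-bit demo key size and the node names are assumptions for the example.

```python
import hashlib
import secrets
E = 65537  # RSA public exponent
def is_probable_prime(n, rounds=32):  # Miller-Rabin, enough for a demo key
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True
def gen_prime(bits):  # random prime with p-1 not divisible by E
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if cand % E != 1 and is_probable_prime(cand):
            return cand
class Node:
    """One node of the split-key pair; it never sees the other share."""
    def __init__(self, name, share, n):
        self.name, self.share, self.n = name, share, n
    def partial_sign(self, h):
        if self.share is None:
            raise PermissionError(f"{self.name}: key share revoked")
        return pow(h, self.share, self.n)
    def revoke(self):
        self.share = None  # instant revocation: the share is deleted
def setup(bits=512):
    """Trusted-dealer split (assumption): d = d1 + d2 mod phi(n); d itself
    is discarded, so neither node ever holds the whole private exponent."""
    p, q = gen_prime(bits // 2), gen_prime(bits // 2)
    n, phi = p * q, (p - 1) * (q - 1)
    d1 = secrets.randbelow(phi)
    d2 = (pow(E, -1, phi) - d1) % phi
    return n, Node("customer", d1, n), Node("saas-provider", d2, n)
def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n
def sign(msg, n, customer, provider):
    h = digest(msg, n)  # both partial signatures are required
    return customer.partial_sign(h) * provider.partial_sign(h) % n
def verify(msg, sig, n):  # ordinary RSA verification of the combined value
    return pow(sig, E, n) == digest(msg, n)
```

A production deployment would replace the dealer with distributed key generation so the full exponent never exists anywhere, which is the property the page claims; the split itself is what stops a single compromised node, or a subpoena served on the cloud side alone, from yielding a usable key.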