What Are the Security Challenges with BYOK for Hybrid Cloud Users?
This blog was originally published by Unbound Security here.
Written by Lior Levy, Unbound Security.
Refer to Unbound Security's webinar on November 18, 2021 for more information about key management and cryptography.
Moving to the cloud usually brings several advantages, such as flexibility, scalability, and cost-effectiveness. However, it also results in multiple security challenges – the main one being how cryptographic keys are managed between existing infrastructure and across one or more clouds.
To address these challenges, enterprises consuming cloud services should answer two critical questions: “Who is responsible for encryption security – the Cloud Service Provider (CSP) or the organization?” and “Is the key management strategy compliant with government and industry-led regulations?”
This blog will explore how organizations leverage cryptographic control of their most critical data in the cloud and what security considerations should be addressed to avoid the vulnerabilities resulting from the deployment of such technologies.
BYOK: Gaining Proprietorship of Your Keys
CSPs provide a Key Management Service (KMS) that can generate encryption keys on behalf of customers and manage them throughout their lifecycle. The problem with this form of key management is that organizations lack sole control and ownership over the keys, resulting in confidentiality risks and failure to meet compliance or internal security requirements.
Bring Your Own Key (BYOK) comes in to address this issue. It is an encryption key management system that allows organizations to generate their own encryption keys and retain control and management of these keys. However, not in all cases… Depending on the technology’s deployment, businesses can still lose control of their cryptographic keys to the CSP.
The following sections will explore why.
How BYOK Works
BYOK typically allows cloud users to import their own key material. Users can generate the keys using an on-premise or virtual HSM, then upload them to the CSP’s KMS. The upload is usually protected using a public key provided by the CSP.
This customer-generated key is then used to encrypt Data Encryption Keys (DEKs) – not the actual data – generated by the cloud KMS. From there, enterprise applications can use the key by connecting to the CSP’s KMS.
In this setup, the customer can generate their own key. However, this key is then uploaded to the cloud, which gives the CSP full access and control over the key. In the end, all other key management lifecycle processes are taken back to the CSP, meaning that the BYOK deployment has not brought control and management back to the enterprise despite the added complexity.
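The import step and its consequence, as an added Go example (not code from Unbound Security or from any CSP SDK): the customer wraps a locally generated key under the provider's public key, and the provider's unwrap leaves it holding the plaintext key. `CSPImport`, `CustomerWrap` and `RunImport` are hypothetical names; the 2048-bit RSA wrapping key and RSA-OAEP/SHA-256 parameters are assumptions.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// CSPImport is the provider side (hypothetical, not a real SDK): it unwraps the
// upload with its private key, so from here on the CSP holds the plaintext key.
func CSPImport(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// CustomerWrap generates a 256-bit key (the HSM's job in practice) and wraps
// it under the CSP's public key with RSA-OAEP/SHA-256 for upload.
func CustomerWrap(pub *rsa.PublicKey) (key, wrapped []byte, err error) {
	key = make([]byte, 32)
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	return key, wrapped, err
}

// RunImport reports whether the CSP ends up holding the customer's key and
// whether an upload modified in transit is rejected.
func RunImport() (cspHoldsKey, tamperRejected bool) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // assumed CSP wrapping key
	if err != nil {
		panic(err)
	}
	key, wrapped, err := CustomerWrap(&priv.PublicKey)
	if err != nil {
		panic(err)
	}
	bad := append([]byte{}, wrapped...)
	bad[0] ^= 1 // one flipped bit, as corruption or tampering in transit would cause
	_, badErr := CSPImport(priv, bad)
	got, err := CSPImport(priv, wrapped)
	return err == nil && bytes.Equal(got, key), badErr != nil
}

func main() {
	fmt.Println(RunImport())
}
```

The public-key wrap protects the key only on the way in; once `CSPImport` succeeds, the provider side has the same bytes the customer generated.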
BYOK Cryptographic Considerations for Hybrid Cloud Users
There are several considerations that can help organizations deploy BYOK and achieve the desired management capabilities.
Key Management Responsibilities
Key management is basically the process of managing encryption keys throughout their lifecycle. This typically involves key generation, storage, distribution, rotation, use, and deletion. When implementing BYOK, organizations should determine the amount of control the deployment is going to bring.
The ideal situation is to have complete control over the keys if an organization is subject to stringent data access requirements or needs to comply with complex requirements that necessitate having the keys under their supervision.
Controlling Access to Your Keys
If your key is stored and managed in the CSP KMS, the CSP has access to the key and, by extension, your data. This means that the cloud service employees can compromise the data. Even worse, the government can subpoena the cloud service for the encrypted data and the decryption key and prevent them from notifying you about it.
If you have total control over your keys through an external key controller, you will always know whenever your data needs to be accessed. On top of that, you will be able to implement IAM policies to control access to your key store. For example, you can grant and revoke CSP access to your keys (for encryption and decryption) at any time.
A Cloud Agnostic Deployment
The modern-day enterprise is multi-cloud, as the approach enables a combination of better performance and cost savings. While deploying BYOK, it’s crucial to ensure that the setup isn’t reliant on a single cloud. Failure to do that would result in vendor lock-in, which would then negate several benefits of moving to the cloud in the first place.
While BYOK ensures that you can migrate your encrypted data and its keys to the cloud, avoid refactoring your applications to fit a certain CSP. Instead, opt for an intermediary that can communicate with the CSP using a standard protocol like a RESTful API. The intermediary will handle all backend intricacies and ensure you can run your service or application on any cloud that makes the best business case for doing so. Note that this also means avoiding cloud HSMs provided by CSPs such as AWS, as you can’t migrate encryption keys managed there.
BYOK with Cloud KMS vs. External Key Management
BYOK with Cloud KMS allows organizations to bring their own ‘master’ keys to the cloud, but all data is still encrypted using the CSP’s keys. This key management model doesn’t require any specialized skilled resources, and it provides native integration with other services provided by the CSP. However, the CSP remains in control of the encryption keys’ lifecycle management.
External key management eliminates CSP control, and it is implemented by using a supported external key management partner through services such as Google Cloud External Key Manager (Cloud EKM). This key management model allows organizations to store and manage keys outside the CSP’s KMS, gaining total control over the location and distribution of the keys. Organizations can then regulate access to the keys and manage them from a centralized platform.
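The grant-and-revoke control from "Controlling Access to Your Keys" and the external key management model described here, sketched as an added Go example (not Cloud EKM's API or any vendor's code): the CSP stores only a wrapped DEK and must ask the customer's key manager to unwrap it on every use. `ExternalKM`, the `csp-kms` caller name and the AES-256-GCM wrapping are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// ExternalKM is a hypothetical customer-run key manager; the KEK never leaves it.
type ExternalKM struct {
	aead    cipher.AEAD
	Allowed map[string]bool // callers the customer has currently granted
	Audit   []string        // one entry per unwrap request, allowed or not
}

func NewExternalKM(grantee string) *ExternalKM {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	block, _ := aes.NewCipher(kek)  // cannot fail: the key is 32 bytes
	aead, _ := cipher.NewGCM(block) // cannot fail: AES has a 16-byte block
	return &ExternalKM{aead, map[string]bool{grantee: true}, nil}
}

func (k *ExternalKM) Wrap(dek []byte) ([]byte, error) { // the CSP stores only this output
	nonce := make([]byte, k.aead.NonceSize())
	_, err := rand.Read(nonce)
	return k.aead.Seal(nonce, nonce, dek, nil), err // nonce || ciphertext
}

// Unwrap logs every request and releases the DEK only while caller is granted.
func (k *ExternalKM) Unwrap(caller string, blob []byte) ([]byte, error) {
	n, ok := k.aead.NonceSize(), k.Allowed[caller]
	k.Audit = append(k.Audit, fmt.Sprintf("unwrap caller=%s allowed=%t", caller, ok))
	if !ok || len(blob) < n {
		return nil, fmt.Errorf("unwrap refused for %q", caller)
	}
	return k.aead.Open(nil, blob[:n], blob[n:], nil)
}

func main() {
	km := NewExternalKM("csp-kms") // the customer grants the CSP's KMS at setup
	blob, err := km.Wrap([]byte("constructed sample DEK"))
	_, before := km.Unwrap("csp-kms", blob)
	delete(km.Allowed, "csp-kms") // the customer revokes the grant
	_, after := km.Unwrap("csp-kms", blob)
	fmt.Println(err, before, after, km.Audit)
}
```

After the revoke, the wrapped DEK the CSP still holds is unusable, and the audit trail shows both the allowed and the refused request.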
On-Premise vs. Virtual HSM
To bring your keys under total control, you will need to store them in your own HSM, on-prem or virtual. An on-prem HSM provides complete control over your keys and policies as you won’t have any dependency. However, it requires a substantial upfront investment in terms of hardware, skilled personnel, and management software, among others, and it doesn’t support the requirements of modern applications that drive digital services.
A virtual HSM will offer flexible services while providing scalability and on-demand cryptographic services. Third-party virtual HSMs will also facilitate deploying a multi-cloud infrastructure, and they are more suitable for small and medium businesses.
Enhancing BYOK Security & Control in the Cloud
BYOK brings benefits to the organization in terms of confidentiality, control, and compliance. However, organizations need to plan carefully to ensure that their BYOK deployment doesn’t retain management with the CSP. You can do this by using an external FIPS 140-2 Level 2 (and higher) certified key management service to store your cryptographic keys outside the CSP KMS.
To maximize the security of your stored keys and prevent a single point of failure, you can use an external key management service that takes advantage of multiparty computation (MPC). Such a service will split your keys into multiple random shares, and you will still retain control as you can choose where the key shares are located. Since the CSP won’t have the keys and no unauthorized party can access the full key, the organization can keep any data in the cloud no matter how sensitive it is while meeting compliance and governance guidelines.
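How a key can be used while it exists only as shares, as an added Go example (not Unbound Security's protocol or code): a textbook additive split of an RSA private exponent, where each share holder computes a partial result and only the partial results are combined. It uses raw, unpadded RSA purely to keep the arithmetic visible; `SplitExponent`, `Partial` and `JointDecrypt` are hypothetical names and the two-party layout is an assumption.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"fmt"
	"math/big"
)

// SplitExponent splits the RSA private exponent d into two additive shares,
// d1 + d2 ≡ d (mod phi). d1 is uniformly random, so neither share reveals d.
func SplitExponent(key *rsa.PrivateKey) (d1, d2 *big.Int, err error) {
	one := big.NewInt(1)
	phi := new(big.Int).Mul(
		new(big.Int).Sub(key.Primes[0], one),
		new(big.Int).Sub(key.Primes[1], one))
	if d1, err = rand.Int(rand.Reader, phi); err != nil {
		return nil, nil, err
	}
	d2 = new(big.Int).Sub(key.D, d1)
	return d1, d2.Mod(d2, phi), nil
}

// Partial is what one share holder computes on its own: c^share mod n.
func Partial(c, share, n *big.Int) *big.Int {
	return new(big.Int).Exp(c, share, n)
}

// JointDecrypt decrypts with raw (unpadded) RSA without ever assembling d.
func JointDecrypt() (recovered, oneShareIsNotEnough bool) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	d1, d2, err := SplitExponent(key)
	if err != nil {
		panic(err)
	}
	m := new(big.Int).SetBytes([]byte("constructed sample DEK"))
	c := new(big.Int).Exp(m, big.NewInt(int64(key.E)), key.N)
	p1, p2 := Partial(c, d1, key.N), Partial(c, d2, key.N)
	joint := new(big.Int).Mul(p1, p2) // c^d1 * c^d2 = c^(d1+d2) = c^d (mod n)
	joint.Mod(joint, key.N)
	return joint.Cmp(m) == 0, p1.Cmp(m) != 0 && p2.Cmp(m) != 0
}

func main() {
	fmt.Println(JointDecrypt())
}
```

In a deployment the two `Partial` calls would run in different locations chosen by the key owner, so the full exponent is never present on one machine.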
The webinar “Cloud First Cryptography and Virtualization. Securing Fragmented Data.” gives more information about key management and cryptography. Watch live on November 18, 2021, or view the on-demand recording.
About the Author
Lior is the Director of Solution Architecture at Unbound Security. Lior has 20+ years of experience in information security, working with the largest financial institutions and other enterprises worldwide, handling pre-sales, product management, solution architecture and enablement.