What is bring your own key (BYOK)?
Bring your own key (BYOK) is an approach that allows public cloud users to keep control of the cryptographic keys used in the cloud to secure their data. As public cloud adoption has grown, BYOK has come to be supported by all major cloud services. BYOK enables public cloud users to generate their own high-quality master key locally and securely transmit it to a cloud service provider (CSP) to protect data in multi-cloud environments. To generate and manage high-quality keys, BYOK uses FIPS- and Common Criteria-certified Hardware Security Modules (HSMs) that the cloud user either operates locally or leases as a service.
BYOK enables organizations that migrate to the cloud to achieve:
- Flexibility, convenience and cost effectiveness
- Strong control of sensitive data and applications
- Full visibility into the use of keys in the cloud
- The highest level of data security, integrity and trust
What is the role of BYOK?
BYOK provides users of public cloud services with the ability to generate cryptographic keys in their own environment and maintain control of these keys, while making them available for use in the cloud of their choice when needed.
How does BYOK work?
CSPs protect their customers' data in the cloud with robust encryption. The cryptographic key that encrypts the data (the tenant key) is the basis of cloud storage security. With BYOK, a master key generated by the cloud user wraps the tenant keys, which effectively creates a closed box around them inside the CSP's data centers. This gives the cloud user control over the tenant key, ensures it is used only for authorized purposes, and ultimately protects the security of the data in the cloud.
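The key hierarchy described above, together with the secure transmission of the master key mentioned in the opening answer, as an added Go example that is not part of the original page and is not any CSP's product code. It models the flow with standard-library primitives only: the customer-side master key is wrapped under a hypothetical KMS import key pair with RSA-OAEP (newKMSImportKey, importWrap and importUnwrap are constructed names), the imported master key then wraps a fresh per-object tenant key with AES-GCM, and Decrypt takes a policyAllows flag that stands in for the cloud key policy. The "byok-import" OAEP label, the key ID cmk-0001 and the sample record are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed model of the BYOK key hierarchy; it is not any CSP's real import API.
// newKMSImportKey stands in for the CSP-side import key pair a KMS publishes for BYOK.
func newKMSImportKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// importWrap protects the master key in transit with RSA-OAEP(SHA-256) under the
// CSP's import public key, so only the KMS holding the private key can recover it.
func importWrap(kmsPub *rsa.PublicKey, master []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, kmsPub, master, []byte("byok-import"))
}

// importUnwrap is the KMS-side counterpart, run after the upload.
func importUnwrap(kmsPriv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, kmsPriv, blob, []byte("byok-import"))
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal is AES-GCM with a fresh random nonce prepended to the ciphertext.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key, wrong AAD or tampered bytes fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// EnvelopeRecord is all the CSP persists: the tenant key exists only in wrapped form.
type EnvelopeRecord struct {
	KeyID            string // which imported master key wrapped the tenant key
	WrappedTenantKey []byte // AES-GCM(master, tenantKey), bound to KeyID through the AAD
	Ciphertext       []byte // AES-GCM(tenantKey, data)
}

// Encrypt wraps a one-time tenant key under the master key and encrypts the data with it.
func Encrypt(master []byte, keyID string, data []byte) (*EnvelopeRecord, error) {
	tenantKey := make([]byte, 32)
	if _, err := rand.Read(tenantKey); err != nil {
		return nil, err
	}
	wrapped, err := seal(master, tenantKey, []byte(keyID))
	if err != nil {
		return nil, err
	}
	ct, err := seal(tenantKey, data, nil)
	if err != nil {
		return nil, err
	}
	return &EnvelopeRecord{KeyID: keyID, WrappedTenantKey: wrapped, Ciphertext: ct}, nil
}

// Decrypt is the KMS unwrap, then data decryption. The policy check is the customer's
// control point: denying unwrap, or deleting the master key, leaves the record unreadable.
func Decrypt(master []byte, policyAllows bool, rec *EnvelopeRecord) ([]byte, error) {
	if !policyAllows {
		return nil, fmt.Errorf("unwrap of %s denied by key policy", rec.KeyID)
	}
	tenantKey, err := open(master, rec.WrappedTenantKey, []byte(rec.KeyID))
	if err != nil {
		return nil, fmt.Errorf("unwrap tenant key %s: %w", rec.KeyID, err)
	}
	return open(tenantKey, rec.Ciphertext, nil)
}

func main() {
	master := make([]byte, 32) // generated on the customer side, inside an HSM in practice
	rand.Read(master)
	kmsKey, _ := newKMSImportKey()
	blob, _ := importWrap(&kmsKey.PublicKey, master) // the only form that crosses the network
	imported, _ := importUnwrap(kmsKey, blob)
	rec, _ := Encrypt(imported, "cmk-0001", []byte("constructed sample record"))
	pt, err := Decrypt(imported, true, rec)
	fmt.Printf("%q %v\n", pt, err)
}
```

Storage ends up holding only WrappedTenantKey and Ciphertext. Anyone with access to the stored record but not to the master key, or whose unwrap request the policy denies, gets an authentication failure rather than plaintext, which is the "closed box" the answer above describes. Real CSP import procedures differ in detail (wrapping algorithm choices, import tokens and their expiry); this model keeps only the RSA-OAEP transport step.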
What are some examples of CSPs supporting BYOK?
Leading CSPs that support BYOK include Amazon Web Services (AWS), Google Compute Engine, Microsoft Azure, and Salesforce.
How is BYOK different from Hold Your Own Key (HYOK)?
Hold Your Own Key (HYOK) is an option offered by Microsoft to manage the most confidential data of cloud users within their own security perimeter. Microsoft is replacing HYOK with Double Key Encryption (DKE), which enables cloud users to take advantage of hybrid environments with additional levels of protection, control and confidence.
Why do we need BYOK?
The security of your encrypted data is only as good as the protection given to the encryption keys. BYOK gives cloud users the control and confidence they need, whether they deploy a single cloud provider, a hybrid strategy, or a multi-cloud strategy. BYOK together with an HSM lets cloud users avoid vendor lock-in, which can otherwise make it difficult to migrate from one CSP to another. HSMs are specifically designed to keep an attacker from extracting critical cryptographic keys by holding them in a tamper-proof location rather than in software.