Bring your own key

What is bring your own key (BYOK)?

Bring your own key (BYOK) is a model that lets public cloud users keep control of the cryptographic keys used in the cloud to secure their data. As public cloud adoption has grown, BYOK has become an option at the major cloud service providers. BYOK enables public cloud users to generate their own high-quality master key locally and transmit it securely to a cloud service provider (CSP), where it protects data in single-cloud and multi-cloud environments. To generate and manage high-quality keys, BYOK relies on FIPS and Common Criteria certified Hardware Security Modules (HSMs) that the cloud user operates on premises or leases as a service.

BYOK enables organizations that migrate to the cloud to achieve:

  • Flexibility, convenience and cost effectiveness
  • Strong control of sensitive data and applications
  • Full visibility into the use of keys in the cloud
  • The highest level of data security, integrity and trust

What is the role of BYOK?

BYOK provides users of public cloud services with the ability to generate cryptographic keys in their own environment and maintain control of these keys, while making them available for use in the cloud of their choice when needed.

How does BYOK work?

CSPs protect their customers’ data in the cloud with strong encryption. The cryptographic key that encrypts the data (the tenant key) is the foundation of cloud storage security. With BYOK, a master key generated by the cloud user wraps (encrypts) the tenant keys held in the CSP’s data centers, so those keys are usable only through the customer’s master key. This gives the cloud user control over the tenant key, ensures it is used only for an authorized purpose and ultimately protects the data in the cloud: if the user withdraws the master key, the wrapped tenant keys, and the data they encrypt, become unreadable to the CSP.
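As an added illustration (not code from this page or from any provider), the following Go program models the BYOK exchange end to end: the provider’s key service holds an RSA wrapping key and publishes the public half, the customer generates a 256-bit master key locally and sends it wrapped with RSA-OAEP (the family of wrapping scheme the major providers’ key-import flows use), the service unwraps it and from then on uses it only to wrap per-object data keys, and revoking the imported material makes every data key wrapped under it unusable. The cloudKMS type, its method names and the AES-GCM data-key wrapping are assumptions made for this example; real provider APIs differ in names and details.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// cloudKMS stands in for the provider's key service (illustrative, not any real KMS API).
type cloudKMS struct {
	kek       *rsa.PrivateKey // provider-held wrapping key; the customer only ever sees the public half
	masterKey []byte          // imported 256-bit customer key; nil before import and after revocation
}

// ImportKeyMaterial unwraps the customer's master key (RSA-OAEP-SHA256); it never leaves the KMS again.
func (k *cloudKMS) ImportKeyMaterial(wrapped []byte) error {
	mk, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, k.kek, wrapped, nil)
	if err != nil || len(mk) != 32 {
		return errors.New("unwrap failed or key material is not a 256-bit key")
	}
	k.masterKey = mk
	return nil
}

// GenerateDataKey returns a fresh per-object data key in plaintext (use, then discard) and wrapped
// under the master key (store beside the ciphertext): this AES-GCM wrapping is the "closed box".
func (k *cloudKMS) GenerateDataKey() (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err == nil {
		wrapped, err = gcmSeal(k.masterKey, plain)
	}
	return plain, wrapped, err
}

// UnwrapDataKey is the only way back to a data key; it fails once the master key has been revoked.
func (k *cloudKMS) UnwrapDataKey(wrapped []byte) ([]byte, error) {
	if k.masterKey == nil {
		return nil, errors.New("key material not imported or revoked")
	}
	return gcmOpen(k.masterKey, wrapped)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal returns nonce || ciphertext || tag under a fresh random nonce.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	_, err = rand.Read(nonce)
	return gcm.Seal(nonce, nonce, plaintext, nil), err
}

func gcmOpen(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if ns := gcm.NonceSize(); len(sealed) >= ns {
		return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
	}
	return nil, errors.New("sealed blob too short")
}

// check aborts the demo on RNG or key-generation failures it cannot meaningfully recover from.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// RunBYOKFlow walks through import, envelope encryption of a constructed record and revocation,
// reporting whether the record round-tripped and whether revocation then blocked unwrapping.
func RunBYOKFlow() (roundTripOK, revokedBlocks bool) {
	kek, err := rsa.GenerateKey(rand.Reader, 2048) // provider: wrapping key pair; the private half stays in the KMS
	check(err)
	kms := &cloudKMS{kek: kek}
	masterKey := make([]byte, 32) // customer: generated locally; an HSM would do this and never release it raw
	_, err = rand.Read(masterKey)
	check(err)
	// customer: wrap the master key under the downloaded public KEK, so only that KMS can unwrap it in transit
	wrappedMK, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &kek.PublicKey, masterKey, nil)
	check(err)
	check(kms.ImportKeyMaterial(wrappedMK)) // sent to the provider in wrapped form only
	record := []byte("constructed sample record: tenant data goes here")
	dataKey, wrappedDK, err := kms.GenerateDataKey()
	check(err)
	sealedRecord, err := gcmSeal(dataKey, record) // tenant encrypts locally with the plaintext data key
	check(err)
	dk, err := kms.UnwrapDataKey(wrappedDK) // later, to read it back: the KMS unwraps, the tenant decrypts
	check(err)
	got, err := gcmOpen(dk, sealedRecord)
	roundTripOK = err == nil && string(got) == string(record)
	kms.masterKey = nil // customer revokes its key material: every data key wrapped under it is now unusable
	_, err = kms.UnwrapDataKey(wrappedDK)
	return roundTripOK, err != nil
}

func main() { fmt.Println(RunBYOKFlow()) }
```

The point to notice is where each secret lives: the master key is generated on the customer side and crosses the network only under the provider’s public wrapping key, the provider never returns it, and deleting it at the KMS is an effective kill switch for all data keys wrapped under it. In a real deployment the customer-side generation and wrapping happen inside an HSM rather than in a Go slice.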

What are some examples of CSPs supporting BYOK?

Leading CSPs that support BYOK include Amazon Web Services (AWS), Google Compute Engine, Microsoft Azure and Salesforce.

How is BYOK different from Hold Your Own Key (HYOK)?

Hold Your Own Key (HYOK) is an option Microsoft offered for keeping the keys to a cloud user’s most confidential data within the user’s own security perimeter. The difference from BYOK is where the key ends up: a BYOK key is imported into the CSP’s key service, whereas a HYOK key never leaves the customer’s premises, so the cloud service cannot decrypt that data at all. Microsoft is replacing HYOK with Double Key Encryption (DKE), which lets cloud users work in hybrid environments with additional levels of protection, control and confidence.

Why do we need a BYOK?

The security of your encrypted data is only as good as the protection of the encryption keys. BYOK gives cloud users the control and confidence they need, whether they use a single cloud provider or a hybrid or multi-cloud strategy. BYOK and the use of an HSM also reduce vendor lock-in, which can otherwise make migrating from one CSP to another difficult. HSMs are designed to prevent an attacker from extracting critical cryptographic keys: the keys live in tamper-resistant hardware rather than in software.

Confluence Security Advisory 2022-06-02

https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html

Confluence Server and Data Center – CVE-2022-26134 – Critical severity unauthenticated remote code execution vulnerability

Atlassian has published an advisory for a critical vulnerability affecting all on-premises instances of Confluence Server and Data Center: an unauthenticated remote code execution vulnerability.

What You Need to Do

There are currently no fixed versions of Confluence Server and Data Center available. In the interim, customers should work with their security team to decide on the best course of action. Options to consider include:

  • Restricting access to Confluence Server and Data Center instances from the internet.
  • Disabling Confluence Server and Data Center instances.

If you are unable to take the above actions, implementing a WAF (Web Application Firewall) rule that blocks URLs containing ${ may reduce your risk. Make sure the rule matches after URL decoding: in a request those two characters may arrive percent-encoded as %24%7B, and a rule that only matches the literal string will miss them. A WAF rule is a stop-gap, not a fix; apply the patched version as soon as one is released.
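The following Go program is an added example (not from Atlassian’s advisory) of the check that such a WAF rule, or a script reviewing access logs for the same pattern, needs to make: it pulls the request target out of constructed access-log lines, percent-decodes it a bounded number of times, and flags any target that contains ${ in literal, encoded or double-encoded form. The log lines, the ContainsExpressionStart and SuspiciousTargets names and the decode limit are made up for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed access-log lines in common log format (not real traffic). Lines 2-4 carry the same
// "${" marker in literal, URL-encoded (%24%7B) and double-encoded (%2524%257B) form.
var sampleLogLines = []string{
	`10.0.0.5 - - [02/Jun/2022:10:00:01 +0000] "GET /pages/viewpage.action?pageId=1 HTTP/1.1" 200 5120`,
	`10.0.0.9 - - [02/Jun/2022:10:00:02 +0000] "GET /${foo}/ HTTP/1.1" 302 0`,
	`10.0.0.9 - - [02/Jun/2022:10:00:03 +0000] "GET /%24%7Bfoo%7D/ HTTP/1.1" 302 0`,
	`10.0.0.9 - - [02/Jun/2022:10:00:04 +0000] "GET /%2524%257Bfoo%257D/ HTTP/1.1" 302 0`,
	`10.0.0.7 - - [02/Jun/2022:10:00:05 +0000] "POST /rest/api/content HTTP/1.1" 200 88`,
}

// requestTarget captures the request target (path plus query) from the quoted request line.
var requestTarget = regexp.MustCompile(`"[A-Z]+ (\S+) HTTP/`)

// ContainsExpressionStart reports whether the request target contains "${", either literally or
// after up to maxDecodes rounds of percent-decoding (nested encoding is a common way to slip past
// a naive string match). A malformed escape sequence is treated as suspicious rather than ignored.
func ContainsExpressionStart(target string) bool {
	const maxDecodes = 3
	s := target
	for i := 0; ; i++ {
		if strings.Contains(s, "${") {
			return true
		}
		if i == maxDecodes {
			return false
		}
		decoded, err := url.PathUnescape(s)
		if err != nil { // malformed escape: fail closed on the encoded form instead of dropping the check
			return strings.Contains(strings.ToLower(s), "%24%7b")
		}
		if decoded == s { // nothing left to decode
			return false
		}
		s = decoded
	}
}

// SuspiciousTargets runs the check over log lines and returns the offending request targets.
func SuspiciousTargets(lines []string) []string {
	var hits []string
	for _, line := range lines {
		if m := requestTarget.FindStringSubmatch(line); m != nil && ContainsExpressionStart(m[1]) {
			hits = append(hits, m[1])
		}
	}
	return hits
}

func main() {
	for _, target := range SuspiciousTargets(sampleLogLines) {
		fmt.Println("block/alert:", target)
	}
}
```

Run as written it reports three of the five constructed lines. The same decode-then-match logic is what a WAF needs in its transformation pipeline before the ${ comparison; matching the raw URI alone catches only the first of the three forms.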

Powerscript for Jira – how to block editing a field or fields for a given role or roles.

Power Scripts™ – Jira script automation
The Power Scripts plugin for Jira is very useful if you want to automate tasks in your Jira projects and save time on repetitive work. Its most important features are automating repetitive tasks and attaching scripts to workflows (post functions and transitions) and to event listeners.

It can be found on the Atlassian Marketplace. Unfortunately it is not free, but the price is very affordable.

Script code

Read more Powerscript for Jira – how to block editing a field or fields for a given role or roles.

How does the VPN work? – A question from the telegram.

My answer today to a question from Telegram – maybe someone will find such a summary of how a VPN works useful 😀

The VPN itself encrypts the data, but which servers I connect to, etc. – does that still go to the ISP?

  • No matter how the VPN is set up, whether it is your own or a purchased one, it should encrypt the data. If you set it up yourself you know how it was configured and you know who has the encryption key; with a purchased VPN, not exactly.
  • As for the ISP: your traffic has to leave the VPN somewhere, so at the exit point, where traffic from the VPN goes out to the world over a “normal” connection, yes – that ISP sees what comes out of you unencrypted, plus your DNS queries.

Read more How does the VPN work? – A question from the telegram.