In the fight to keep ahead of canny cyberattackers, CISOs can be forgiven for sometimes hoping there’s a magic tool that will push them one step ahead of the enemy. The latest of these is an encryption approach dubbed “bring your own key” (BYOK), which could become essential as more organizations allow data to be held in the less-than-ideally-secure cloud.
The idea is simple: the user organization generates and holds the encryption keys for its own cloud data, rather than relying on keys the cloud provider creates and keeps. The advantage: the keys originate with the enterprise, and the cloud service never handles them in the clear. The idea has some momentum behind it, with offerings from Microsoft (Azure Key Vault, which integrates with Azure Active Directory), Amazon (AWS CloudHSM, for EC2 and S3 workloads) and Adobe (as part of Creative Cloud). Google Compute Engine’s customer-supplied encryption keys are coming soon and now in beta.
But, as writer Mary Branscombe points out in this article for CSO Online, so-called BYOK may really be only for organizations with the maturity and skill for key management. After all, if you lose the keys, you lose all the data encrypted under them, and there is no provider-side recovery to fall back on.
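To make the key-custody claim above concrete, and the point about lost keys, here is an added example in Go; it is not code from the article, from CSO Online or from any of the providers named. It models one common BYOK import flow: the provider publishes the public half of a key-exchange key (KEK), the customer wraps a locally generated AES key under it with RSA-OAEP, the provider unwraps only inside its HSM, and every later encryption or decryption is requested by key id without the key ever leaving that boundary. It then shows what key loss looks like from the provider’s side: once the customer revokes or loses the key, the ciphertext the provider still holds cannot be opened. The `HSM` struct (a plain struct standing in for real hardware), the `importLabel` value, the key ids and the sample record are assumptions for the example; real services add their own blob formats and checks on top of this.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

var importLabel = []byte("byok-key-import") // OAEP label; assumed value for this example

// HSM stands in for the provider's hardware security module. The KEK private half and
// every imported tenant key stay inside it; the service only asks it to use a key by id.
type HSM struct {
	kek  *rsa.PrivateKey
	keys map[string][]byte // tenant key id -> raw AES key, never returned to callers
}

func NewHSM() (*HSM, error) {
	kek, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &HSM{kek: kek, keys: map[string][]byte{}}, nil
}

func (h *HSM) ExportKEK() *rsa.PublicKey { return &h.kek.PublicKey } // only the public half ever leaves

// WrapTenantKey runs on the customer's side: the tenant key is generated on premises
// and leaves only inside an RSA-OAEP envelope, so the upload carries no usable key.
func WrapTenantKey(kek *rsa.PublicKey, tenantKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, kek, tenantKey, importLabel)
}

// ImportWrapped unwraps inside the HSM and rejects anything that is not an AES key.
func (h *HSM) ImportWrapped(id string, wrapped []byte) error {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, h.kek, wrapped, importLabel)
	if err != nil {
		return fmt.Errorf("import %q: unwrap failed: %w", id, err)
	}
	if n := len(key); n != 16 && n != 24 && n != 32 {
		return fmt.Errorf("import %q: not an AES key (%d bytes)", id, n)
	}
	h.keys[id] = key
	return nil
}

func (h *HSM) aead(id string) (cipher.AEAD, error) {
	key, ok := h.keys[id]
	if !ok {
		return nil, fmt.Errorf("key %q not present: data under it is unrecoverable", id)
	}
	block, _ := aes.NewCipher(key) // cannot fail: length was validated at import
	return cipher.NewGCM(block)
}

// Encrypt seals an object with AES-GCM under the tenant key; the nonce is prepended.
func (h *HSM) Encrypt(id string, plaintext, aad []byte) ([]byte, error) {
	g, err := h.aead(id)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

func (h *HSM) Decrypt(id string, sealed, aad []byte) ([]byte, error) {
	g, err := h.aead(id)
	if err != nil {
		return nil, err
	}
	if len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

func (h *HSM) Destroy(id string) { delete(h.keys, id) } // customer revokes, or loses, the key

func main() {
	provider, _ := NewHSM()
	tenantKey := []byte("0123456789abcdef0123456789abcdef") // stands in for a key from the customer's own HSM
	wrapped, _ := WrapTenantKey(provider.ExportKEK(), tenantKey) // the only thing uploaded
	if err := provider.ImportWrapped("tenant-a/k1", wrapped); err != nil {
		panic(err)
	}
	aad := []byte("bucket/object1") // binds the ciphertext to its storage location
	sealed, _ := provider.Encrypt("tenant-a/k1", []byte("customer record"), aad)
	pt, _ := provider.Decrypt("tenant-a/k1", sealed, aad)
	provider.Destroy("tenant-a/k1")
	_, err := provider.Decrypt("tenant-a/k1", sealed, aad)
	fmt.Printf("decrypted: %s; after destroy: %v\n", pt, err)
}
```

The design point is the boundary: `WrapTenantKey` is the only step that runs on the customer’s side, and the raw key appears in the provider’s process only inside `ImportWrapped`, which in a real deployment is the HSM firmware. The AAD ties each ciphertext to its object path, so a blob copied to another location fails to open; and the final `Decrypt` after `Destroy` is exactly the “lose the keys, lose the data” outcome the article warns about.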
A Microsoft official notes that CISOs will have to set up and manage key vaults, which may mean buying a hardware security module (HSM) card or appliance to generate HSM-backed keys, run their own quorums of administrator smart cards and PINs, and keep those smart cards somewhere safe. That’s beyond many security teams.
And, he warns, they’d have to run a highly available, fault-tolerant key-issuing service distributed across data centers. Otherwise, imagine the damage a mere denial of service attack could do: if the key service is unreachable, nothing encrypted under its keys can be read, so a customer-run key service becomes a single point of failure for every cloud workload that depends on it.
At the moment BYOK seems to be a solution that won’t see widespread adoption. But, like any new technology, as it matures we will likely see more ways for CISOs to adopt it.