In cloud computing, the owner of the data has no direct control over it and is forced to rely on the cloud service provider to keep it safe from unauthorized access. The most commonly accepted solution for protecting information residing in clouds is to encrypt it. The problem with data encryption is that it not only prevents unauthorized users from accessing the data but also adds complications to using the data for legitimately authorized users. Suppose a company hosts its data in encrypted form on a cloud service provider’s (CSP) infrastructure. In that case, it needs some effective form of decryption that does not make it difficult for users to use the data and applications, or negatively affect their user experience. Many cloud providers offer their customers the option to keep their data encrypted, giving them tools to make decryption transparent and unnoticed by authorized users. However, any robust encryption scheme requires encryption keys. And when the data encryption is carried out by the same CSP that holds the data, the encryption keys are also held by that CSP. So, as a customer of a CSP, you cannot have full control over your data, since you cannot trust that your CSP will keep the encryption keys completely safe. Any leakage of these keys could leave your data completely exposed to unauthorized access.
Why you Need BYOE
BYOE (bring your own encryption) may also be referred to as BYOK (bring your own keys), although as these are fairly new concepts, different companies may give each acronym a different meaning. BYOE is a security model specifically tailored to cloud computing, which allows cloud service customers to use their own encryption tools and manage their own encryption keys. In the BYOE model, customers of a CSP deploy a virtualized instance of their own encryption software, along with the application they host in the cloud. The application is configured in such a way that all its information is processed by encryption software. This software encrypts the data and stores it in the form of ciphertext in the cloud service provider’s physical data repository. An important advantage of BYOE is that it allows companies to use cloud services to host their data and applications while complying with data privacy criteria imposed by regulators in certain industries. Even in multi-tenant, third-party environments. This approach allows companies to use the encryption technology that best meets their needs, regardless of the cloud service provider’s IT infrastructure.
Benefits of BYOE
The main benefits you can get from using BYOE are:
Increased security of data hosted on third-party infrastructures. Full control of data encryption, including algorithm and keys. Monitoring and access control as an added value. Transparent encryption and decryption so as not to affect the data usage experience. Possibility to strengthen security with hardware security modules.
It is commonly believed that it is enough for information to be encrypted to be safe from risk, but this is not the case. The level of security of encrypted data is only as high as the security of the keys used to decrypt it. If the keys are exposed, the data will be exposed, even if it is encrypted. BYOE is a way to prevent the security of the encryption keys from being left to chance and the security implemented by a third party, i.e. your CSP. BYOE is the final lock on a data protection scheme that would otherwise have a dangerous breach. With BYOE, even if your CSP’s encryption keys are compromised, your data will not be.
How BYOE Works
The BYOE security scheme requires the CSP to offer its customers the option to use their own encryption algorithms and encryption keys. To use this mechanism without affecting the user experience, you will need to deploy a virtualized instance of your encryption software alongside the applications you host on your CSP. Enterprise applications in the BYOE scheme must be configured so that all the data they handle passes through the encryption application. This application sits as a proxy between the front and back end of your business applications so that at no time is data moved or stored unencrypted. You must ensure that the back end of your business applications stores a ciphertext version of your data in the physical data repository of your CSP.
BYOE Versus Native Encryption
Architectures that implement BYOE offer greater confidence in the protection of your data than native encryption solutions provided by CSPs. This is made possible by using an architecture that protects structured databases as well as unstructured files and big data environments. By using extensions, BYOE’s best-of-breed solutions allow you to use the data even during encryption and rekeying operations. On the other hand, using the BYOE solution to monitor and log data access is a way to anticipate threat detection and interception. There are also BYOE solutions that offer, as an added value, high-performance AES encryption, enhanced by hardware acceleration, and granular access control policies. In this way, they can establish who can access data, at what times, and through which processes, without the need to resort to specific monitoring tools.
Key Management
In addition to using your own encryption module, you will need encryption key management (EKM) software to manage your encryption keys. This software allows IT and security administrators to manage access to encryption keys, making it easier for companies to store their own keys and keep them out of the hands of third parties. There are different types of encryption keys depending on the type of data to be encrypted. To be truly effective, the EKM software you choose must be able to deal with any type of key. Flexible and efficient encryption key management is essential when companies combine cloud systems with on-premises and virtual systems.
Hardening BYOE with an HSM
A hardware security module, or HSM, is a physical security device used to perform cryptographic operations quickly and with maximum security. Such cryptographic operations include encryption, key management, decryption, and authentication. HSMs are designed for maximum trust and robustness and are ideal for protecting classified data. They can be deployed as PCI Express cards, stand-alone devices with Ethernet network interfaces, or simply external USB devices. They have their own operating systems, specially designed to maximize security, and their access to the network is protected by a firewall. When you use an HSM in combination with BYOE, the HSM takes on the role of a proxy between your business applications and your CSP’s storage systems, taking care of all the necessary cryptographic processing. By using the HSM for encryption tasks, you ensure that these tasks do not impose annoying lags on the normal operation of your applications. In addition, with an HSM you minimize the chances of unauthorized users interfering with the management of your keys or encryption algorithms.
In Search of Standards
When adopting a BYOE security scheme, you should look at what your CSP can do. As we have seen throughout this article, for your data to be truly secure in a CSP’s infrastructure, the CSP must ensure that you can install your own encryption software or HSM along with your applications, that the data will be encrypted in the CSP’s repositories, and that you and no one else will have access to the encryption keys. You may also explore some best cloud access security broker solutions to extend the organization’s on-premise security systems.
