The intricacies of Bring Your Own Encryption (BYOE)
Giving cloud end-users the flexibility to apply their own encryption solves many of the problems around privacy, but there are lots of factors for enterprises to consider before making the move
This year’s steady drumbeat of major data breaches, Snowden disclosures, and other cyber-attacks is causing all sorts of businesses to look well beyond compliance requirements to what it will take to protect themselves and their customers from additional risks. As such, Bring-Your-Own-Encryption (BYOE) looks like a very strong trend – cloud providers want an increasing amount of flexibility around implementing encryption and, at the very least, want the ability to enable their customers to maintain control of their own encryption keys.
The main drivers for BYOE
Before we look at the challenges and opportunities that BYOE affords cloud hosting providers, it is important to understand the main drivers for the heightened level of security (and reduced risk) that go with BYOE. These are: compliance with standards, risk of breaches, protection of intellectual property (IP), and, lastly, contractual requirements. In the first instance, any organisation that has compliance requirements – such as PCI DSS – will need to fully meet those requirements and ensure a segregation of roles by user type, or provide for what are called 'compensating controls' if allowed. Secondly, increasing reports of cyber-attacks, along with governments around the globe introducing harsher penalties for loss of personal information, add further weight to the arguments for the encryption of cloud data.
Organisations with critical information, the loss of which could fundamentally damage their business – typically aerospace, defence, financial or manufacturing – need the strongest data assurance solutions available. But these solutions must not impede their ability to take advantage of the scalability and flexibility that the cloud model brings. For cloud providers whose customers are in one of the areas mentioned above, it is not unusual to be required to encrypt data to the same standards as that customer applies to their own data. Indeed, this stipulation is frequently passed through as a contractual requirement for doing business.
How it works
To understand how BYOE works, there are two typical implementation scenarios to consider from an end user perspective. In the first, the end user manages their encryption keys within the cloud environment. In the second, the end user manages encryption keys away from the cloud provider’s premises, in the end user’s own data centre or other environment.
In both cases, the cloud provider does not usually manage the keys or set the encryption and access policies, which means there is less possibility that a compromise of the cloud provider’s architecture or physical infrastructure by a third party could compromise data. That said, a compromise of a cloud provider’s account might be leveraged to access the key and policy management environment, and then used to get access to data.
It’s important to bear in mind that case one still leaves open an area that many organisations worry about, and that’s legal access to data by court order. A court order received by a cloud provider (in whatever physical jurisdiction any data actually resides) could compel the cloud provider to hand over access to encryption management environments, which could ultimately give access to end user data – all without the end user’s knowledge.
Case two is more secure, in that the management environment is within the end user’s direct control. The end user controls physical and logical access to the encryption management and policy within its own local environment, rather than managing it within the cloud. As only the accounts and/or processes that an end user grants data access to will have that data decrypted for them, this approach reduces the chances of compromises at the cloud provider, or of legal action against the cloud provider forcing them to hand over data.
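The case-two arrangement as an added sketch, not code from the article or from any vendor: a hypothetical `CustomerKeyManager` stands for the key and policy environment in the end user's own data centre, and a plain dict stands for the cloud provider's storage. The cipher is a standard-library stand-in (HMAC-SHA256 keystream with encrypt-then-MAC); production code would use AES-GCM from a vetted library.

```python
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stdlib stand-in for a real cipher (use AES-GCM in practice):
    # HMAC-SHA256 run in counter mode as a keystream generator.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class CustomerKeyManager:
    """Hypothetical key and policy manager running in the customer's own data centre."""

    def __init__(self):
        self._enc_key = secrets.token_bytes(32)   # never sent to the provider
        self._mac_key = secrets.token_bytes(32)
        self._granted = set()                     # principals allowed to decrypt

    def grant(self, principal: str) -> None:
        self._granted.add(principal)

    def encrypt(self, plaintext: bytes) -> bytes:
        nonce = secrets.token_bytes(16)
        body = bytes(a ^ b for a, b in zip(plaintext, _keystream(self._enc_key, nonce, len(plaintext))))
        tag = hmac.new(self._mac_key, nonce + body, hashlib.sha256).digest()
        return nonce + body + tag                 # encrypt-then-MAC layout

    def decrypt(self, principal: str, blob: bytes) -> bytes:
        # Policy check first: only granted accounts/processes get plaintext.
        if principal not in self._granted:
            raise PermissionError(f"{principal} has no decrypt grant")
        nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self._mac_key, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ciphertext failed integrity check")
        return bytes(a ^ b for a, b in zip(body, _keystream(self._enc_key, nonce, len(body))))


def demo():
    km = CustomerKeyManager()
    km.grant("svc-billing")                       # constructed principal name
    # The dict models provider-side storage: it only ever receives ciphertext.
    cloud_store = {"invoice-1": km.encrypt(b"constructed customer record")}
    return km, cloud_store
```

Anything the provider can be made to hand over is limited to the contents of `cloud_store`; the keys and the grant list exist only inside the customer-run manager.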
When BYOE is not supported
However, it is crucial to understand that there are some scenarios where BYOE is not supported. SaaS applications (for the most part) cannot allow you to own the encryption of data. The SaaS providers have not yet implemented the technologies that would let customers hold their own keys and still have full functionality. There are half-way solutions (cloud gateways), but these frequently use unsupported interfaces or simply do 'screen scraping' (and so require frequent updates and changes as the SaaS environment changes), or they disable much of the search or other SaaS functionality because the SaaS environment cannot see decrypted information. As such, organisations need to closely review the tradeoffs inherent in these approaches, and ultimately decide when it is possible to make use of SaaS offerings based on compliance and risk, as well as the functionality available.
As with all technology, it is important to remember that not all organisations have a need for it, such as those that simply do not process sensitive information – though there are increasingly few of these as personal information becomes an increasingly valuable commodity on the black market. Also, smaller organisations without the IT staff available to properly manage BYOE may rule the technology out. As such, for an organisation considering whether BYOE would suit its operations, it is important to conduct a careful evaluation of all alternatives that can work within its cloud deployment models and fall within its IT management capabilities. Any solution chosen must also work with your legacy data centre environments and provide favourable overhead costs and TCO.
Ultimately, before considering whether BYOE is for you, identifying what needs protecting and understanding who is accessing your data is crucial. If you are planning to limit BYOE to critical assets – like production instances, but not the development and test environments – identifying all the locations and data that need protecting can be difficult, but it is an essential first step. BYOE will invariably mean that businesses can confidently transition their operations to the cloud, enabling them to take control of their data protection responsibilities regardless of whether a public, private or hybrid cloud implementation is in place.
Sourced from Sol Cates, CSO, Vormetric