Understanding Cloud Encryption and Key Management – Part 2

Posted: August 25, 2020
Category: Cloud

As organizations go through digital transformation and adopt cloud platforms and SaaS (software-as-a-service) applications, security remains crucial. You have to maintain compliance with regulatory and industry frameworks while navigating the shared responsibility model and the elements of cloud and data security that fall to you rather than to the provider. A big part of effective cloud security is understanding cloud encryption and key management.

This is the second in a 2-part series on cloud encryption and key management. In Part 1, I outlined the range of options available for cloud key management and explained that they sit on a spectrum: the easier an option is to implement and manage, the less protection it provides. Part 1 covered the left end of the spectrum, the cloud encryption options provided or managed by the cloud service provider. Part 2 takes a closer look at the remaining alternatives, all of which give you ownership of, and progressively more control over, your encryption keys.

Bring Your Own Key (BYOK)
Bring Your Own Key (BYOK) uses the cloud provider's native KMS, but with a key that you generate externally and own and control yourself. In practice the key material is wrapped under a public key issued by the provider's KMS and imported, so that only the provider's HSM can unwrap it. There are three primary benefits to BYOK over a key generated by the native KMS. First, you control how the key is generated, so you can vouch for its provenance (for example, generation inside your own HSM with your own entropy source). Second, you keep your own backup of the key material, so you are not dependent on the provider to preserve it. Finally, because you own the key material, you can remove it at any time and block access to the data it protects. Some cloud providers impose a waiting period before a KMS-generated key can actually be deleted, time that leaves your data exposed to unnecessary risk, so check how your provider handles removal of imported key material, since that determines how quickly revocation takes effect. The caveat is that the provider's HSMs still hold and use a copy of the imported key: BYOK changes who generates and backs up the key, not who performs the cryptographic operations.
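To make the import mechanics concrete, here is an added example in Go (not code from the original post or from any provider's SDK). It simulates both sides of a typical BYOK import: the provider issues an RSA wrapping key pair, the customer generates a 256-bit key locally and wraps it with RSAES-OAEP/SHA-256 so that only the provider's HSM can recover it, and the provider unwraps and validates it. The function names, the 2048-bit wrapping key size and the single-key round trip are assumptions for illustration; real import APIs also involve an import token and provider-specific wrapping algorithms.

```go
// Added example (not from the original post or any provider SDK): the
// wrapping step that BYOK key-import flows share, both sides simulated.
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

const customerKeyLen = 32 // importing an AES-256 key

// providerWrappingKeyPair stands in for the RSA pair a cloud KMS generates in
// its HSM for one import request. The private half never leaves the provider;
// the customer downloads only the public half. 2048 bits here for speed; use
// whatever size your provider's import specification requires.
func providerWrappingKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// generateCustomerKey runs on customer-controlled hardware. This is the step
// BYOK takes out of the provider's hands.
func generateCustomerKey() ([]byte, error) {
	key := make([]byte, customerKeyLen)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// wrapForImport encrypts the raw key under the provider's public wrapping key
// with RSAES-OAEP/SHA-256 and an empty label, one of the schemes cloud import
// APIs accept for a key this size (some require a hybrid RSA+AES key wrap
// instead, not shown). Only the matching HSM-held private key can unwrap it.
func wrapForImport(pub *rsa.PublicKey, rawKey []byte) ([]byte, error) {
	if len(rawKey) != customerKeyLen {
		return nil, errors.New("key material must be 32 bytes")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, rawKey, nil)
}

// providerUnwrap is the KMS side: decrypt with the private key and reject
// anything that does not decode to a key of the declared length.
func providerUnwrap(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	raw, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap failed: %w", err)
	}
	if len(raw) != customerKeyLen {
		return nil, fmt.Errorf("unwrapped %d bytes, want %d", len(raw), customerKeyLen)
	}
	return raw, nil
}

// ByokImportRoundTrip runs one import end to end. It returns true only if the
// provider ends up holding exactly the customer's key bytes and the wrapped
// blob is useless under a different import request's key pair.
func ByokImportRoundTrip() (bool, error) {
	importKP, err := providerWrappingKeyPair()
	if err != nil {
		return false, err
	}
	otherKP, err := providerWrappingKeyPair()
	if err != nil {
		return false, err
	}
	raw, err := generateCustomerKey()
	if err != nil {
		return false, err
	}
	wrapped, err := wrapForImport(&importKP.PublicKey, raw)
	if err != nil {
		return false, err
	}
	got, err := providerUnwrap(importKP, wrapped)
	if err != nil {
		return false, err
	}
	if !bytes.Equal(got, raw) {
		return false, nil
	}
	if _, err := providerUnwrap(otherKP, wrapped); err == nil {
		return false, nil // a blob is bound to the wrapping key it was made for
	}
	return true, nil
}

func main() {
	ok, err := ByokImportRoundTrip()
	fmt.Println("BYOK import round trip ok:", ok, "err:", err)
}
```

The point of the round trip is what the provider does and does not get: it receives the key only inside a blob that its own HSM can open, it never sees how the key was generated, and yet once unwrapped it holds a working copy. That is why BYOK improves provenance and independence but still leaves the provider performing the cryptography.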

Bring Your Own Encryption (BYOE)
Organizations that want a higher level of security can take the cloud service provider out of the encryption path entirely. Bring Your Own Encryption (BYOE) gives you end-to-end ownership and control of your data protection: not just the encryption key, but the encryption software and algorithm as well. With BYOE, the data is encrypted before it reaches the provider, and the encryption does not rely on or integrate with any of the provider's native cryptographic services.

Because you control the encryption itself, you choose the algorithm, mode and key sizes rather than accepting the provider's defaults. You can encrypt at the OS or file-system level or inside the application, which protects the data against vulnerabilities in the cloud platform itself and against attacks at the disk or storage layer, since the provider only ever stores ciphertext. For the same reason, BYOE lets you move data between cloud providers, or between cloud and on-premises systems in a hybrid infrastructure, without ever exposing it in the clear: the data is not tied to any one provider's keys. The trade-off is operational. Key generation, distribution, rotation and availability are now your responsibility, and provider features that must read the data (server-side indexing, search, analytics) cannot operate on ciphertext they cannot decrypt.

Hold Your Own Key (HYOK)
The last option on the cloud encryption and key management spectrum is Hold Your Own Key (HYOK). HYOK differs from the other models in that it is not about encrypting the data itself; it is about who holds the key at the top of the hierarchy. With HYOK you maintain your own root of trust, keeping the top-level key on hardware you control, such as an on-premises HSM or an external key manager. These root keys are typically not exportable and are used strictly to wrap and unwrap the other keys your organization uses to encrypt data; the cloud service has to call out to your key manager to use them, never holds them, and can be cut off by you at any time. The flip side is that the availability and latency of your key manager become part of the cloud service's availability, so it needs the same resilience you would demand of the provider. Azure Information Protection and Cloud EKM (External Key Manager) for GCP (Google Cloud Platform) are examples of major cloud platforms embracing HYOK and giving customers more control over their own data and keys.
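The following added Go example (not from the original post) ties the BYOE and HYOK paragraphs together. A RootKey type plays the customer-held root of trust: non-exportable, used only to wrap and unwrap per-object data encryption keys, and destroyable. EncryptObject does application-level encryption with AES-256-GCM before anything reaches the cloud, so the provider stores only ciphertext plus a wrapped key. Destroying the root key then renders every stored object unrecoverable at once, which is the instant-revocation property the BYOK section describes. Type and function names, the use of the object ID as associated data, and the sample record are assumptions for illustration; a production root key would live in an HSM or external key manager, not in process memory.

```go
// Added example (not from the original post): a non-exportable root key that
// only wraps data keys, as in HYOK, over client-side encryption, as in BYOE.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

var ErrKeyDestroyed = errors.New("root key has been destroyed")

// RootKey stands for key material on hardware you control. Callers get Wrap,
// Unwrap and Destroy; there is no way to read the raw bytes back out.
type RootKey struct{ aead cipher.AEAD }

func NewRootKey() *RootKey { return &RootKey{aead: newAEAD(randomBytes(32))} }

// Wrap protects a 32-byte data encryption key (DEK) and binds it to objectID,
// so a wrapped DEK cannot be moved to another object.
func (r *RootKey) Wrap(dek []byte, objectID string) ([]byte, error) {
	if r.aead == nil {
		return nil, ErrKeyDestroyed
	}
	return seal(r.aead, dek, []byte(objectID)), nil
}

func (r *RootKey) Unwrap(wrapped []byte, objectID string) ([]byte, error) {
	if r.aead == nil {
		return nil, ErrKeyDestroyed
	}
	return open(r.aead, wrapped, []byte(objectID))
}

// Destroy drops the root key: every DEK wrapped under it, and every object
// those DEKs protect, is unrecoverable from now on, wherever it is stored.
func (r *RootKey) Destroy() { r.aead = nil }

// EncryptedObject is what the cloud stores; neither field is useful without
// the customer's root key.
type EncryptedObject struct {
	ObjectID   string
	WrappedDEK []byte
	Ciphertext []byte
}

// EncryptObject encrypts in the application with a fresh per-object DEK and
// wraps that DEK under the root key. The provider only ever sees ciphertext.
func EncryptObject(root *RootKey, objectID string, plaintext []byte) (*EncryptedObject, error) {
	dek := randomBytes(32)
	wrapped, err := root.Wrap(dek, objectID)
	if err != nil {
		return nil, err
	}
	ct := seal(newAEAD(dek), plaintext, []byte(objectID))
	return &EncryptedObject{ObjectID: objectID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptObject has to unwrap the DEK first, so a destroyed or withheld root
// key fails the request before any data is touched.
func DecryptObject(root *RootKey, obj *EncryptedObject) ([]byte, error) {
	dek, err := root.Unwrap(obj.WrappedDEK, obj.ObjectID)
	if err != nil {
		return nil, err
	}
	return open(newAEAD(dek), obj.Ciphertext, []byte(obj.ObjectID))
}

// newAEAD builds AES-256-GCM. Every key in this file is 32 bytes, so a
// NewCipher failure is a programming error, hence the panic.
func newAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // only fails for non-128-bit block ciphers
	return aead
}

// seal prefixes a fresh 96-bit nonce to the GCM output; aad is authenticated
// but not encrypted and must match on open.
func seal(aead cipher.AEAD, plaintext, aad []byte) []byte {
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad)
}

func open(aead cipher.AEAD, sealed, aad []byte) ([]byte, error) {
	if n := aead.NonceSize(); len(sealed) >= n {
		return aead.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, errors.New("ciphertext too short")
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to recover from
	}
	return b
}

func main() {
	root := NewRootKey()
	obj, _ := EncryptObject(root, "invoice-2020-08.pdf", []byte("constructed sample record"))
	pt, err := DecryptObject(root, obj)
	root.Destroy() // crypto-shred: the stored ciphertext is inert from here on
	_, err2 := DecryptObject(root, obj)
	fmt.Printf("before destroy: %q %v; after destroy: %v\n", pt, err, err2)
}
```

Two design choices are worth noting. The object ID is passed as GCM associated data both when wrapping the DEK and when sealing the payload, so a wrapped DEK stored with one object cannot be reattached to another. And RootKey exposes no accessor for its bytes: the hierarchy only holds if the root key is used, never copied, which is exactly the property an external key manager is meant to enforce.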

Protecting Data in the Cloud

The cloud provides an array of potential benefits in cost, agility, scalability and performance. To realize them without sacrificing security, you need to understand the shared responsibility model and the spectrum of cloud encryption and key management options available to you. That understanding lets you implement data protection that strikes the right balance between complexity and security and gives you a sound foundation for taking advantage of the cloud.


This blog was written by Victor Mendoza, Senior Cloud Security Consultant at Set Solutions.