BYOK For Everyone: Choose Your Own Cloud
By Jon Geater
Last year we hit a turning point in cloud adoption for applications processing sensitive data. According to our latest Ponemon/Thales Global Encryption Trends Study, for the first time more enterprises are sending sensitive data to the cloud than deferring out of fear over security risks.
But at the same time more than half also said control of their encryption keys is vitally important to them, and that they would only use encryption keys they directly control inside their business.
Also according to the study, 61% of survey respondents rated keys for external services – including cloud or hosted services – as the most painful to manage. This is because, as my colleague John Grimm noted in a June 2016 blog, “it requires businesses to tread a careful line between the level of control they are willing to relinquish to the cloud provider, and the trust they must instil in this third party to be able to reap the benefits that the cloud has to offer.”
So how to square this circle? How can more than half export data _and_ encrypt it _and_ retain control of the encryption keys while still managing to retain their sanity? Welcome to the wonderful world of Bring Your Own Key (BYOK).
Thales + AWS (+Vormetric + Salesforce)
Thales is no stranger to BYOK; in fact, it’s a pioneer. In 2015, we, in tandem with Microsoft, enabled enterprises to keep control of keys used in Microsoft Azure. The resulting Microsoft Azure Key Vault with enhanced key controls, enabled by Thales nShield, allows enterprises to safeguard sensitive data, manage keys, and maintain control. If you’re curious about what led to the collaboration, the answers are pretty simple:
- Employees were accessing the cloud from all sorts of devices and all sorts of locations (this shouldn’t be surprising: we live in an always-on world of remote working)
- Many enterprises (some of whom were likely competitors to each other) were storing their master keys in the cloud, and feared what might happen if the keys were lost or stolen or somehow mixed up
Is it any wonder respondents describe key management as more “painful” the further it gets from their local centres?
Fortunately, the Thales BYOK momentum is building and supporting more and more cloud providers. On Thursday, we announced our support for Amazon Web Services’ Key Management Service (AWS KMS). In a nutshell, organizations using AWS KMS will be able to take control of the encryption keys they use in the cloud, and revoke or retire those keys as necessary. This allows them to take advantage of the cloud while keeping the “keys to the kingdom” in-house. I know I mentioned this above, but I cannot underscore enough how hugely important this is. These keys are the root of trust in an enterprise’s entire system – if they are lost, it might not recover its data. If they are stolen, its secrets might not stay secret for long.