Your data is secure, but who holds the key?

A closer look at Bring Your Own Key (BYOK) and Hold Your Own Key (HYOK) key management models

Cyber criminals are zoning in on South Africa, largely attributed to both the fast rise in cloud adoption and the slower uptake of sophisticated cyber security measures.

At the same time, local companies face the need to innovate and improve customer experience and comply with increasingly stringent regulations, which leads to new data security challenges.

When implementing (or improving) a cyber security strategy, companies must decide on how to approach the encryption and decryption of their data.

This is a particularly critical decision and can be likened to choosing who to entrust with the key to your house, containing your most valuable possessions.

Frans Marx, Business Development Manager for CyberTech, a division of Altron, believes that strong partnerships are imperative. “Cloud providers will follow best practices to protect your data and offer you a secure solution as far as their capability and technology allows,”

“But as the subscriber and data owner, you are ultimately responsible for your data. And your customers will hold you, not your cloud provider, accountable should something happen to their personal data.”

For this reason, there’s been a move away from ‘normal’ cloud-based encryption, which sees cloud providers generate, manage and store the keys that are used to encrypt and decrypt data.

Says Marx, “This is similar to leaving the key to your house in the lock; once access to your house is gained, breaking in is relatively easy. If a malicious third-party gains access to the database, they would find all sensitive information in one place, including the cryptographic key”.

Instead, cloud providers are increasingly advocating for ‘Bring your own Key’ and ‘Hold your Own Key’ encryption models.

Bring Your Own Key (BYOK) Explained

In a ‘Bring Your Own Key’ model the cryptographic key is generated on-premise in the client’s own Hardware Security Module (HSM). After cryptographic protection is applied to the key, it is then transferred to the cloud service provider.

While the cloud provider cannot ‘recover’ the key, modify permissions, or view the key, the key is stored in the cloud and the cloud provider could use it to decrypt the client’s data. “This could be compared to giving your key to a house-sitter – you may trust them, but if something goes wrong, it is still ultimately your responsibility,” explains Marx.

For some organisations, BYOK provides an acceptable level of security, but for those dealing with particularly sensitive data, or for highly regulated industries, this simply isn’t enough.

Hold Your Own Key (HYOK) Explained

Cloud service providers have made it possible for companies to retain complete control of their cryptographic key at all times. Here, they can generate it, manage it remotely, and store it in their own environment, this is known as a ‘Hold Your Own Key’ model. In this scenario, the cloud provider does not have access to the key at all.

This ability to ‘Hold Your Own Key’ – or decide which trusted ‘key custodians’ should have access – means that the key is completely separated from the database, and that all encryption and decryption work is done separately, with the client’s own HSM hardware. So, instead of leaving the key to your house in the lock, you are entrusting it to only a few, close, trusted people within the household.

“It’s far more reassuring to know that in the event of an attack on your database via your cloud service provider, your decryption key – and therefore your data – is completely safe,” Marx notes.

“Ultimately, this approach benefits both the customer and the cloud service provider. It mitigates risk for both parties”.

And, rather than the key being accessible to all authorized company users, in a HYOK scenario, it’s only provided to authorized users on a strict “need-to-know” basis. This removes the risk of any potential in-house malicious threats or negligence.

Choosing an HSM (Hardware Security Module)

Whether one opts for a BYOK or HYOK approach, it is important to select an appropriate HSM solution. According to Marx, there are several factors to consider, including:

• Using a solution that provides key management architecture without “locking you in” to a specific HSM vendor, such as Security World key management by nCipher;
• Deciding whether to host your HSM in-house and on-premises or to host it with your cloud provider (who will ensure it is stored separately from your database);
• Opting for “HSM as a Service” – the subscription option for “renting” an HSM and paying a monthly fee, rather than purchasing it;
• Technical considerations – different HSMs are designed for different purposes and provide different levels of performance, at different costs, for different scales. Marx explains that an HSM for a financial organisation for example, needs a high-performance HSM because of the fast turnarounds required during transactions.

To conclude, Marx says that in a world in which ‘data is gold’ and cyber-attacks are becoming shrewder and more frequent, it makes sense to work with reputable, specialized service providers and consultants. “They can provide guidance on critical decision making and can develop a tailored cyber security strategy that will adapt alongside the evolving threat landscape.”