BYOK: A key to better cloud security, but is it for you?

In the fight to keep ahead of canny cyberattackers, CISOs can be forgiven for sometimes hoping there's a magic tool that will push them one step ahead of the enemy. The latest of these is an encryption technology dubbed "bring your own key," which could become essential as more organizations allow data to be held in the less-than-ideally-secure cloud.

The idea is simple: A user organization holds the encryption keys for its own cloud data. The advantage: Keys are uploaded directly to the enterprise and the cloud service never sees them. The idea has some movement behind it, with initiatives from Microsoft (Key Vault, which integrates with Azure Active Directory), Amazon (Cloud HSM for EC2 and S3 instances) and Adobe (as part of Creative Cloud). Coming soon is a customer-supplied encryption key service from Google Compute Engine, now in beta.

But writer Mary Branscombe points out in this article for CSO Online that so-called BYOK may really be suitable only for organizations that have the maturity and skill for key management. After all, if you lose the keys, you lose all data encrypted under the system.

A Microsoft official notes that CISOs will have to set up and manage vaults — which may require buying a hardware security module (HSM) card or appliance to generate HSM-backed keys — run their own quorums for administrators' smart cards and PINs, and store those smart cards in the right place. That's not for many security teams.

And, he warns, they'd have to run a highly available, fault-tolerant, distributed data centre service to issue keys. Otherwise, imagine the damage a mere denial-of-service attack could do.

At the moment BYOK seems to be a solution that won't see widespread adoption. But as with any new technology, as it matures we will likely see ways in which more CISOs can consider adopting it.

Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
