BYOK and Leave It

Spending the last few days at the RSA Conference reminds me how much I enjoy interacting with customers (current or potential): people willing to share their point of view and their knowledge of the security challenges they face. Invariably, a theme emerges.

This year, the theme was BYOK (Bring Your Own Key). With cloud providers, BYOK means the customer generates the encryption keys in its own key management system and imports them into the provider's key service, rather than letting the provider generate them; on paper, the customer owns and manages the keys. However, two valid concerns came up regularly: handing the keys off to the cloud provider, and not owning an enforcement point for data access.

After the encryption keys are generated, they must be handed off to the cloud encryption service, which amounts to giving the provider a working copy of the key. (The key material is normally wrapped for transit, but the provider unwraps it on arrival and uses the plaintext key on your behalf.) I am certain that there are many safeguards in place within the cloud encryption service, but the fact remains that this copy is no longer under the control of your key management solution: you cannot see how it is used, and revoking or destroying the key on your side does not, by itself, reach the provider's copy. In essence, your key management solution becomes a mere key generation solution.

Owning the security enforcement point is standard practice in any security architecture. For an encryption solution, it means owning, and not sharing, the ability to allow or revoke access to encrypted data according to policy: every decryption has to pass through a control that you operate. BYOK is inherently a shared-ownership model for encryption keys, so the enforcement point is shared as well.

Meanwhile, the electronic data liability is still yours to keep.
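To make the difference concrete, here is an added Go simulation of the two models described above. It is illustrative code written for this page, not HyTrust code and not any cloud provider's API: the Provider, CustomerKMS, its policy switch and the "customer record" plaintext are all constructed for the demo. In the BYOK path the customer's key manager wraps its key-encryption key (KEK) under the provider's RSA public key (RSA-OAEP, the form cloud key-import APIs commonly accept) and the provider unwraps it to a plaintext copy; in the customer-enforced path the provider holds only ciphertext plus a data key wrapped under the customer-held KEK and must call back into the customer's key manager, which applies policy, before every read. The question each scenario answers is whether the provider can still read the data after the customer revokes access in its own KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// must keeps the demo short; a real service would propagate these errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// AES-256-GCM helpers, used both for data and for wrapping DEKs under the KEK.
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }
func open(key, nonce, ct []byte) ([]byte, error) { return gcm(key).Open(nil, nonce, ct, nil) }
func seal(key, pt []byte) (nonce, ct []byte) {
	g := gcm(key)
	nonce = make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return nonce, g.Seal(nil, nonce, pt, nil)
}

// CustomerKMS (constructed for the demo) owns the KEK and the policy switch gating every unwrap.
type CustomerKMS struct {
	kek     []byte
	allowed bool
}
func NewCustomerKMS() *CustomerKMS {
	kek := make([]byte, 32)
	must(rand.Read(kek))
	return &CustomerKMS{kek: kek, allowed: true}
}

// ExportForBYOK wraps the KEK under the provider's RSA key (RSA-OAEP/SHA-256); only transit is protected.
func (c *CustomerKMS) ExportForBYOK(pub *rsa.PublicKey) []byte {
	return must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, c.kek, nil))
}

// WrapDEK/UnwrapDEK: the customer-enforced model. The provider stores only a
// wrapped DEK and must call UnwrapDEK, which checks policy, before each read.
func (c *CustomerKMS) WrapDEK(dek []byte) (nonce, wrapped []byte) { return seal(c.kek, dek) }
func (c *CustomerKMS) UnwrapDEK(nonce, wrapped []byte) ([]byte, error) {
	if !c.allowed {
		return nil, errors.New("customer policy: data access revoked")
	}
	return open(c.kek, nonce, wrapped)
}

// Provider simulates a cloud key service; after a BYOK import it holds a plaintext copy of the KEK.
type Provider struct {
	rsaKey      *rsa.PrivateKey
	importedKEK []byte
}
func NewProvider() *Provider { return &Provider{rsaKey: must(rsa.GenerateKey(rand.Reader, 2048))} }
func (p *Provider) ImportKeyMaterial(wrapped []byte) {
	p.importedKEK = must(rsa.DecryptOAEP(sha256.New(), rand.Reader, p.rsaKey, wrapped, nil))
}

// ProviderCanReadBYOK: the KEK is handed over via BYOK and data encrypted under it;
// revoking in the customer KMS afterwards leaves the provider's copy untouched.
func ProviderCanReadBYOK(revoke bool) bool {
	cust, prov := NewCustomerKMS(), NewProvider()
	prov.ImportKeyMaterial(cust.ExportForBYOK(&prov.rsaKey.PublicKey))
	nonce, ct := seal(prov.importedKEK, []byte("customer record")) // constructed sample data
	cust.allowed = !revoke // the administrator flips policy; the provider never notices
	_, err := open(prov.importedKEK, nonce, ct)
	return err == nil
}

// ProviderCanReadEnforced: the KEK never leaves the customer KMS; the provider holds
// ciphertext plus a wrapped DEK and must unwrap through the customer's policy check.
func ProviderCanReadEnforced(revoke bool) bool {
	cust := NewCustomerKMS()
	dek := make([]byte, 32)
	must(rand.Read(dek))
	nonce, ct := seal(dek, []byte("customer record"))
	dekNonce, wrappedDEK := cust.WrapDEK(dek) // the provider persists only ct and wrappedDEK
	cust.allowed = !revoke
	plainDEK, err := cust.UnwrapDEK(dekNonce, wrappedDEK)
	if err != nil {
		return false // policy said no: the data stays opaque to the provider
	}
	_, err = open(plainDEK, nonce, ct)
	return err == nil
}

func main() {
	for _, revoke := range []bool{false, true} {
		fmt.Println("revoked:", revoke, " BYOK readable:", ProviderCanReadBYOK(revoke), " enforced readable:", ProviderCanReadEnforced(revoke))
	}
}
```

Running it prints that the BYOK path stays readable whether or not the customer revokes, while the enforced path flips to unreadable the moment the customer's policy says no. The RSA-OAEP wrapping in `ExportForBYOK` is the part people point to when they say BYOK is "secure"; it is, for the network hop, but it says nothing about who controls the key afterwards, which is the post's point.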

HyTrust DataControl is an end-to-end data encryption solution for workloads, including cradle-to-grave key management, and it runs on-premises as well as on your cloud-hosted workloads. Encryption keys never leave the solution, and data access is subject to policies set by security administrators.

Learn more about HyTrust DataControl at http://hytrust.com/products/datacontrol