BYOK (Bring Your Own Key) for clouds and regional compliance

Security professionals are tasked with:

  • assuring the security of their company’s assets and services,

  • maintaining compliance with a continuously evolving interpretation of the regulatory and compliance landscape, and

  • doing so cost-effectively.

Clearly, this is a challenging task. The March 12, 2021 ruling by the Conseil d’Etat – France’s highest administrative court – is a perfect example of the balancing act that must be achieved. Fortunately, solutions exist to make this balancing act more manageable.

An excellent write-up on the case is available at iapp: Why this French court decision has far-reaching consequences for many businesses. Rather than re-hash those details, I’d like to focus on one of the following three primary factors in the court’s decision to allow continued operations and services:

  • Legal safeguards

  • Technical safeguards

  • Other guarantees taken

Technical Safeguards: No Encryption Key Access By The Cloud Provider

The judge noted that data hosted by AWS is encrypted, and the key is held by a trusted third party in France, not by AWS. This implementation detail provided technical assurance that AWS could not give U.S. authorities access to clear text, even if AWS were legally compelled to do so.

Of course, there were many other contributing factors to the court’s ruling that this solution was not in violation of GDPR and Schrems II. But this was a crucial factor and one of the few under the control of the security professionals responsible for assuring both security and compliance.

Bring Your Own Key

Bring Your Own Key (BYOK) is one of the common terms used to describe the model where data is hosted by a cloud service provider (CSP) but the keys required to access the encrypted, cloud-hosted data are hosted and controlled by a party that is completely independent of the CSP. This party may be the client responsible for the data or a trusted third party.

BYOK introduces critical security and operational benefits:

  • The CSP never has visibility into or access to the keys: This eliminates the risk that the CSP could be legally compelled to turn over data, and the risk of a rogue or compromised CSP administrator using their access to keys to gain access to clear text.

  • Separation of the lock and key: Encrypted data and encryption keys are stored in different domains, under different administrative control for security best practices.

  • Common key management across multiple clouds: The same BYOK solution can provide and protect keys used across multiple CSPs, enterprise locations, and distributed end-users.

MPC and BYOK

Secure multiparty computation (MPC) is a form of cryptography that is particularly useful for creating, protecting, and managing cryptographic keys. Secure MPC is also ideal for facilitating BYOK services across single, multiple or hybrid clouds.

Our recent blog, Secure MPC for Agile Enterprise Key Management, provides a general introduction to MPC and its role in key management. The short version is that MPC allows you to spin up one or multiple virtual key management systems in the form of distributed virtual machines. No single machine ever creates or has visibility into a complete key, which mitigates the risk that compromising any single machine yields access to a complete key.

Ideally, the virtual KMS is distributed across multiple locations, under different administrative domains. These locations may be local to your premises, or in private or public clouds. In fact, a common approach is to host different virtual machines in different public clouds, each under different administrative controls, so that no single cloud, machine, or administrator could become corrupt or compromised to yield access to a complete cryptographic key.
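The property described above, that no node ever creates or sees the complete key, can be illustrated with a toy XOR secret sharing scheme (added example, not the product’s or any vendor’s protocol; the `ShareHolder` class, node names and the 32-byte sample record are all hypothetical). Each node generates its own share locally and the data is passed through the nodes in turn, so it ends up masked by the full key without that key ever being assembled; a real MPC KMS applies the same idea to non-linear operations such as AES or signing, which this one-block XOR toy does not attempt.

```python
import os

KEY_LEN = 32  # 256-bit key, matching a typical data-encryption key size


class ShareHolder:
    """One virtual KMS node (hypothetical). It generates its own random share
    locally; the complete key is the XOR of all shares and exists nowhere."""

    def __init__(self, name: str, key_len: int = KEY_LEN):
        self.name = name
        self._share = os.urandom(key_len)  # created here, never exported

    def apply(self, block: bytes) -> bytes:
        """XOR this node's share into one block. The block visits every node,
        so the final output is masked by the full key."""
        if len(block) != len(self._share):
            raise ValueError("block must be exactly one key length")
        return bytes(b ^ s for b, s in zip(block, self._share))


def distributed_xor(nodes, block: bytes) -> bytes:
    """Run the block through every node. Because XOR is associative, the result
    equals block XOR (s1 ^ s2 ^ ... ^ sn), i.e. masking with the complete key,
    without any node holding it. Applying the same pipeline again unmasks."""
    for node in nodes:
        block = node.apply(block)
    return block


def compromised_node_view(node: ShareHolder, ciphertext: bytes) -> bytes:
    """What an attacker who seizes a single node's share learns: the ciphertext
    masked by one share, which is still uniformly random to them."""
    return node.apply(ciphertext)


def demo():
    # Three nodes in different administrative domains (constructed names).
    nodes = [ShareHolder(f"kms-{loc}") for loc in ("eu-west", "eu-central", "on-prem")]
    plaintext = b"32-byte record stored at the CSP"  # constructed sample, 32 bytes
    ciphertext = distributed_xor(nodes, plaintext)   # what the CSP stores
    recovered = distributed_xor(nodes, ciphertext)   # all nodes cooperate
    partial = compromised_node_view(nodes[0], ciphertext)  # one node breached
    return plaintext, ciphertext, recovered, partial


if __name__ == "__main__":
    p, c, r, partial = demo()
    print("round trip ok:", r == p, "| single share recovers data:", partial == p)
```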

The ability to spin up new instances of a virtual KMS in different geographies makes it an ideal option for providing localized BYOK services, each with local hosting and control for regulatory compliance and data sovereignty. The nature of the BYOK services allows the KMS to be used across one or multiple clouds within a given geography, providing the ideal balance of security, compliance, and economics.