Cloud Data Centers Need Encrypted Lock Boxes

Bring-your-own-key (BYOK) is a solution in which the end user enterprise, rather than the cloud service provider (CSP) or vendor, controls the encryption keys.

Ambuj Kumar is CEO and Co-founder of Fortanix.

For the past several years we have seen many countries create data residency laws, some of which require all government-related data to be stored locally, while others require all consumer data to be stored locally. European Union countries, as well as Russia, China, Brazil and India, are the major proponents of such laws.

It is not an easy task to satisfy data residency requirements. On the one hand, strict residency laws, motivated by cybersecurity concerns, can hinder cloud productivity. Modern IT infrastructure relies on economies of scale: for example, a self-driving car may use artificial intelligence software that trains itself on a large amount of training data. The more data that is available to the software, the better the software becomes, which in turn makes it easier to contribute more data for training. This process is critical for the success of many cloud applications, from financial transactions to customer relationship management and search engines.

A true hallmark of the internet era has been the free movement of data, leading to concerns as to whether residency laws will hinder the development of cloud infrastructure and software. However, if technology is used to secure the data and minimize the chances of data getting into the wrong hands, residency laws might actually increase data sharing, which would ultimately create new use cases.

A general approach taken by many cloud application developers has been to store data locally to satisfy residency laws while using encryption to keep the data secure. This makes securing the encryption keys essential. Allowing customers to keep the encryption keys means that they can get the benefit of using third-party data centers without sacrificing control or security, or falling afoul of data residency requirements.

Bring-your-own-key (BYOK) is a solution in which the end-user enterprise, rather than the cloud service provider (CSP) or vendor, controls the encryption keys. Enterprises may store the keys locally and make them available to the CSP’s software when needed. The end-user enterprise can thus benefit from the services offered by the CSP while literally holding the keys to its data and controlling who and what software can use the data. It’s like a lockbox being stored remotely and protected. Before someone can open the lockbox, the person must contact you to gain access. If approved, the user can temporarily gain access with the key remotely over the air!

BYOK has continued to gain traction. Customers store their keys locally and thus avoid a cloud lock-in situation in which they are dependent on a particular cloud provider. This requirement is especially important for enterprise customers who operate across the globe both in the public cloud and on-premises, and who want a central source of truth and control.

The downside of BYOK and enterprises keeping keys locally is technological complexity and integration challenges. However, using a modern solution that offers the flexibility and ease of use of modern-era software with HSM-grade security can minimize these challenges.

Any time an enterprise shares with or brings its key to a cloud vendor, care must be taken to ensure the key itself is secure while the vendor’s applications use it. An attack (either external or from a malicious insider) on the vendor may leave all its users vulnerable.
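As an added illustration of the lockbox model described above and of keeping the master key out of the vendor's hands while its software uses the data (example code, not Fortanix's or any CSP's implementation): the enterprise-side custodian keeps the key-encryption key, hands approved CSP software only a wrapped per-record data key, and can revoke that software at any time. The cipher is a constructed HMAC-SHA256 stand-in so the code runs on the Python standard library alone; the software names and the lease length are assumptions.

```python
import hmac, hashlib, secrets, time
# Constructed stand-in cipher (HMAC-SHA256 keystream, encrypt-then-MAC, separate subkeys) so
# this runs on the standard library alone; a real deployment would use AES-GCM or AES key wrap in an HSM.
def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(ek, nonce, data):
    stream = b"".join(hmac.new(ek, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    return nonce + ct + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def open_sealed(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):            # reject tampering or a wrong key
        raise ValueError("ciphertext failed authentication")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

class EnterpriseKeyCustodian:
    """Enterprise-held lockbox: the key-encryption key (KEK) never leaves it; approved CSP
    software gets only a short-lived data key (DEK), and every decision is audited."""
    def __init__(self, approved_software, lease_seconds=300):   # assumed lease length
        self._kek = secrets.token_bytes(32)          # stays on enterprise premises
        self.approved, self.lease_seconds, self.audit = set(approved_software), lease_seconds, []
    def _authorize(self, requester, action):
        ok = requester in self.approved
        self.audit.append((requester, action, "granted" if ok else "denied"))
        if not ok:
            raise PermissionError(f"{requester} is not approved to {action}")
    def revoke(self, software):                      # enterprise pulls access at any time
        self.approved.discard(software)
    def new_data_key(self, requester):
        self._authorize(requester, "create-key")
        dek = secrets.token_bytes(32)
        return dek, seal(self._kek, dek)             # CSP persists only the wrapped copy
    def unwrap(self, requester, wrapped_dek):
        self._authorize(requester, "unwrap-key")
        return open_sealed(self._kek, wrapped_dek), time.time() + self.lease_seconds

def csp_store(custodian, software, record):   # CSP side: keep only wrapped DEK + ciphertext
    dek, wrapped = custodian.new_data_key(software)
    return wrapped, seal(dek, record)

def csp_read(custodian, software, wrapped, ciphertext):   # CSP side: DEK is unwrapped per request
    dek, _expires_at = custodian.unwrap(software, wrapped)
    return open_sealed(dek, ciphertext)
```

The CSP's stored state (wrapped DEK plus ciphertext) is useless without a granted unwrap, so a breach of the vendor alone does not expose the enterprise's data.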

The advantage of third-party vendors keeping the keys is that enterprises are not locked in with a particular cloud. The enterprises can use any cloud that works best for them considering latency, functionality, and geographic factors. Additionally, separating keys from cloud providers helps achieve a sort of separation of church (security) and state (cloud service provider).

Opinions expressed in the article above do not necessarily reflect the opinions of Data Center Knowledge and Informa.

Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena.
