Bring Your Own Key (BYOK)
Cloud Key Management
Due to the major benefits in flexibility, scalability, and cost reductions, organizations of all sizes are consistently migrating their information technology infrastructure to public cloud platform. While these benefits are well-understood, there are also several security and compliance implications that organizations must consider, as they pose a risk to their proprietary or confidential data.
In a typical cloud platform, secret keys are generated and managed directly by the cloud platform’s cryptographic environment. While this does establish a high degree of security, when the organization lets the cloud provider manage their cryptographic keys, that organization loses control over these keys and thus, their ability to migrate to a different provider should they need to. This also presents a major risk to the organization, as there are limited capabilities for the organization to back up their cryptographic keys. If an outage at the cloud provider leads to the loss of those secret keys, there is no way for the organization to recover their encrypted data.
Furthermore, if the cloud provider directly manages an organization’s cryptographic keys, local employees could access the organization’s sensitive data if proper oversight and controls are not in place. If the local organization is issued a legal order, they are left with no choice but to comply and hand over the organization’s keys.
To address these challenges, many organizations are seeking out a Bring Your Own Key (BYOK) solution, where they can provide and manage their own encryption keys used by the cloud service providers.
With BYOK, organizations can encrypt data inside cloud services with their own keys. This applies most frequently to public clouds such as AWS, Google Cloud Platform, Azure, or in cloud service offerings such as Salesforce.
This ensures organizations that their compliance and reporting requirements are fully addressed, with keys being generated within a FIPS 140-2 Level 3 hardware security module (HSM).
Additionally, it ensures cryptographic keys are generated using a sufficient source of entropy and are protected from disclosure. In typical cloud environments, keys are cryptographically wrapped before transmission to the cloud providers.
BYOK functions through the CLI/API that each cloud provider has developed. These interfaces allow for programmatic management of the organization’s portion of the cloud platform, which fully automates the cloud infrastructure.
An HSM can leverage these APIs to securely generate and distribute the customer-defined keys over a secure channel between their key management platform and the HSM. This enables one-click transfer of the customer defined keys with zero configuration or manual work.
Using the cloud provider’s REST API, the HSM will generate a new empty key object, request an RSA public import key, generate new symmetric or asymmetric working keys, and wrap them with the import key. Once transmitted to the cloud provider, the key will be decrypted with the corresponding private key and decrypted for secure storage.
Keys are generated within the organization’s own HSM, are exported, and are then imported into the cloud provider’s HSM. This ensures data portability and mitigates concerns over vendor lock-in from cloud providers.
With BYOK, organizations retain control of their cryptographic keys, including the ability to generate, distribute, archive, and revoke them. This allows organizations that require more precisely defined rotation policies to control when key rotation occurs. As more advanced resources become available, organizations can replace an old or weak cryptographic algorithm.
In the case of a disaster or emergency, the HSM acts as the authoritative source of all key material. Copies of the cloud cryptographic keys allow organizations to maintain their own disaster recovery plans. If an outage at the cloud provider occurs, an organization has the ability recover their encrypted data.
Additional cryptographic reporting is available in BYOK, including full audit trails, key histories, and usage reports.
Before deploying a BYOK solution, an organization must ensure they have a cloud provider that supports importing externally generated keys. Most public cloud providers support these capabilities.
It’s important to note that with BYOK, the cloud provider still retains a copy of the cryptographic keys in order to natively interface with the ciphertext – either to encrypt the clear data being secured on the cloud platform, decrypt data when requested by the organization’s applications, or re-encrypt ciphertext under a new key for key rotation.
If the organization prefers not to leave a copy of the cryptographic keys with the cloud provider, they will need to deploy a Bring Your Own Encryption (BYOE) solution instead. Through BYOE, the HSM acts as a proxy between the organization and the cloud provider storage solution, handling all cryptographic processing directly. As opposed to BYOK, BYOE typically requires HSMs supporting high throughput rates.
In order to describe the process of BYOK within Futurex’s Hardened Enterprise Security Platform, the Futurex KMES Series 3 will be used as an example.
Futurex’s cloud key management platform is powered by the KMES Series 3, a robust, easy-to-use solution for managing large volumes of keys, certificates, and other cryptographic objects. The KMES is compliant with all major security standards for HSMs including PCI HSM and FIPS 140-2 Level 3.
The KMES Series 3 is powered by a high-performance cryptographic module and has the capability to rapidly generate symmetric secret keys and asymmetric PKI through its easy-to-use interface and API. The process of creating keys can be fully automated, so once the functionality is set up within the host system, an organization can be on its way to secure data storage and reduced compliance scope and cost.
After the initial setup, the KMES Series 3 is ready for the key transfer.
The KMES Series 3 allows organizations to maintain control of keys within the platform and also includes full management, monitoring, and reporting of keys used by the cloud provider. Organizations can maintain an inventory of all cryptographic keys whether they are on the organizations’ premises or remotely hosted within a cloud platform.
The KMES Series 3 can also monitor the health and validity for the cloud hosted keys. If at any point keys expire or reach the end of their service life, the KMES Series 3 can send alerts well in advance of issues that may affect production traffic and availability.
Best practices dictate that cryptographic keys are rotated at regular intervals. There are several reasons for this, the most significant being to:
The KMES Series 3 assists with key rotation management by defining automated rotation policies, in addition to monitoring the health of all cryptographic keys. This means that depending on the policy of the organization, the KMES Series 3 can generate new symmetric or asymmetric keys, establish and authenticate to the cloud platform, and import new keys under a unique RSA import key. Once these processes are completed, the application may then use the new old key to decrypt the existing ciphertext and any new ciphertext will be available to the applications.
In the history of modern cryptography, there have been repeated instances where cryptographic algorithms have been weakened or broken and major industry shifts have resulted. Historically, these transitions were complex, time-consuming, and expensive for organizations deploying or designing cryptosystems. Algorithm transition over time is to be expected, and techniques used within the KMES Series 3 mitigate the risks and downsides of these processes. For forward-looking organizations implementing BYOK, key rotation is a fundamental component of this.
Cryptographic agility refers to the ability to switch between algorithms without rewriting applications or deploying new hardware. Agile cryptosystems can react quickly in the event an algorithm vulnerability or weakness is discovered, reducing the risk of a breach. Additionally, system-wide upgrades are significantly less complex when cryptographic agility is implemented, which also encourages early adoption of new standards and best practices.
When considering cloud platforms and data encryption, organizations often fear the possibility of vendor lock-in and what might occur if an organization wishes to shift to another platform provider.
All platform providers enable keys to be generated and maintained within the cloud providers’ key vaults, but none of these providers allow for the cloud provider-generated keys to be exported if, for example, an organization is migrating to another provider’s solution. This can make data portability an issue, since organizations don’t control keys used to generate that ciphertext.
By deploying BYOK, organizations maintain control over the key used for all applications deployed to the cloud provider. If at any point in the future there is a need to migrate to a new provider, the organization can pull all associated ciphertext and decrypt or translate it to encryption with new keys as required.
An important component of data security is limiting access to sensitive material to only the users that require access. The KMES Series 3 includes a full suite of hierarchical users and permissions capabilities. This allows the deploying organization to centralize all key management operations, including BYOK deployments, to a single centralized key repository.
Organizations may create multiple logical key groups, with only the organization users that own the key having restricted access to these keys. Owners can delegate permissions to individuals within their organization for key management, deployment, archival, storage, and logging. Only users that have been entrusted with access are able to perform the necessary operations on the key.
This flexibility allows for enterprise organizations with thousands of cryptographic keys to isolate them from each other without data exposure between groups. Each organization group is given a restricted view to only keys they own or have been given operational control of. This significantly reduces overhead to the deploying organization, instead of deploying multiple key management solutions that perform the same function, a single unified infrastructure can be deployed for all key management operations.
To ensure keys that have been deployed across the organization maintain availability a redundancy strategy is critical for an organization using the KMES Series 3 as a BYOK solution. The KMES Series 3 can meet these requirements by using its native Masterless Peering algorithm.
The KMES Series 3 will replicate its configuration to its peers within the organization. If one or more KMES Series 3 devices are offline, transactions will be routed to the next available KMES Series 3 within the cluster. Transactions are routed through the Guardian Series 3, which monitors the health and available capacity at each KMES Series 3 managed under it.
Users can push keys to any KMES Series 3 within the cluster and keys will automatically be propagated to all other KMES Series 3 within the cluster. Additionally, keys are double encrypted under the KMES Series 3’s Master File Key or Platform Master Key (3DES and AES-256) along with a mutually authenticated TLS channel between each KMES Series 3.
What sets Futurex’s cloud key management solution apart from others in the marketplace is the Hardened Enterprise Security Platform, Futurex’s complete product line of general purpose HSMs, key management solutions, cryptographic management platforms, and cloud-based services. These devices are built on Futurex’s Base Architecture Model, a common code base that ensures all devices are fully interoperable, scalable, and easily expanded over time.
With this shared code and API functionality, organizations using Futurex products can integrate cloud key management end-to-end throughout their cryptographic ecosystem. For example, key data that has been transferred into their cloud provider is always available and backup up to nth degree scalability. If needing local access, organization users may perform the same cryptographic operations using the local HSMs, performing all operations within the secure boundary of a Futurex HSM.
For organizations preferring cloud-based deployment functionality over on-premises hardware, VirtuCrypt offers cloud access to key management-as-a-service functionality. VirtuCrypt is a cloud-based provider of advanced data encryption and processing solutions. All VirtuCrypt services are powered by Futurex hardware, which includes the KMES Series 3 platform. As such, all the functionality, features, and benefits discussed throughout this article are also available through the VirtuCrypt Cloud.
All VirtuCrypt Services are accessible and manageable through the VirtuCrypt Intelligence Portal (VIP) Dashboard. The VIP Dashboard is a secure, intuitive web application for organizations to review all information related to their VirtuCrypt infrastructure.