Multi-cloud key management and BYOK

Cloud providers such as Google Cloud Platform, AWS, and Microsoft Azure work hard to be the service provider of choice for enterprise customers. They often push the envelope with specialized features and capabilities unique to each platform. These features can often add real value for certain industries and applications and help to differentiate the platforms from each other.


At the same time, the reliance on unique services across the various public clouds creates a barrier that inhibits enterprise customers from easily switching from one cloud provider to another or managing applications efficiently across a multi-cloud environment.

In addition, all the public cloud vendors have their own solution for encryption key management, which can be extended to specific applications for enhanced data protection. While this establishes a high degree of security, organizations lose control over the keys and give up the ability to easily migrate to different cloud platforms.

Many organizations start off with the intention of sticking to a preferred cloud provider. But over time, they may need to host certain applications or access certain services that are only available on certain clouds. When that happens, they invariably migrate to a multi-cloud environment. For smaller organizations, it may be possible to stay with a single provider, but as organizations grow, they have to consider going multi-cloud. And from a redundancy standpoint, having the ability to move from one cloud to another in case something happens is very attractive to larger organizations. Additionally, organizations may have an audit requirement involving backup or redundancy capabilities and simply can’t be sole source on a single vendor.

Furthermore, if the cloud provider directly manages an organization’s cryptographic keys, local employees could access the organization’s sensitive data if proper oversight and controls are not in place. Also, if the cloud provider is issued a legal order, they are left with no choice but to comply and hand over the organization’s keys.

Use your own keys

To address these challenges, cloud providers have introduced support for Bring Your Own Key (BYOK) that allows organizations to encrypt data inside cloud services with their own keys while still continuing to leverage the cloud provider’s native encryption services to protect their data.

Even with BYOK, keys still exist in the cloud providers’ key management service. But because keys are now generated, escrowed, rotated, and retired in an on-premises hardware security module (HSM), BYOK helps organizations to more fully address compliance and reporting requirements. Another benefit is that companies can ensure cryptographic keys are generated using a sufficient source of entropy and are protected from disclosure.

While BYOK offers increased control, it also comes with additional key management responsibilities that are magnified in multi-cloud environments. Every cloud provider has its own set of APIs and its own cryptographic methods for transporting keys. With AWS, you import keys through the AWS Management Console, a command-line interface, and with APIs through the TLS protocol. Microsoft has the Azure Storage Service Encryption for data at rest along with the Azure Storage Client Library, and keys must be stored in Azure Key Vault. Google Cloud Platform meanwhile has its own set of tools for managing keys for services such as Google Cloud Storage or Google Compute Engine.

Fundamentally, the processes, procedures and methods for managing keys are completely different across clouds, and not just from an API standpoint, but from architecture and process standpoints with each requiring different key management techniques. Needless to say, all this complexity and variability is the enemy of efficient operations and any missteps can put critical data at risk.

The irony is that at the end of the day, you’re trying to accomplish the same thing, namely encrypt application data in the cloud using keys. That’s also the good news. Because you have a singular goal of key management, many organizations are turning to centralized key management to manage the full lifecycle of cloud keys.

BYOK scenario

In the BYOK scenario, centralizing key management can offer significant advantages by allowing organizations to consolidate policies and procedures, develop consistent, repeatable, and well-documented practices, and – most importantly – reduce the risks of exposing keys.

As mentioned above, even with BYOK, organizations still have to leave a copy of their cryptographic keys with the cloud provider. To address this problem, cloud providers are starting to develop interfaces to allow their customers to fully utilize external key management systems. Not only will this give organizations complete control of their keys, but it points toward centralization as the accepted best practice for managing encryption across multiple cloud environments.

Based on the broad trend toward multi-cloud and the challenge of key management in a multi-cloud world, it’s safe to assume that other cloud providers will be adding improved for support for external key management. This will make it increasingly easier to simplify key management functions across multiple clouds while allowing you to retain full control over your data and encryption keys.

Don't miss