Bring your own encryption

From Wikipedia, the free encyclopedia

Bring your own encryption (BYOE), also called bring your own key (BYOK), refers to a cloud computing security marketing model that purports to help cloud service customers use their own encryption software and manage their own encryption keys.[1] BYOE allows cloud service customers to use a virtualized instance of their own encryption software together with the business applications they are hosting in the cloud, in order to encrypt their data. The hosted business applications are then set up so that all their data is processed by the encryption software, which writes the ciphertext version of the data to the cloud service provider's physical data store and decrypts the ciphertext upon retrieval requests.[2] This gives the enterprise perceived control of its own keys: it produces its own master key using its own internal hardware security modules (HSMs), and that key is then transmitted to the HSM within the cloud. Data owners may believe their data is secured because the master key lies in the enterprise's HSM and not in that of the cloud service provider.[3] When the data is no longer needed (i.e. when cloud users choose to abandon the cloud service), the keys can simply be deleted. That practice is called crypto-shredding.


The term BYOE or BYOK was coined in 2014, which was known as the "Year of Encryption" and the "Year of Bring Your Own Encryption",[4] after the acronym for bring your own device came to prominence in 2011. The idea of BYOE came about in the wake of Edward Snowden's revelations, when it became known that even the most secure data might be at risk from a government or a writ demanding the revelation of its contents. The idea was to protect the secrecy of an enterprise's sensitive information stored in a third party's data store from convoluted legal issues, whereas in the past enterprises were more concerned with security issues between the cloud service provider and the enterprise.[5]


Balancing security against practicality

Two lessons have been learnt that point to the need to strike a balance between security and practicality (or efficiency),[6] as security continues to be one of the largest issues.

The two lessons learnt over the years relate to the human context and to natural human tendencies in security technology matters.[7] First, the human context should always be considered in security technology, as problems often occur due to human weaknesses. Cyber threats arise because human nature is easily targeted where security matters are complicated. Second, natural human tendency means that a person must never rely on instinct when placing trust in security matters. Instincts often lead to more cyber attacks; thus, regardless of the trustworthiness of a source, instinct should never be used to evaluate particular information.[8]


Reduction of risks

BYOE somewhat reduces the risks of data leakage involved in cloud storage.[9] BYOE enables the owning company to modify its encryption keys. There are endless combinations for handling encryption, which provides a better-than-nothing shield for the company's data against a single bug or hacking attack.

Perceived data ownership

With their own tenant keys, data owners get a sense of ownership over their data. Formally, the responsibility for the data lies only with the owner, and government agencies may not be able to obtain information from cloud computing providers (CCPs) directly.[10] Even if the providers do pass the data to government agencies, data owners assume the data will still be in its encrypted form, hence the provider may not be deemed to be invading the data owner's privacy.[11] Anyone who wants the encrypted data may request access directly from the owner of the data, allowing the owner time and space to hire lawyers to negotiate what is to be handed over to the requesting party.[12]

By definition, BYOE secret keys are brought to the cloud computing provider, hence the actual security of BYOE is far from its perceived security. Secret keys are copied over to the cloud environment, and providers may leak them or hand them over to government agencies at their own discretion, sometimes even without notifying the data owner.
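
The following added example (not part of the original article) models the crypto-shredding described in the introduction together with the key copy described above: a per-record data key is wrapped under the tenant master key, and deleting the master key only shreds the data if every store holding a copy deletes it. `KeyStore`, the store names and `tenant-key` are hypothetical, and the HMAC-SHA256 stream construction is a standard-library stand-in for a real AEAD such as AES-GCM.

```python
import hashlib, hmac, secrets

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode; stand-in for a real cipher such as AES-GCM
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    """Encrypt-then-MAC with a fresh nonce; output is nonce || body || tag."""
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified ciphertext")
    return bytes(c ^ s for c, s in zip(body, _keystream(key, nonce, len(body))))

class KeyStore:
    """Models one HSM (hypothetical): master keys are used by id, never read out."""
    def __init__(self, name):
        self.name, self._keys = name, {}
    def generate(self, key_id):
        self._keys[key_id] = secrets.token_bytes(32)
    def transfer(self, key_id, other):   # the BYOK step: the key is copied to the provider
        other._keys[key_id] = self._keys[key_id]
    def delete(self, key_id):
        self._keys.pop(key_id, None)
    def wrap(self, key_id, dek):
        return seal(self._keys[key_id], dek)
    def unwrap(self, key_id, wrapped):
        return unseal(self._keys[key_id], wrapped)   # KeyError once the key is deleted

def readable_after_shredding(delete_from):
    """Return, per key store, whether it can still decrypt the stored record."""
    owner, cloud = KeyStore("owner-hsm"), KeyStore("cloud-hsm")
    owner.generate("tenant-key")
    owner.transfer("tenant-key", cloud)
    dek = secrets.token_bytes(32)        # per-record data encryption key
    wrapped, ciphertext = cloud.wrap("tenant-key", dek), seal(dek, b"constructed sample record")
    result = {}
    for store in (owner, cloud):
        if store.name in delete_from:
            store.delete("tenant-key")
        try:
            unseal(store.unwrap("tenant-key", wrapped), ciphertext)
            result[store.name] = True
        except KeyError:
            result[store.name] = False
    return result
```

Calling `readable_after_shredding({"owner-hsm"})` shows the record is still readable through the provider's copy of the key; only deleting from both stores leaves the ciphertext unrecoverable.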

Secured migration

BYOE facilitates a more secure migration from one CCP to another. No absolutely clean migration is available, because deleting a file from the cloud does not mean that the file is completely wiped from the server's hardware.[13] The only way to secure a totally clean migration is for the company to hold its own key, preventing the CCP from accessing the residual encrypted data. The company's data will be kept safe and locked even after the migration.[14]


Security guarantees vs. marketing efforts

BYOE was born as a reformulation of traditional key management solutions for the cloud era. Explicitly named to resemble successful trends like bring your own device, BYOE branding hints that responsibility for key management translates to exclusive ownership of keys and data. In reality, however,[15] BYOE burdens the data owner with the responsibility for key management, while the owned secret keys are always handed over (read: brought) to the cloud provider.

Inability to support all applications

BYOE cannot support all kinds of applications, for example software as a service (SaaS) applications. Most SaaS applications do not allow a customer to own the encryption of the data. This is because SaaS providers do not give their clients sufficient means to hold their own keys.[16]

Key management

Furthermore, it is important to note that the greatest challenge of BYOE relates to key management,[17] as stated by Steve Pate, Chief Architect of HyTrust. Companies need to be good at managing their own encryption keys to ensure that the encrypted data can be read again.[18] Besides being straightforward, a key management solution ought to be readily accessible when a server requests it. At the same time, the key management server must be secure, so that staff in its own data centres can never obtain the keys.

Global standard

There is also a need for a global standard cloud security platform in order for BYOE to become a practical solution. This standard is required so that any encryption offering can be registered for support by that platform.[19] If the industry cannot ensure that users choose their encryption from a set of global standard platforms, BYOE can be as disturbing as BYOD.[20]


Cloud encryption started off disorderly, with some cloud service vendors providing it while others did not. Previously, some such encryption was locked in and not well integrated, while some encryption schemes belonged solely to a specific vendor. In many cases, if encryption was provided, the cloud provider held the keys, which created a controversial problem for the enterprise. This made many end users lose trust in cloud providers. The trend started to shift towards the view that when encrypted data is stored or processed in the cloud, the end users should be the ones controlling the keys.[21]

Both Amazon and Microsoft have cloud-hosted key management systems, Amazon KMS and Microsoft Azure Key Vault,[22] but both focus on key management rather than on providing a way to encrypt customer data. Thales came forward to assist Microsoft Azure in creating BYOK services for its cloud applications,[23] adding confidence for Microsoft Azure cloud users.

Businesses have also spotted the opportunity to provide new services. One such service is Key Storage-as-a-Service (KSaaS). Dark Matter Labs introduced a new division, KeyNexus, in September 2013, a secured cloud encryption key management service for Amazon Web Services.[24] This independent platform allows companies to store their keys on a platform separate from their data storage while having sole control over their keys.[25] The enterprise storage collaboration company Box also announced a new service, Box Enterprise Key Management, that allows enterprises to use their own encryption keys to encrypt data in Box.[26] Other cloud storage services that provide encryption are SpiderOak, Wuala, Tresorit and MEGA.[27]

References


  1. ^ Rouse, Margaret (22 February 2014). "BYOE(Bring Your Own Encryption)". What Is. Retrieved 10 April 2015. 
  2. ^ Steve, Wexier (24 March 2014). "Solving Cloud Security Will Open Adoption Floodgates". IT Trends & Analysis. Retrieved 10 April 2015. 
  3. ^ Zhang, Hongwen (6 April 2015). "Bring your own encryption: New term in the cloud age". Networks Asia. Retrieved 10 April 2015. 
  4. ^ Smith, Charles. "2014: The year of BYOE (Bring Your Own Encryption)". CipherPoint. Retrieved 10 April 2015. 
  5. ^ Zhang, Hongwen (6 April 2015). "Bring your own encryption: New term in the cloud age". Networks Asia. Retrieved 10 April 2015. 
  6. ^ Zhang, Hongwen (March 2015). "Bring Your Own Encryption and Planet of the Things" (PDF). Wedge Networks. Retrieved 18 April 2015. 
  7. ^ Richard, Moulds (February 2010). "Bridging the Gap Between Operational Efficiency and Security". Thales. Retrieved 18 April 2015. 
  8. ^ Zhang, Hongwen (March 2015). "Bring Your Own Encryption and Planet of the Things" (PDF). A Genisys Group. Retrieved 18 April 2015. 
  9. ^ Palmer, Danny (16 September 2014). "Security technology was viewed like tax – nobody wanted to pay for it, says Vormetric CEO". Computing. Retrieved 10 April 2014. 
  10. ^ Staten, James (14 August 2013). "The Cost of PRISM Will Be Larger Than ITIF Projects". Forrester. Retrieved 18 April 2015. 
  11. ^ Zhang, Hongwen (16 January 2015). "Bring Your Own Encryption: balancing security with practicality". TechRadar. Retrieved 10 April 2015. 
  12. ^ Scott, Brekker (4 November 2014). "Bringing Your Enterprise Cloud Usage Under Control". Redmond Magazine. Retrieved 18 April 2015. 
  13. ^ Lemos, Robert (September 2014). "'Keypocalypse' another barrier to encryption systems". Search Security. Retrieved 18 April 2015. 
  14. ^ Bill, Hackenberger (9 September 2013). "BYOS means bring your own security". Pando Daily. Retrieved 10 April 2015. 
  15. ^ "Does BYOK Mean 'Barely Your Own Keys'? - CC 2017". CC 2017. 2016-07-06. Retrieved 2017-08-14. 
  16. ^ Chloe, Green (5 September 2014). "The intricacies of Bring Your Own Encryption (BYOE)". Information Age. UK. Retrieved 10 April 2015. 
  17. ^ Eduard, Kovacs (15 July 2014). "Bring-Your-Own-Encryption: Is It the Right Choice for Your Enterprise?". Security Week. Retrieved 10 April 2015. 
  18. ^ James, Staten (February 2014). "Why is 'bring your own encryption' (BYOE) important?". SearchCIO. Retrieved 10 April 2015. 
  19. ^ Zhang, Hongwen (6 April 2015). "Bring your own encryption: New term in the cloud age". Networks Asia. Retrieved 10 April 2015. 
  20. ^ Zhang, Hongwen. "Bring your own encryption: balancing security with practicality". ScienceDirect. 2015: 18–20. doi:10.1016/S1353-4858(15)70011-5. Retrieved 10 April 2015. 
  21. ^ Linda, Musthaler (4 October 2013). "Cloud encryption: control your own keys in a separate storage vault". Network World. USA. Retrieved 10 April 2015. 
  22. ^ Richard, Moulds (November 2013). "How 'Bring Your Own Key' will help protect your company's secrets". Thales. Retrieved 18 April 2015. 
  23. ^ "Thales launches BYOK Deployment Service for Microsoft Azure Cloud Applications". Real wire. 31 March 2015. Retrieved 18 April 2015. 
  24. ^ Ariotta, CJ (9 September 2013). "KeyNexus Debuts Remote Key Encryption Management for AWS". Talkin' Cloud. Retrieved 18 April 2015. 
  25. ^ Musthaler, Linda (4 October 2013). "Cloud encryption: control your own keys in a separate storage vault". Network World. Retrieved 18 April 2015. 
  26. ^ Serdar, Yegulalp (10 February 2015). "Box: You can bring your own keys to encrypt in our cloud". Info World. Retrieved 18 April 2015. 
  27. ^ Jakiumar, Vijayan (31 December 2013). "Cloud computing 2014: Moving to a zero-trust security model". Computer World. Retrieved 18 April 2015.