The Nuances of BYOK and HYOK
Min-Hank Ho of Baffle offers commentary on the nuances of BYOK and HYOK, and which one might be right for your enterprise’s needs. This article originally appeared in Insight Jam, an enterprise IT community enabling the human conversation on AI.
A modern data security posture is more complex than ever because the way companies use data is multifaceted. Data analytics has transformed data from something that must be stored away and protected to an asset that yields market-differentiating insight. But, as we know, it must still be protected. In fact, industry and governmental privacy regulations stipulate clear mandates for more stringent data security.
Two emerging data security methods that reflect the evolving nature of data use are Bring Your Own Key (BYOK) and Hold Your Own Key (HYOK). Both ensure that data is encrypted and decrypted using a key management system. Using keys, organizations can feel confident that only those with access to encryption keys will be able to access data.
While BYOK and HYOK share similarities, the two methods have very different use cases. Understanding the difference between BYOK and HYOK will help organizations determine which approach makes the most sense, depending on their specific needs.
The Nuances of BYOK and HYOK
Understanding BYOK
In a BYOK model, companies storing cloud data in a multi-tenant environment — which is most common — generate and manage their encryption keys in a multi-tenant, cloud-based key management system (KMS). Users can create, encrypt and rotate keys and then provide these keys to the cloud service provider (CSP). Here is a breakdown of BYOK’s benefits and challenges.
Benefits:
- Regulatory compliance: BYOK can help organizations comply with data protection regulations, requiring them to maintain control over encryption keys and demonstrate exclusive access to them.
- Data sovereignty: Companies that operate in multiple global regions can use BYOK to comply with data sovereignty laws.
- Key control: BYOK offers more stringent data control and ensures data remains within prescribed geographic boundaries.
- Isolation from CSP: BYOK isolates the encryption keys from the CSP, which reduces the risk of the CSP gaining unauthorized access to sensitive data.
- Flexibility: Organizations can use their preferred encryption algorithms and key management practices, allowing them to tailor their security measures to their unique requirements.
Challenges:
- Complexity: BYOK may require additional infrastructure and processes for key management.
- Key management overhead: Managing encryption keys may require additional resources to address long-term planning and maintenance.
- Potential data loss: Should a company lose its keys, it risks permanent data loss. It would require a comprehensive backup and recovery plan, which can also be costly.
- Key distribution challenges: Distributing encryption keys securely in multi-cloud or hybrid environments can be difficult, given the stringent security requirements.
BYOK is a logical option for large, multinational companies in highly regulated industries, such as healthcare and financial services. Such organizations have the resources to invest in the security necessary to avoid significant fines that can impact reputational damage and erode trust.
It is also important to note the emergence of KYOK, similar to BYOK. Still, instead of using a multi-tenant, cloud-based KMS, users manage keys through a dedicated hardware security module (HSM) that it — not the CSP — controls.
Understanding HYOK
When organizations have cloud-based datasets that are not being used in data analytics computations, HYOK makes more sense. HYOK is a model in which the customer possesses and manages the encryption keys outside the cloud infrastructure. Encryption occurs before cloud migration and remains encrypted during its life cycle. Decryption only occurs once data is back on-premises. Here is a breakdown of HYOK’s benefits and challenges.
Benefits:
- Maximum security: HYOK provides the highest security and control over encryption keys because the CSP can never access them. This reduces unauthorized access to its lowest level possible.
- Data isolation: HYOK ensures data remains isolated, drastically reducing the impact of a potential cloud breach.
- Regulatory compliance: With complete control over keys, HYOK supports strict regulatory requirements where organizations must demonstrate full control over encryption keys. This is especially helpful when operating in areas with data sovereignty regulations.
- Key management flexibility: Organizations can determine the encryption algorithms, key lengths and key management practices that make the most sense for their needs.
Challenges:
- Complexity/overhead: HYOK can require HSMs or other secure key storage solutions.
- Data loss: Like BYOK, data can be permanently lost if encryption keys are lost.
- Dependency on physical hardware: Because keys are not stored in the cloud, HYOK can require physical hardware for key storage. In addition to cost and complexity, hardware can create additional vulnerabilities (theft, damage, etc.).
- Cost: HYOK is often expensive to set up and maintain. Costs can include HSMs or secure key storage devices.
HYOK is ideal for an organization with even higher data privacy and protection requirements than those that use BYOK, such as defense and financial services. When insider threats are a serious concern, HYOK offers an extra layer of protection.
Organizations with the most stringent security requirements may choose HYOK because it ensures that the CSP never possesses or has access to the encryption keys. Examples include government or military information, where data access control must be absolute. Further, HYOK can help organizations isolate their data from potential CSP-related vulnerabilities or breaches.
Final Thoughts on BYOK and HYOK
The value companies extract from data must be balanced, so companies need to remain vigilant in protecting it. By employing forward-thinking security measures like BYOK and HYOK — and understanding which method is appropriate for each use case — organizations can ensure their data is protected at all times and reduce the risk of non-compliance.