
21 Mar 2024

The pros and cons of Bring Your Own Key (BYOK) with IaaS and SaaS providers: An in-depth analysis

Jacob Berry, Field CISO

With the ever-increasing adoption of SaaS, PaaS, and IaaS products, a platform security feature known as Bring Your Own Key (BYOK) has garnered attention for its ability to enhance data security and control.

Clumio’s implementation of BYOK offers a compelling case study. BYOK enables our customers to increase their security control and gain transparency into how and when the data they store within Clumio is read.

However, as with any technology, it’s crucial to weigh the benefits against the potential drawbacks to make an informed decision about using a feature.

Note: The information presented is intended to be general and applicable advice for any SaaS platform; however, it may not apply in all situations. The analysis in this article is based on AWS systems, Key Management Services, and Encryption services. Each situation should take into account the organization’s business objectives and risk tolerance.

Understanding the BYOK dilemma

Backup data is intended to be an immutable copy that can be resilient to cyber attacks. As part of building systems with strong resilience to cyber attacks, we want to ensure that compromise of an account (or generalized unauthorized access) cannot lead to negative impacts on data integrity and availability.

When you use Clumio or another SaaS solution in its off-the-shelf configuration (i.e., electing to have the service provider manage encryption and the associated keys rather than using BYOK), you inherently gain an out-of-band set of management controls for your backup encryption keys. An attacker who has compromised or gained administrative rights in your primary data environment therefore cannot access or affect the data stored in the SaaS platform, assuming the data is immutable by default, as it is with Clumio.

If you choose to use BYOK, you do not inherit these out-of-band controls. This places a burden on the end user to carefully evaluate how the BYOK key will be managed, and what impact an attack may have if the keys’ confidentiality is compromised.

Let’s examine this in more depth, starting with the advantages of BYOK, then the disadvantages, and finally best practices to mitigate the risk of key compromise when electing to use BYOK.

Advantages of BYOK in IaaS/SaaS backup models

BYOK offers two significant advantages: a clear audit trail of key usage and the ability to revoke access, rendering data unreadable.

This level of control is crucial for organizations that prioritize self-control of data access and need to meet strict compliance and regulatory requirements. With BYOK, businesses can manage encryption keys according to their policies, providing a layer of transparency that is often demanded in highly regulated industries.

With BYOK you can prove when data was read (decrypted) and compare that to expected actions of your SaaS solution. In the case of Clumio, this means you should only see decryption events when a user initiates the restore of a backup.

Audit trail for transparency of key use

Having a detailed audit trail is vital for security audits and compliance. BYOK ensures that every access and operation performed with the encryption key is logged, enabling organizations to monitor and review how data is accessed and by whom. This feature is particularly useful in detecting unauthorized access to data.

In other words, BYOK provides a mechanism to detect unauthorized access to data in a vendor’s environment. This can be used as a compensating control if storing data in a third-party environment makes your security neck hairs stand up.
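The decryption-audit check described above, written here as an added example (not Clumio’s or AWS’s code): it reads CloudTrail-style KMS records and flags any Decrypt on the BYOK key that does not fall inside a restore window taken from the backup platform’s own audit log. The key ARN, role names, restore window and all events are constructed placeholders.

```python
from datetime import datetime, timezone

# Placeholder ARN for the KMS key shared with the backup vendor.
BYOK_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"

# Constructed: windows in which a user really initiated a restore, taken from the
# backup platform's own audit log rather than from CloudTrail.
RESTORE_WINDOWS = [
    (datetime(2024, 3, 20, 14, 0, tzinfo=timezone.utc),
     datetime(2024, 3, 20, 14, 30, tzinfo=timezone.utc)),
]

# Constructed CloudTrail-style records, trimmed to the fields this check reads.
SAMPLE_EVENTS = [
    {"eventTime": "2024-03-20T14:05:12Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "resources": [{"ARN": BYOK_KEY_ARN}],
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/VendorBackupRole/s1"}},
    {"eventTime": "2024-03-21T02:17:45Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "resources": [{"ARN": BYOK_KEY_ARN}],
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/VendorBackupRole/s2"}},
    {"eventTime": "2024-03-21T02:18:01Z", "eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
     "resources": [{"ARN": BYOK_KEY_ARN}],
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/VendorBackupRole/s2"}},
    {"eventTime": "2024-03-21T09:00:00Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/some-other-key"}],
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
]

# Only operations that return plaintext should track restores; GenerateDataKey and
# Encrypt are expected during normal backup runs and are deliberately ignored here.
PLAINTEXT_OPERATIONS = {"Decrypt"}


def parse_event_time(ts):
    """CloudTrail eventTime is ISO-8601 in UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def unexpected_decrypts(events, key_arn, windows):
    """Return (eventTime, eventName, caller ARN) for plaintext-revealing KMS calls on
    key_arn that fall outside every approved restore window."""
    flagged = []
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com" or ev.get("eventName") not in PLAINTEXT_OPERATIONS:
            continue
        if not any(r.get("ARN") == key_arn for r in ev.get("resources", [])):
            continue
        when = parse_event_time(ev["eventTime"])
        if not any(start <= when <= end for start, end in windows):
            flagged.append((ev["eventTime"], ev["eventName"], ev["userIdentity"]["arn"]))
    return flagged
```

In the sample data the 02:17 Decrypt by the vendor role is the only hit: the 14:05 call sits inside the approved restore, the GenerateDataKey is a write, and alice’s call touches a different key.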

Ability to revoke access

If you’re worried about a potential compromise of your SaaS provider, and therefore a perceived risk to the confidentiality of the data stored with that provider, the ability to revoke access to encryption keys ensures that sensitive data remains secure. This rapid response capability can provide a safe backstop to storing data with third parties.

Risks of BYOK within IaaS/SaaS backup

While BYOK offers enhanced control, it also introduces risks if encryption keys are not adequately protected against threats like rogue employees or advanced persistent threats (APTs). In the case of backups, the integrity of the data could be compromised if keys are deleted or mishandled, undermining the very purpose of data backups as a fail-safe in disaster recovery scenarios.

This is a good reminder that BYOK is only as useful as the user’s ability to protect the keys’ confidentiality.

Mitigating risks of BYOK

To address these concerns, organizations must adopt a comprehensive security strategy that includes the following:

  1. Develop a clear threat model to understand the potential impact of compromised accounts and compromised keys. Understand what type of attacks you are likely to face and how the attackers have operated in the past. Use threat-informed defense modeling.
  2. Identify personal accounts, credentials, and access methods that could be used to delete KMS keys. Remember that “only a few people have the ability to do this” limits risk but is not a systematic approach to risk management. As they say, “Hope is not a strategy.”
  3. Follow at minimum the AWS security maturity model architecture and ensure the principle of least privilege is enforced across the organization.
  4. Create and implement a zero-trust strategy, with separate management for KMS keys used for backups to prevent compromise.
  5. For those requiring higher security, establish an out-of-band AWS organization and account, specifically for critical incident response services and KMS keys. This approach minimizes the risk of crossover controls compromising backup integrity.
    • Systems should not share a commonality of access controls such as identity providers.
    • Cross-environment roles should be limited to restrict lateral movement.
    • Include this scenario in your pen testing or purple teaming. I highly recommend war gaming in a purple team manner, if you have the resources, to test the integrity of your system.
    • Limit and compartmentalize personnel who have access to revoke or access keys; if a backup administrator’s account is compromised by a third party, the damage would be limited if the compromised account has no access to key management.
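As an added example (not Clumio’s own tooling) of step 2, a small static check over a KMS key policy: it lists which principals an Allow statement grants key-destroying or policy-changing actions, after excluding the out-of-band administration role from step 5. The account IDs, role names and policy are constructed; the check reads only the key policy and does not evaluate Deny statements, conditions or IAM identity policies, so a grant to the account root is reported because it hands the decision to whatever IAM policies exist in the primary account.

```python
import fnmatch

# KMS actions that can make a BYOK-protected backup unreadable or change who controls the key.
DESTRUCTIVE_ACTIONS = ["kms:ScheduleKeyDeletion", "kms:DisableKey",
                       "kms:PutKeyPolicy", "kms:DeleteImportedKeyMaterial"]

# Constructed key policy shaped like the AWS default: account root gets kms:*, a vendor
# role gets the data path, and an out-of-band IR role gets key administration.
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Vendor data path", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::444455556666:role/VendorBackupRole"},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
        {"Sid": "Out-of-band key administration", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::777788889999:role/IncidentResponseKeyAdmin"},
         "Action": ["kms:ScheduleKeyDeletion", "kms:DisableKey", "kms:PutKeyPolicy"],
         "Resource": "*"},
    ],
}
TRUSTED_KEY_ADMINS = frozenset({"arn:aws:iam::777788889999:role/IncidentResponseKeyAdmin"})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Flatten Principal, which is either "*" or a map of AWS/Service/Federated entries."""
    principal = statement.get("Principal", {})
    return ["*"] if principal == "*" else [p for v in principal.values() for p in _as_list(v)]


def destructive_grants(policy, trusted_principals=frozenset()):
    """Map each untrusted principal to the destructive actions an Allow statement grants it.
    Only the key policy is read (no Deny, Condition or IAM identity-policy evaluation), so a
    grant to an account root is a finding: it delegates deletion to that account's IAM policies."""
    findings = {}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = _as_list(stmt.get("Action", []))
        granted = {a for a in DESTRUCTIVE_ACTIONS if any(fnmatch.fnmatchcase(a, p) for p in patterns)}
        for principal in _principals(stmt):
            if granted and principal not in trusted_principals:
                findings.setdefault(principal, set()).update(granted)
    return {p: sorted(actions) for p, actions in findings.items()}
```

Run against the sample policy with the IR role trusted, the only finding is the root principal of account 111122223333 with all four destructive actions, which is exactly the crossover between the primary environment and the backup keys that the separate out-of-band account is meant to remove.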

Takeaways

The decision to adopt BYOK with any SaaS platform, including Clumio, should be made after carefully considering the balance between enhanced security control and the potential risks associated with key management.

Implementing the recommended security measures can mitigate these risks, ensuring that the integrity of backups remains secure. Ultimately, BYOK’s value lies in its ability to offer organizations greater control over their data security, but this control comes with the responsibility of rigorous key management.

Want to keep reading? Download Secure, Immutable, Air-gapped Data Protection to learn more about Clumio’s security advantages, then read our blog for instructions on how to enable BYOK in your Clumio environment.


About the author

Jacob is Clumio’s Field CISO with a background in Cyber Security and Technology, focused on helping customers build secure cloud operating environments. He has extensive experience in offense and defense security, security operations, and working across multiple verticals in both private and public sectors.