Bring your own encryption (BYOE), also called bring your own key (BYOK), is a cloud computing security marketing model intended to help cloud service customers use their own encryption software and manage their own encryption keys. BYOE lets cloud service customers deploy a virtualized instance of their own encryption software alongside the business applications they host in the cloud in order to encrypt their data. The hosted business application is set up so that all of its data passes through the encryption software, which writes the ciphertext version of the data to the cloud provider's physical data store and transparently decrypts it again on each fetch request. This gives the company a perceived control over its own keys: it generates its own master key in its internal hardware security module (HSM), and that key is then forwarded to an HSM in the cloud. Data owners may believe that their data is secure because the primary key resides in the corporate HSM and not with the cloud service provider. When the data is no longer needed (e.g. when a cloud customer chooses to leave the cloud service), those keys can simply be deleted, a practice called crypto-shredding.
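The write and fetch paths described above, as an added example that is not part of the original article or of any vendor's product: envelope encryption in Ruby using its standard OpenSSL bindings. The kek argument stands in for the customer's master key (in practice held in an HSM), the returned hash is what the provider's storage would hold, and passing nil as the KEK models the crypto-shredding step.

```ruby
require 'openssl'

# Envelope encryption as the BYOE model describes it: the customer's
# key-encryption key (KEK) never touches data directly. It wraps a fresh
# per-object data key (DEK); only ciphertext and the wrapped DEK reach the cloud.
module ByoeEnvelope
  CIPHER = 'aes-256-gcm' # 32-byte key, 12-byte IV, 16-byte tag

  # AES-256-GCM encrypt; returns iv || tag || ciphertext as one binary string.
  def self.seal(key, plaintext)
    c = OpenSSL::Cipher.new(CIPHER).encrypt
    c.key = key
    iv = c.random_iv
    ct = c.update(plaintext) + c.final
    iv + c.auth_tag + ct
  end

  # Reverse of seal. Raises on a shredded (nil) key, a wrong key or tampered
  # data: the GCM tag check makes it fail closed instead of returning garbage.
  def self.open(key, blob)
    raise ArgumentError, 'key has been crypto-shredded' if key.nil?
    c = OpenSSL::Cipher.new(CIPHER).decrypt
    c.key = key
    c.iv = blob[0, 12]
    c.auth_tag = blob[12, 16]
    c.update(blob[28..]) + c.final
  end

  # Write path: a random DEK encrypts the object and the KEK wraps the DEK.
  # The returned hash is all that is handed to the provider's storage.
  def self.encrypt(kek, plaintext)
    dek = OpenSSL::Random.random_bytes(32)
    { wrapped_dek: seal(kek, dek), ciphertext: seal(dek, plaintext) }
  end

  # Fetch path: unwrap the DEK with the KEK, then decrypt the object.
  def self.decrypt(kek, obj)
    dek = open(kek, obj[:wrapped_dek])
    open(dek, obj[:ciphertext])
  end

  # Crypto-shredding check: once the KEK is deleted (nil here), every object
  # wrapped under it is unreadable although its ciphertext still sits in storage.
  def self.readable?(kek, obj)
    decrypt(kek, obj)
    true
  rescue ArgumentError, OpenSSL::Cipher::CipherError
    false
  end
end
```

Note that the KEK has to be present wherever decryption happens; if that place is a cloud-side HSM, the provider holds the very key the model claims to keep from it.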
History
The term BYOE or BYOK was coined in 2014, dubbed the "Year of Encryption" and "the Year of Bring Your Own Encryption", after the acronym bring your own device (BYOD) had risen to fame in 2011. The idea of BYOE arose in the wake of Edward Snowden's revelations, when it became known that even the most securely held data may be at risk from a government or a court order demanding disclosure of its contents. The idea was initially meant to protect the confidentiality of a company's sensitive information held in third-party data storage against complicated legal issues, whereas in the past companies had been more concerned with security issues between cloud service providers and the enterprise.
Problem
Balancing security against practicality
Two lessons have been learned that show the need to balance security against practicality (or efficiency), as security remains one of the biggest problems.
The two lessons learned over the years relate to human nature and the natural tendencies of security technology. First, the human context must always be considered in security technology, because problems often stem from human weaknesses; cyber threats arise because human nature is easily exploited through complicated security issues. Second, human nature means that one should not rely on instinct or put blind confidence in security matters. Instinct often causes more cyber attacks, so, regardless of how trusted the source is, instinct should not be used to evaluate information.
Benefits
Risk reduction
BYOE somewhat reduces the risk of data leakage involved in cloud storage. It allows the owning company to change its encryption keys, and there are endless combinations for handling encryption, so enterprise data is better shielded from any single bug or attack.
Perceived data ownership
With their own tenant keys, data owners get a sense of ownership over their data. Formally, responsibility for the data rests solely with its owners, and government agencies may not be able to obtain information from cloud computing providers (CCPs) directly. Even if the provider does hand data to a government agency, the data owner considers the data to remain in encrypted form, so the provider cannot be deemed to have violated the data owner's privacy. Anyone who wants the encrypted data must request access from the data owner directly, giving the owner the time and room to engage a lawyer and negotiate what will be handed over to the requesting party.
By definition, however, BYOE's secret key is brought to the cloud computing provider, so the real security of BYOE is far from the impression it gives. Secret keys are copied into the cloud environment, and providers can leak them or hand them to government agencies at their own discretion, sometimes without even notifying the data owner.
Safe migration
BYOE facilitates safer migration from one CCP to another. No migration is absolutely clean, because deleting files from the cloud does not mean they are completely removed from the server hardware. The only way to ensure a truly clean migration is to hold your own key, which prevents the CCP from accessing the encrypted data left behind. The company's data then remains securely locked even after migration.
Challenges
Security versus security marketing efforts
BYOE was born as a rebranding of traditional key management solutions for the cloud era. Explicitly named after successful trends such as bring your own device, BYOE's branding suggests that responsibility for key management translates into exclusive ownership of the keys and the data. In reality, BYOE burdens the data owner with responsibility for key management while the secret key is still delivered (read: brought) to the cloud provider.
Inability to support all apps
BYOE cannot support all types of applications, for example software as a service (SaaS) applications. SaaS applications (mostly) do not allow anyone else to encrypt their data, because SaaS providers have made little progress in letting their clients hold their own dedicated keys.
Key management
Furthermore, the biggest challenge of BYOE relates to key management, as stated by Steve Pate, Chief Architect at HyTrust. Companies must be good at managing their own encryption keys to ensure that the encrypted data can be read again. Besides being straightforward, key management solutions must be readily available whenever a server requests a key. At the same time, the key management server must be secured so that data center staff on their own can never obtain the key.
Global standard
A global standard cloud security platform is also needed for BYOE to be a practical solution; any encryption offering would have to be registered for support by that platform. If the industry cannot ensure that users choose their encryption from a set of globally standardised platforms, BYOE can be just as troublesome as BYOD.
Trends
Cloud encryption started out unevenly, with some cloud service vendors providing it while others did not. Early on, some of this encryption was locked in and poorly integrated, and some encryption schemes were specific to particular vendors. In many cases where encryption was provided, the cloud provider held the key, a controversial arrangement for companies that made many end users lose confidence in cloud providers. The trend is now shifting toward the principle that when encrypted data is stored or processed in the cloud, the end user must be the one who controls the key.
Both Amazon and Microsoft offer cloud-hosted key management systems, Amazon KMS and Microsoft Azure Key Vault, but both focus on key management rather than providing a way to encrypt customer data. Thales has helped Microsoft Azure create BYOK services for its cloud applications, adding to the trust of Microsoft Azure cloud users.
Businesses have also seen opportunities to offer new services. One is Key Storage-as-a-Service (KSaaS). Dark Matter Labs introduced its new division, KeyNexus, in September 2013, a secure cloud encryption key management service for Amazon Web Services. This independent platform lets companies store their keys on a platform separate from their data storage while retaining sole control over their keys. The enterprise storage collaboration firm Box also announced a new service, Box Enterprise Key Management, which lets companies use their own encryption keys to encrypt data in Box. Other cloud storage services that offer encryption are SpiderOak, Wuala, Tresorit, and MEGA.
See also
- Cloud computing security
- Encryption
- Trust no one (Internet security)
References
Source of the article: Wikipedia