Bring Your Own Key: full data encryption

A growing number of cloud service providers are betting on data encryption and, more specifically, on BYOK (Bring Your Own Key) formulas that give their customers control over their passwords or keys.

A

ll information that is transmitted over a public communications network, such as the Internet, is in danger of being read, so encryption, and even more so, specific strategies such as BYOK, can be the answer to unsolicited access, building a wall of privacy. 

The task of combining the freedom that companies wish to enjoy when locating their servers wherever they want and the privacy rights of technology users, is a challenge to which encryption can provide an answer. In addition, there is a long-standing debate in digital society about who owns the information that travels over the network: the sender or the provider that stores that information. 

BYOK practices are a mode of encryption that allows a customer to generate and keep the encryption key to protect and access his or her own cloud data. With BYOK, a balance is maintained in the relationship between customers and companies handling sensitive data, as the information becomes unreadable to those who do not possess the keys. Even if a security agency requests access to certain information, the provider, be it Amazon, Microsoft or any other, has no choice but to respond that it is not possible to provide it, keeping the customer’s integrity safe. 

One of the main differences between regular key encryption and BYOK patterns is that, in the first case, keys are encrypted before being stored or transmitted, while in BYOK, customers use their own keys to encrypt and protect their data stored in the cloud or on a service platform. Typically, when customers use such solutions, their data is encrypted using keys provided by the cloud service provider. BYOK schemes place the entire key management cycle on the customer and are also very efficient against attempted theft, attacks or security breaches. 

Sometimes both approaches are used in combination to provide greater security. For example, a cloud service provider may encipher a customer’s keys using encryption, and then allow the customer to import and use their own encryption keys with BYOK. 

BYOK practices can help companies comply with security regulations and standards by enabling them to control their encryption keys and demonstrate that their data is protected, while respecting the freedom of users to manage it. On the other hand, however, it is of little use for companies to rely on encryption modes such as BYOK, if legislative frameworks do not move in the same direction. 

The UK has announced an online security bill that would ban end-to-end encryption. Although the legislative framework, from 2016, already exists to allow the removal of encryption, in practice the UK has never gone so far as to implement this power. Head of instant messaging giant Whatsapp, Will Cathcart, stated that the company will not comply with the requirements of the bill, arguing that it is the most troubling legislation currently being discussed in the Western world and that “compromising the security of the product is not an option.” In addition, the new law could require WhatsApp to implement content moderation policies that would be impossible to comply with without removing end-to-end encryption. Cathcart assured that it will refuse to operate in the UK before jeopardizing the autonomy of its customers, a decision that could be supported and thus followed, by other large companies. 

In certain sectors there is some concern that intelligence agencies and services have the last word when it comes to requesting and accessing private information, disabling the precepts of encryption. A recent example is the controversy that arose from the announcement of certain improvements in Apple’s encryption methods, sparking  dispute among security agencies such as the FBI, which criticized this development because of the added difficulties it will cause when accessing files stored in the cloud in the course of an investigation. The company announced that these new features, available since early 2023, allow users to obtain copies of their encryption keys or incorporate extra protection in the iMessage application, using a mode of identity verification through the comparison of a contact verification key via FaceTime or any other secure call. 

In this regard, to ensure maximum control over privacy and security, TrustCloud will soon incorporate a specific module to cover these aspects, based on rigorous BYOK patterns and practices in which the company and its customers can generate and manage their own encryption keys using a shared key management service (Key Manager), controlling the keys in their entirety. The new TrustCloud BYOK module applies Bring Your Own Key practices in all cases where data needs to be encrypted to ensure privacy, whether during transmission over communication networks (in motion or in transit) or while stored as data files (idle mode). 

In addition, TrustCloud intends to enrich the BYOK offer with BYOC (Bring Your Own Certificate) capabilities. This extension allows customers to add their own digital certificates to a BYOK module. In this way, BYOK is not limited to being a shared key manager and is complemented by a function through which customers can generate and revoke their own certificates and incorporate them into the system, thereby providing them with even greater control over their online data. 

The module will soon be offered as an option within the platform and following TrustCloud’s working guidelines, can be activated or revoked at the customer’s request, the cornerstone being the flexibility and adaptation to all types of profiles.