Thanks to Edward Snowden’s revelations about the NSA, the comprehensive hacking of Sony, and ongoing legal battles over whether email stored in the cloud belongs to the people sending it or the service hosting it, more and more cloud services have moved to encrypt data. Some are going even further, offering Bring Your Own Key (BYOK) options, where the user holds the encryption keys for their own cloud data.
Google Compute Engine started offering a preview service for encrypting both data and compute with your own keys this summer, and Amazon offers both soft key management and the much pricier (and slower to set up) Cloud HSM service for use with EC2 and S3, where your keys live in dedicated Hardware Security Modules in Amazon’s cloud. Adobe Creative Cloud now supports customer-managed data encryption keys to protect content synced to Creative Cloud accounts.
Microsoft’s Key Vault is intended to be a single, audited, versioned, secure vault that integrates with Azure Active Directory for authentication. Key Vault can store passwords, configuration details, API keys, certificates, connection strings, signing keys, SSL keys and encryption keys for Azure Rights Management, SQL Server TDE, Azure Storage, Azure Disk Encryption, for your own .NET applications on Azure, and for encrypting VMs using EMC’s CloudLink Secure VM. Keys in Key Vault come in two forms: soft keys, which are encrypted at rest under a system key held in an HSM, and HSM-protected keys, which are loaded directly into a Microsoft HSM (in a geographic region you choose) from your own HSM. The second path is what lets you create keys on premises and transfer them to Key Vault without the key ever existing in the clear outside an HSM.
Dan Plastina, who runs the Microsoft Information Protection group that includes Key Vault, points out the advantages of managing keys for different systems in the same way. “The beauty here is if you come up with a mechanism that works for Office 365 workloads like Exchange, SharePoint and OneDrive for Business, and that same mechanism also works for line of business apps, for VMs, stuffing secrets into VMs, CRM, SQL Server, HDInsight, you start lighting up your Microsoft workloads with a paradigm that is very similar and training that is very similar.” He says that’s critical if you’re considering BYOK, because of the dangers of losing your keys.
“You’re looking for something you can wrap your brain around and train your staff to do, because you do not want to lose your key because then you lose your data,” Plastina says. With HSM-backed keys, like Cloud HSM or BYOK in Azure Key Vault, the key is transferred from your HSM to theirs in a wrapped form that only the destination HSM can unwrap, so the provider’s software never handles it in the clear. That means they can’t hand your keys over, whether to an attacker or to a government investigation. But it also means that they can’t give you back your keys if you lose them.
“If you lose your keys, all the data encrypted to the key is gone forever,” Plastina says. “When the key is transferred from their infrastructure into our HSM, it’s done in a way we can’t see it, so if the customer comes back and says the building burned down and the HSM is gone, then all the keys are gone and that's it – game over. As the saying goes, with great power comes great responsibility. People need to be up to the task if they want to get involved.”
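To make the property Plastina describes concrete, here is an added example; it is not Microsoft’s BYOK tooling or Key Vault’s actual import format, and the HSM type, the key name `tde-master-key` and the use of RSA-OAEP as the wrapping algorithm are assumptions for illustration. The private half of the key-exchange key is generated inside the destination HSM and never leaves it; the customer’s key crosses the provider only as ciphertext under that key, so the provider’s software cannot read it, and neither can a second HSM with a different key-exchange key, which is also why the wrapped blob is not a backup.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// hsm stands in for a provider-side HSM (assumed model, not a real product API).
// The private half of its key-exchange key (KEK) is generated inside and never
// exported; everything outside, including the provider's software, sees only
// the public half.
type hsm struct {
	kek      *rsa.PrivateKey
	imported map[string][]byte // unwrapped tenant keys, visible only in here
}

func newHSM() (*hsm, error) {
	kek, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &hsm{kek: kek, imported: map[string][]byte{}}, nil
}

// importKey unwraps a blob produced for this HSM's KEK. The key name is used as
// the OAEP label, so a blob cannot be quietly imported under a different name.
func (h *hsm) importKey(name string, blob []byte) error {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, h.kek, blob, []byte(name))
	if err != nil {
		return err
	}
	h.imported[name] = key
	return nil
}

// wrapForHSM is the customer-side step (done by the on-premises HSM in a real
// deployment): the tenant key leaves the customer only as OAEP ciphertext under
// the destination HSM's public KEK.
func wrapForHSM(kekPub *rsa.PublicKey, name string, key []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, kekPub, key, []byte(name))
}

// TransferResult records what each party could do with the transit blob.
type TransferResult struct {
	BlobLeaksKey    bool // does the blob the provider relays contain the key?
	ImportedOK      bool // did the intended HSM recover a usable key?
	ForeignImportOK bool // can another HSM (or anyone holding the blob) recover it?
}

// RunTransfer performs one import and reports the three properties above.
func RunTransfer() (TransferResult, error) {
	var r TransferResult
	target, err := newHSM()
	if err != nil {
		return r, err
	}
	other, err := newHSM() // a second HSM with its own KEK: the wrong destination
	if err != nil {
		return r, err
	}
	tenantKey := make([]byte, 32) // constructed sample: a fresh AES-256 key
	if _, err := rand.Read(tenantKey); err != nil {
		return r, err
	}
	blob, err := wrapForHSM(&target.kek.PublicKey, "tde-master-key", tenantKey)
	if err != nil {
		return r, err
	}
	r.BlobLeaksKey = bytes.Contains(blob, tenantKey)
	r.ImportedOK = target.importKey("tde-master-key", blob) == nil &&
		bytes.Equal(target.imported["tde-master-key"], tenantKey)
	r.ForeignImportOK = other.importKey("tde-master-key", blob) == nil
	return r, nil
}

func main() {
	r, err := RunTransfer()
	if err != nil {
		panic(err)
	}
	fmt.Printf("blob leaks key: %v, intended HSM imported: %v, other HSM imported: %v\n",
		r.BlobLeaksKey, r.ImportedOK, r.ForeignImportOK)
}
```

Running it prints `blob leaks key: false, intended HSM imported: true, other HSM imported: false`. The design point is the last value: if the customer’s HSM burns down and the destination HSM is deleted, the blob that went over the wire is useless to everyone, which is exactly the “game over” scenario in the quote.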
Service-managed keys can give you the assurances of per-tenant and per-subscription keys, with segregation of duties and auditing, without the headache of managing keys. “But with BYOK, we're requesting customers get involved in a significant way,” Plastina says. “That means setting up vaults, managing vaults; in some cases, that requires HSM-backed keys so they’re purchasing an HSM on premise, they have to run their own quorums for administrators’ smart cards and PINs, they have to save smartcards in the right place. It definitely raises the burden on them.”
Bring your own bank
If you’re considering whether bringing your own keys, which also means securing your own keys, is right for your business, the first question to ask is whether you are ready to become a bank, because you will have to run your key infrastructure with the same rigor, down to considering the travel plans of officers of the company. If you have three people authorized to use the smart card that gives access to your key, you never want all three of them on the same plane: lose all of them at once and nobody can unlock the key, which means nobody can recover the data encrypted under it.
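The three-officers-and-one-plane rule is a threshold-custody problem, and the standard software answer is a k-of-n secret split. The following is an added example, not part of the article and not how any vendor’s HSM administrator quorum is actually implemented: a 2-of-3 Shamir split of a 32-byte key-encryption key in Go, using the secp256k1 base-field prime as the arithmetic field (an assumption; any prime larger than the key works). It shows that any two custodians rebuild the key, that one custodian alone gets a random-looking value rather than an error, and therefore that losing two of the three at once is unrecoverable.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// Field prime: the secp256k1 base-field prime, a 256-bit prime that holds a
// 32-byte (AES-256) key as a single field element.
var prime, _ = new(big.Int).SetString(
	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F", 16)

// Share is one custodian's piece: f(X) for X in 1..n (never 0, which is the secret).
type Share struct {
	X int
	Y *big.Int
}

// Split makes n shares such that any k reconstruct the secret and any k-1 reveal
// nothing: a random degree k-1 polynomial with the secret as constant term.
func Split(secret []byte, k, n int) ([]Share, error) {
	if k < 2 || n < k {
		return nil, errors.New("need 2 <= k <= n")
	}
	s := new(big.Int).SetBytes(secret)
	if s.Cmp(prime) >= 0 {
		return nil, errors.New("secret does not fit in the field")
	}
	coeffs := []*big.Int{s}
	for i := 1; i < k; i++ {
		c, err := rand.Int(rand.Reader, prime)
		if err != nil {
			return nil, err
		}
		coeffs = append(coeffs, c)
	}
	shares := make([]Share, n)
	for i := 1; i <= n; i++ {
		x, y := big.NewInt(int64(i)), new(big.Int)
		for j := k - 1; j >= 0; j-- { // Horner evaluation mod p
			y.Mul(y, x).Add(y, coeffs[j]).Mod(y, prime)
		}
		shares[i-1] = Share{X: i, Y: y}
	}
	return shares, nil
}

// Recover interpolates f(0) from the shares given (Lagrange). With k or more
// distinct shares that is the secret; with fewer it is a random-looking field
// element and NOT an error, so only a known-answer check tells the two apart.
func Recover(shares []Share, size int) ([]byte, error) {
	sum := new(big.Int)
	for j, sj := range shares {
		num, den := big.NewInt(1), big.NewInt(1)
		xj := big.NewInt(int64(sj.X))
		for m, sm := range shares {
			if m == j {
				continue
			}
			xm := big.NewInt(int64(sm.X))
			if xm.Cmp(xj) == 0 {
				return nil, errors.New("duplicate share")
			}
			num.Mul(num, xm).Mod(num, prime)
			den.Mul(den, new(big.Int).Sub(xm, xj)).Mod(den, prime)
		}
		term := new(big.Int).ModInverse(den, prime)
		term.Mul(term, num).Mul(term, sj.Y).Mod(term, prime)
		sum.Add(sum, term).Mod(sum, prime)
	}
	if sum.BitLen() > size*8 {
		return nil, errors.New("recovered value does not fit")
	}
	return sum.FillBytes(make([]byte, size)), nil
}

// QuorumResult summarises a 2-of-3 split of a constructed 32-byte key.
type QuorumResult struct {
	AnyTwoRecover bool // every pair of custodians rebuilds the key
	OneAloneFails bool // a single custodian gets a wrong value, not an error
}

func RunQuorum() (QuorumResult, error) {
	var r QuorumResult
	key := make([]byte, 32) // constructed sample key-encryption key
	if _, err := rand.Read(key); err != nil {
		return r, err
	}
	shares, err := Split(key, 2, 3)
	if err != nil {
		return r, err
	}
	r.AnyTwoRecover = true
	for _, pair := range [][]Share{{shares[0], shares[1]}, {shares[0], shares[2]}, {shares[1], shares[2]}} {
		if got, err := Recover(pair, 32); err != nil || !bytes.Equal(got, key) {
			r.AnyTwoRecover = false
		}
	}
	one, err := Recover(shares[2:3], 32) // the lone survivor after two are lost
	if err != nil {
		return r, err
	}
	r.OneAloneFails = !bytes.Equal(one, key)
	return r, nil
}

func main() {
	r, err := RunQuorum()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The caveat in `Recover` is the operational one: with too few shares you get a plausible-looking 32-byte value and no error, so a custody procedure needs a known-answer test (for instance, decrypting a stored test vector) before anyone trusts a reconstructed key. Choosing k and n is the same trade-off the article describes: a larger k means more officers must collude to misuse the key, a larger n-k means more of them can be lost before the data is.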
The burden of securing those keys means that although some Microsoft customers, particularly in the automotive industry, have opted for BYOK, “others say ‘we trust Microsoft is going to do the right thing’,” says Plastina. “They all start by saying ‘I want to be in control,’ but as they see the responsibility and they understand to what extreme lengths Microsoft is taking this responsibility, they say ‘why don’t you just do it.’ They don't want to be the weaker link in a chain.”
Even some New York financial institutions, who initially wanted BYOK that ran against their own on-premises HSMs, decided against it when they considered what could go wrong, says Paul Rich from Microsoft’s Office 365 team. “An HSM could have been powered down, taking out a vast swathe of the user base. They quickly got the idea that this is potentially a great denial of service attack that a malicious insider or attacker performs on the company. These are our most sophisticated customers, who are highly sensitive to the fact that this is a big responsibility but also a threat of potential destruction, whether that’s accidental or malicious.”
Some businesses believe they need BYOK to comply with legal requirements to have keys under their supervision. There is a range of interpretations of what that actually means in different jurisdictions. “We believe we're meeting the spirit and intent of those laws,” says Plastina. A service like Key Vault can make it easier to keep keys in specific geographies, especially for smaller companies who don’t have physical infrastructure in all the territories they do business in.
However, some businesses still want the option to bring their own keys, or even to host them in an HSM that they run themselves. In many ways, hosting your own keys contradicts the reason many companies adopt cloud services in the first place: the speed, simplicity and cost savings of not running their own infrastructure. Once the cloud service has to call back to your HSM to obtain or use keys, the availability and latency of that HSM become the availability and latency of the service, so keeping acceptable performance and service levels requires significant infrastructure.
“Those customers would be required to run a highly available, fault-tolerant data center distributed service to issue keys,” Plastina warns. It's not a service that Microsoft offers today, but he says it’s important for industries like banking, who already have the processes and expertise to secure keys, as well as the experience in vetting employees.