Bring-Your-Own-Encryption: Is It the Right Choice for Your Enterprise?

Following the recent issues surrounding encryption and encryption tools, some organizations are turning to Bring-Your-Own-Encryption (BYOE), but experts warn that there are some aspects that need to be taken into consideration before making the move.

To learn more about the advantages, disadvantages and challenges posed by BYOE, SecurityWeek reached out to several experts in the field.

BYOE is a cloud computing security model that enables organizations to use their own encryption software and manage their own encryption keys. This is done by deploying a virtualized instance of the encryption software alongside applications hosted in the cloud to securely encrypt data.

BYOE can help an organization properly secure its sensitive data, but it can also help it avoid issues caused by vulnerabilities in widely used encryption tools, like OpenSSL. On the other hand, incorrectly installed or improperly configured encryption software not only fails to protect data, but also gives the user a false sense of security.

A good example of BYOE being adopted by more and more organizations is Amazon’s decision to enhance Amazon Simple Storage Service (S3) support for server-side encryption and allow customers to use their own encryption keys.

Cloud security company Vormetric told SecurityWeek that BYOE is a very strong trend, with a number of major organizations already using it, and many cloud providers planning on offering the option to their customers.

Advantages of BYOE

As HyTrust Chief Architect Steve Pate points out, allowing the cloud service provider to encrypt the data and hold the encryption keys is like putting family jewels in a safe deposit box and having the bank hold both keys.  

“If you are moving servers to the cloud to platforms such as Amazon EC2 or Microsoft Azure, you will want to encrypt your own data and make sure that you hold the keys. Thus when any data leaves your virtual machine and gets written to storage, the data is encrypted and is not visible to any administrators in the cloud,” Pate told SecurityWeek.

“Encryption, in general, offers two primary advantages: the ability to control data from accidental exposure, and the ability to prevent loss to intentional threat,” said Kevin O’Brien, director of product marketing at CloudLock.

“As an increasing amount of data is moved into the cloud, the nature of risk is evolving; where once we would have seen the majority of data loss to have occurred due to outsiders gaining access to sensitive information, the predominant danger today is from accidental exposure from internal staff or users,” O’Brien noted. “BYOE helps organizations in that it provides a directly controlled, frequently user-centric means of addressing that kind of insider risk.”

Dr. Vincent Berk, CEO of network security company FlowTraq, believes that the most significant advantage of BYOE is diversity: the use of bespoke encryption instead of standard built-in encryption.

“The number of techniques with which we encrypt are based on a small number of mathematical equations, which means in the end that the differences are in code implementation alone. By adding different parameters and programming implementations, creating unique encryption packages, organizations are able to create levels of diversity that reduces the chances that one bug is able to affect such large numbers,” Dr. Berk explained.

Derek Tumulak, Vormetric’s vice president of product management, points out that there are two implementation scenarios: organizations can manage their keys within the cloud environment themselves, or they can manage their keys off the cloud provider’s premises in their own data center or other environment.

“In either case, the primary benefit of managing the keys yourself is that you reduce risks with a smaller attack surface available to threats,” Tumulak said.

In both implementation scenarios, a compromise of the cloud provider’s architecture, physical infrastructure or accounts by a third party is less likely to result in data being compromised. However, organizations that manage their keys off the cloud provider’s premises eliminate the possibility of data becoming compromised as a result of a breach at the cloud provider or legal access by court order, Tumulak noted.
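The two scenarios Tumulak describes, together with Pate's point that data should be encrypted before it ever reaches the provider's storage, come down to an envelope-encryption pattern: each object gets its own data-encryption key (DEK), and the DEK is wrapped by a key-encryption key (KEK) that lives in the customer's own key server, not in the cloud account. The following Go program is an added illustration of that pattern and is not code from SecurityWeek or from any of the vendors quoted; the `KeyServer` type and its `WrapDEK`/`UnwrapDEK` calls are hypothetical stand-ins for an off-premises KMS or HSM, and the sample record is constructed. It shows that the ciphertext and wrapped DEK stored in the cloud are useless without the KEK, and that a wrapped DEK is bound to the object it was issued for.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyServer stands in for the customer-controlled key management service
// (hypothetical; not a real product or API). The KEK never leaves it.
type KeyServer struct {
	kek []byte // 32 bytes, AES-256
}

// NewKeyServer generates a fresh random KEK; a real deployment would load
// it from an HSM or a replicated, access-controlled key store.
func NewKeyServer() (*KeyServer, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyServer{kek: kek}, nil
}

// gcmSeal encrypts plaintext with AES-256-GCM under key and prefixes the
// random nonce so the output is self-describing.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// gcmOpen reverses gcmSeal; a wrong key, wrong AAD or tampered ciphertext
// fails authentication instead of returning garbage.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

// WrapDEK and UnwrapDEK are the only operations that touch the KEK. The
// object ID is bound in as associated data so a wrapped DEK cannot be
// reused for a different object.
func (ks *KeyServer) WrapDEK(dek, objectID []byte) ([]byte, error) {
	return gcmSeal(ks.kek, dek, objectID)
}

func (ks *KeyServer) UnwrapDEK(wrapped, objectID []byte) ([]byte, error) {
	return gcmOpen(ks.kek, wrapped, objectID)
}

// StoredObject is everything that lands in the cloud provider's storage.
type StoredObject struct {
	ID         []byte
	Ciphertext []byte // AES-GCM(DEK, plaintext), nonce-prefixed
	WrappedDEK []byte // AES-GCM(KEK, DEK), nonce-prefixed
}

// Encrypt runs inside the customer's own VM: it generates a per-object DEK,
// encrypts the data locally, and asks the key server to wrap the DEK.
func Encrypt(ks *KeyServer, objectID, plaintext []byte) (*StoredObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := gcmSeal(dek, plaintext, objectID)
	if err != nil {
		return nil, err
	}
	wrapped, err := ks.WrapDEK(dek, objectID)
	if err != nil {
		return nil, err
	}
	return &StoredObject{ID: objectID, Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Decrypt needs the key server to unwrap the DEK; stored data alone is useless.
func Decrypt(ks *KeyServer, obj *StoredObject) ([]byte, error) {
	dek, err := ks.UnwrapDEK(obj.WrappedDEK, obj.ID)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, obj.Ciphertext, obj.ID)
}

func main() {
	ks, _ := NewKeyServer()
	// Constructed sample record; not real data.
	obj, _ := Encrypt(ks, []byte("patient-record-0001"), []byte("blood type O+"))
	pt, _ := Decrypt(ks, obj)
	fmt.Printf("round trip: %q\n", pt)
	_, err := Decrypt(&KeyServer{kek: make([]byte, 32)}, obj) // provider has no KEK
	fmt.Println("decrypt without the customer's KEK:", err)
}
```

The provider's breach or court-order scenario corresponds to the last call in `main`: anyone holding only `StoredObject` values, even with the provider's full storage, cannot unwrap a DEK, because the KEK is never written to the cloud side. Moving the `KeyServer` into the cloud account is Tumulak's first scenario; keeping it in the customer's data center is the second, and the code path is the same either way.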

Disadvantages of BYOE

“Some scenarios are not supported,” said Tumulak. “SaaS applications (for the most part) cannot allow you to own the encryption of data. The SaaS providers have not yet implemented the technologies for customers to hold their own keys, and still have full functionality.” 

“There are half-way solutions (cloud-gateways) but these solutions frequently use unsupported interfaces or simply do ‘screen scraping’ (and so require frequent updates and changes as the SaaS environment changes) or disable much search or other SaaS functionality as a result of the SaaS environment not being able to see decrypted information,” Tumulak added.

According to Pate, one of the biggest disadvantages is related to key management.

“Not only does key management need to be simple, your key management solution must be highly available so that when your servers request a key, they are always able to get the key. Your key management servers must also be secure so that even staff in your own data centers are never able to get to the keys,” Pate said.

O’Brien believes BYOE puts the burden of implementation and management on the organization itself.

“Philosophically, organizations that are adopting cloud are typically doing so because they wish to increase their operational efficiency, improve collaboration, and minimize the amount of IT infrastructure management that they are required to do. BYOE, for all of the advantages it provides in terms of additional security and defense-in-depth for cloud assets, is not inherently aligned with these goals,” O’Brien told SecurityWeek.

While BYOE might seem like the perfect solution to avoid the problems caused by Heartbleed-like vulnerabilities, there is also a downside, Dr. Berk explained.

“Having 100 individuals write different encryption packages as opposed to a select few means you’re probably seeing 20 groups of individuals writing their own encryption methods and making mistakes. The fact that these encryption methods will be checked less frequently and used less frequently means bugs will be more random and more difficult to discover,” Dr. Berk said.

What types of organizations should turn to BYOE?

Tumulak says there are four main types of organizations that could benefit from the heightened level of security (and reduced risk) that goes with BYOE: ones that have compliance requirements, ones to which the protection of intellectual property is crucial (e.g., aerospace, defense, manufacturing), ones that might be required by their customers to encrypt data to certain standards, and ones that want to reduce the risk of data breaches.

“With both governments around the globe adding penalties for loss of personal information the [reduction of the risk of data breaches] becomes a strong driver.  The US, EU, South Korea, Australia and many others have implemented this policy and more is on the way in the wake of the record data breaches so far in 2014.  If using personally identifiable information that could result in a breach, BYOE is the strongest way to protect data used and stored remotely,” Tumulak said.

According to O’Brien, organizations with a hybrid of on-premise and in-cloud data are well suited to BYOE, especially for their legacy systems that cannot be moved to the SaaS/PaaS/IaaS stack.

“Even in these circumstances, however, they would do well to preface an encryption adoption strategy with a robust understanding of what data constitutes sensitive information and apply strong encryption to it selectively,” O’Brien said.

“Encryption and BYOE are related but still distinct offerings. Organizations consolidating around the use of cloud (and especially public cloud/SaaS) should be cautious about the high performance impacts, end-user workflow impediments, and single-point-of-failure bottlenecks created by using BYOE as a primary defense mechanism for data that will be stored in these modern cloud platforms,” the expert added.

“There can be implementation challenges and significant costs for BYOE, so it is most appropriate for companies that provide a public service and face a legislative requirement to encrypt the data they store in the cloud. Oftentimes this means organizations that handle personally identifiable information on servers – so companies that deal with medical records, financial records and any other highly sensitive data of that nature,” Dr. Berk noted.

Experts believe BYOE is not recommended for organizations with tight budgets or ones that don’t have the IT capabilities necessary to manage it.

BYOE Challenges

BYOE has some advantages, but if the encryption package is misconfigured, it’s as worthless as no encryption. This is one of the biggest risks or challenges for companies that aim to bring their own encryption by building an encryption package from off-the-shelf products, according to Dr. Berk.

“Consider individuals who only purchase exclusive automobiles. If they need a new oil filter or experience mechanical issues, it will take a long time to troubleshoot the problem and find the right replacement parts because there are fewer automobiles of this type and fewer individuals who have experienced similar issues. Ultimately, you’re increasing the chances that you will make a mistake with your encryption package,” Dr. Berk explained.

According to Tumulak, finding a solution that fits your organization’s deployment model, risk posture and IT capabilities is one of the major challenges. Another challenge can be identifying the elements that need to be protected.

“If planning to limit the implementation to only critical assets (production instances, for instance, but not development and test environments), identifying all the locations and data that need protecting can be a difficult first step.  Larger organizations may not have good knowledge of what business units have implemented, or are already using in cloud environments as they may have independently implemented with the knowledge of core IT and IT Security groups,” Tumulak explained.

O’Brien makes an interesting point regarding the “cloud unfriendliness” of BYOE, especially now that cloud strategy takes on an increasingly important role in most organizations. 

“For example, an organization that is using Google Apps and relies heavily on Google Drive may (correctly) identify the need for encryption, but should be cautious about implementing a BYOE strategy that filters their inbound and outbound traffic to the Google platform through a forward or reverse proxy. Doing so will impair the functionality and real-time collaboration of Drive itself,” O’Brien said.

As Pate highlighted, key management is one of the disadvantages of BYOE, but this aspect is also a challenge for organizations that want to use their own encryption.

“Many organizations choose a per-platform encryption solution such as those that come with the database being used. Larger organizations can easily run into trouble by going down this path as they may well end up with multiple encryption solutions from multiple vendors and therefore multiple key management solutions. There are also solutions that are tied to one cloud platform or another resulting in vendor lock-in,” Pate explained.

Addressing BYOE challenges

When it comes to addressing BYOE challenges, Dr. Berk explained, “Organizations should think of BYOE as an engineering process. You must understand where your data flows, when the data will be exposed and when it makes sense to add layers of encryption. Frequent testing is key to making sure you’ve built an encryption package that will withstand the types of threats you expect to face.”

“Think broader. An encryption and key management solution that covers physical as well as virtual servers, all hypervisors and any cloud-based platform allows you to have a single, robust solution which not only gives you the data security you need but also allows you to use it anywhere,” Pate said.

Choosing a solution from a respected vendor is also important, according to Pate, who points to the case of TrueCrypt, whose developers recently announced shutting down the project.

“BYOE represents both a strategic initiative around data protection and an implementation; the best practices for achieving the former are to anticipate and avoid the limitations of the latter,” noted O’Brien.

“Organizations who want the security of encryption while maintaining the benefits of modern (cloud) infrastructure can do so by shifting their encryption approach to a cloud-native solution, especially where they can selectively protect sensitive data (and can combine encryption-as-control with the agility to differentiate sensitive and non-sensitive data),” O’Brien added.

As for addressing the challenges he has named, finding the right solution and identifying what needs protecting, Tumulak believes the first requires some hard work on the organization’s part in planning and vendor selection.

“Identify solutions that deploy easily, ideally with minimal changes to your environment (transparent to your applications, if you will).  Solutions should be able to be integrated with your deployment and management solutions (cloud or VMware type images, provisioning systems, SIEM / Security Monitoring, Auditing) and should be within the capabilities for your IT staff to implement and manage without a lengthy services engagement,” Tumulak said.

When it comes to identifying sensitive data, Tumulak points out that commercial tools are available for such tasks.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.