Bring your own encryption

Last updated

Bring your own encryption (BYOE), also known as bring your own key (BYOK), is a cloud computing security marketing model that aims to help cloud service customers to use their own encryption software and manage their own encryption keys. [1] BYOE allows cloud service customers to use a virtual instance of their own encryption software together with the business applications they are hosting in the cloud in order to encrypt their data. [2] The hosted business applications are then set up so that all their data will be processed by the encryption software, which then writes the ciphertext version of the data onto the cloud service provider's physical data store, and readily decrypts ciphertext data upon retrieval requests. [3] This gives the enterprise the perceived control of its keys and producing its own master key by relying on its own internal hardware security modules (HSM) that are then transmitted to the HSM within the cloud. Data owners may believe their data is secured because the master key lies in the enterprise's HSM and not that of the cloud service provider. [4] When the data is no longer needed (i.e. when cloud users choose to abandon the cloud service), the keys can simply be deleted to render data encrypted with said keys permanently inaccessible. This practice is called crypto-shredding.

Contents

Benefits

By using its own keys, an organization can securely store data with unique encryption that no other party has access to. [5] This can allow multiple organizations to share the same hardware infrastructure via cloud services like Amazon Web Services (AWS) or Google Cloud while maintaining encryption to comply with HIPAA or similar standards.

Drawbacks

With multiple users sharing the same hardware and each using their own encryption, resource utilization can be higher compared to traditional encryption practices. While it may be possible to minimize this issue, that may hinder the security benefits. [6]

See also

Related Research Articles

<span class="mw-page-title-main">Encryption</span> Process of converting plaintext to ciphertext

In cryptography, encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can decipher a ciphertext back to plaintext and access the original information. Encryption does not itself prevent interference but denies the intelligible content to a would-be interceptor.

Trusted Computing (TC) is a technology developed and promoted by the Trusted Computing Group. The term is taken from the field of trusted systems and has a specialized meaning that is distinct from the field of confidential computing. With Trusted Computing, the computer will consistently behave in expected ways, and those behaviors will be enforced by computer hardware and software. Enforcing this behavior is achieved by loading the hardware with a unique encryption key that is inaccessible to the rest of the system and the owner.

<span class="mw-page-title-main">Secure cryptoprocessor</span> Device used for encryption

A secure cryptoprocessor is a dedicated computer-on-a-chip or microprocessor for carrying out cryptographic operations, embedded in a packaging with multiple physical security measures, which give it a degree of tamper resistance. Unlike cryptographic processors that output decrypted data onto a bus in a secure environment, a secure cryptoprocessor does not output decrypted data or decrypted program instructions in an environment where security cannot always be maintained.

Key management refers to management of cryptographic keys in a cryptosystem. This includes dealing with the generation, exchange, storage, use, crypto-shredding (destruction) and replacement of keys. It includes cryptographic protocol design, key servers, user procedures, and other relevant protocols.

A remote, online, or managed backup service, sometimes marketed as cloud backup or backup-as-a-service, is a service that provides users with a system for the backup, storage, and recovery of computer files. Online backup providers are companies that provide this type of service to end users. Such backup services are considered a form of cloud computing.

Software as a service is a form of cloud computing in which the provider offers the use of application software to a client and manages all the physical and software resources used by the application. The distinguishing feature of SaaS compared to other software delivery models is that it separates "the possession and ownership of software from its use". SaaS began around the turn of the twenty-first century and became the main form of software application deployment by 2023.

<span class="mw-page-title-main">Hardware security module</span> Physical computing device

A hardware security module (HSM) is a physical computing device that safeguards and manages secrets, performs encryption and decryption functions for digital signatures, strong authentication and other cryptographic functions. These modules traditionally come in the form of a plug-in card or an external device that attaches directly to a computer or network server. A hardware security module contains one or more secure cryptoprocessor chips.

Cloud storage is a model of computer data storage in which data, said to be on "the cloud", is stored remotely in logical pools and is accessible to users over a network, typically the Internet. The physical storage spans multiple servers, and the physical environment is typically owned and managed by a cloud computing provider. These cloud storage providers are responsible for keeping the data available and accessible, and the physical environment secured, protected, and running. People and organizations buy or lease storage capacity from the providers to store user, organization, or application data.

In cryptography, a hybrid cryptosystem is one which combines the convenience of a public-key cryptosystem with the efficiency of a symmetric-key cryptosystem. Public-key cryptosystems are convenient in that they do not require the sender and receiver to share a common secret in order to communicate securely. However, they often rely on complicated mathematical computations and are thus generally much more inefficient than comparable symmetric-key cryptosystems. In many applications, the high cost of encrypting long messages in a public-key cryptosystem can be prohibitive. This is addressed by hybrid systems by using a combination of both.

Platform as a service (PaaS) or application platform as a service (aPaaS) or platform-based service is a category of cloud computing services that allows customers to provision, instantiate, run, and manage a modular bundle comprising a computing platform and one or more applications, without the complexity of building and maintaining the infrastructure typically associated with developing and launching the application(s), and to allow developers to create, develop, and package such software bundles.

<span class="mw-page-title-main">Cloud computing</span> Form of shared internet-based computing

Cloud computing is the on-demand availability of computer system resources, especially data storage and computing power, without direct active management by the user. Large clouds often have functions distributed over multiple locations, each of which is a data center. Cloud computing relies on sharing of resources to achieve coherence and typically uses a pay-as-you-go model, which can help in reducing capital expenses but may also lead to unexpected operating expenses for users.

Eucalyptus is a paid and open-source computer software for building Amazon Web Services (AWS)-compatible private and hybrid cloud computing environments, originally developed by the company Eucalyptus Systems. Eucalyptus is an acronym for Elastic Utility Computing Architecture for Linking Your Programs To Useful Systems. Eucalyptus enables pooling compute, storage, and network resources that can be dynamically scaled up or down as application workloads change. Mårten Mickos was the CEO of Eucalyptus. In September 2014, Eucalyptus was acquired by Hewlett-Packard and then maintained by DXC Technology. After DXC stopped developing the product in late 2017, AppScale Systems forked the code and started supporting Eucalyptus customers.

Cloud computing security or, more simply, cloud security, refers to a broad set of policies, technologies, applications, and controls utilized to protect virtualized IP, data, applications, services, and the associated infrastructure of cloud computing. It is a sub-domain of computer security, network security, and, more broadly, information security.

<span class="mw-page-title-main">Cloud computing architecture</span> Overview about the cloud computing architecture

Cloud computing architecture refers to the components and subcomponents required for cloud computing. These components typically consist of a front end platform, back end platforms, a cloud based delivery, and a network. Combined, these components make up cloud computing architecture.

Datain use is an information technology term referring to active data which is stored in a non-persistent digital state typically in computer random-access memory (RAM), CPU caches, or CPU registers.

Google Cloud Platform (GCP), offered by Google, is a suite of cloud computing services that provides a series of modular cloud services including computing, data storage, data analytics, and machine learning, alongside a set of management tools. It runs on the same infrastructure that Google uses internally for its end-user products, such as Google Search, Gmail, and Google Docs, according to Verma, et.al. Registration requires a credit card or bank account details.

Cloud computing is used by most people every day, but there are issues that limit its widespread adoption. It is one of the fast developing area that can instantly supply extensible services by using internet with the help of hardware and software virtualization. Cloud computing biggest advantage is flexible lease and release of resources as per the requirement of the user. Its other advantages include efficiency, compensating the costs in operations and management. It curtails down the high prices of hardware and software

Utimaco Atalla, founded as Atalla Technovation and formerly known as Atalla Corporation or HP Atalla, is a security vendor, active in the market segments of data security and cryptography. Atalla provides government-grade end-to-end products in network security, and hardware security modules (HSMs) used in automated teller machines (ATMs) and Internet security. The company was founded by Egyptian engineer Mohamed M. Atalla in 1972. Atalla HSMs are the payment card industry's de facto standard, protecting 250 million card transactions daily as of 2013, and securing the majority of the world's ATM transactions as of 2014.

"X as a service" is a phrasal template for any business model in which a product use is offered as a subscription-based service rather than as an artifact owned and maintained by the customer. Originating from the software as a service concept that appeared in the 2010s with the advent of cloud computing, the template has expanded to numerous offerings in the field of information technology and beyond it. The term XaaS can mean "anything as a service".

Crypto-shredding is the practice of 'deleting' data by deliberately deleting or overwriting the encryption keys. This requires that the data have been encrypted. Data may be considered to exist in three states: data at rest, data in transit and data in use. General data security principles, such as in the CIA triad of confidentiality, integrity, and availability, require that all three states must be adequately protected.

References

  1. Rouse, Margaret (22 February 2014). "BYOE(Bring Your Own Encryption)". What Is. Retrieved 10 April 2015.
  2. "Control of Your Cloud Data Encryption with Bring Your Own Encryption (BYOE)". parachute.cloud. 2021-09-21. Retrieved 2023-12-25.
  3. Steve, Wexier (24 March 2014). "Solving Cloud Security Will Open Adoption Floodgates". IT Trends & Analysis. Archived from the original on 20 April 2015. Retrieved 10 April 2015.
  4. Zhang, Hongwen (6 April 2015). "Bring your own encryption: New term in the cloud age". Networks Asia. Archived from the original on 14 August 2017. Retrieved 10 April 2015.
  5. "Bring Your Own Encryption to the Public Cloud". Thales Group. Retrieved 22 May 2024.
  6. "THE RIGHT WAY TO THINK ABOUT BRING YOUR OWN KEY ENCRYPTION". Antimatter. Retrieved 22 May 2024.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.