How to own your data keys in the cloud

Things are looking good, I am migrating nearly all my services to “the Cloud” and just like everyone else,( we’re all using Software as a Service to some degree), we’ve already migrated email, collaboration, file storage, and our customer relationship management. We are even contemplating moving the core of our data-centre — financial systems, databases etc to public platform and infrastructure “as a Service” providers, all to run in parallel with our on-premise systems. In return I get cost effectiveness, reliability, agility, and security.

So are there any issues?

Infrastructure as a Service entails handing over ownership and operational control of your IT infrastructure to a third party but does that include responsibility for data security !?

Your service provider ensures computer, storage, and networking components are secure from external attackers and their other tenants, but it’s still you who must protect your data and application access to it.

But my provider provides encryption

Encryption is the fundamental security technology in modern computing. The vast majority of cloud service providers enable network encryption by default to protect data in transit and for data at rest, both to protect files and archives from unwanted inspection by authorized infrastructure managers, and in case of data leaks from the cloud service. But this is only truly effective when encryption keys are properly protected.

Right so?…

Controlling encryption keys — and therefore your data — you need to decide who creates keys (you or your provider), where they are managed (on-premises or in-cloud), how they are stored (hardware or software), how keys will be maintained,  and how to integrate with each different cloud model you use. You then still need to decide whether to use your own encryption library or invoke your cloud service to encrypt on your behalf.

Ok so what’s wrong with using my cloud service to encrypt?

On some levels nothing, however there is a worry that legal litigation from both local or foreign (where services may be hosted in different countries) law enforcement  could result in a subpoena for all their data. In either case you need to ensure that cloud providers cannot be compelled to turn over their encryption keys and thereby possible access to your data. If the vendor is never provided with your encryption keys, they cannot turn them over, ensuring your data’s privacy and control.

So how do you own your data keys in the cloud?

Bring Your Own Key (BYOK) allows you to encrypt your data and retain control of your encryption keys. The best solution is to generate your keys in your own HSMs, in your own environment to create and securely export your keys to the cloud.

Take a look at

nCipher – ( With nShield hardware security modules (HSMs) from nCipher Security, you can bring your own keys (BYOK) to your cloud applications, whether you’re using Amazon Web Services (AWS), Google Cloud Platform (GCP) or Microsoft Azure. nShield high-assurance HSMs enable you to continue to benefit from the flexibility and economy of cloud services, while strengthening the security of your key management practices and gaining greater control over your keys.

Download the solution brief to learn more about how nShield BYOK gives you greater control over your keys.