Thursday, May 18, 2017

ICMC17: Control Your Cloud: BYOK is Good, But Not Enough

Matt Landrock, CEO, Cryptomathic

BYOK (Bring Your Own Key) suggests a one-way mechanism: your key, my cloud.

The word "key" is generally understood in a very broad sense (symmetric and asymmetric); however, cloud service providers use it in a narrower, provider-specific sense.

The key management services currently on offer come from Microsoft Azure, Amazon AWS and Google Cloud Platform. Azure uses Thales HSMs and Amazon uses Gemalto HSMs; Google doesn't appear to use an HSM at this time. Their biggest differences are in the BYOK protocols (key wrapping, etc.).

BYOK is an important tool, but should not be the only tool in your toolbox. It helps you get your own key into the cloud, so you know the key meets your standards for generation. The cloud provider will handle the rest for you, but not in a way that is consistent across providers, so there are lots of hurdles to get through to make this work.

MYOK - Manage Your Own Keys! MYOK implies you can manage import/export, lifecycle and generation all by yourself: provision keys when you need them, destroy them when you're done. How can you do this in a way that is meaningful for your business?

Centralized key managers are moving into the market space.

Key management is more than just keys: each key carries a name, an algorithm, a length and export settings. And many key formats end up being vendor specific (some use standards like PKCS#8, but many more are proprietary).
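To make the BYOK exchange and the MYOK attributes concrete, here is an added example (my own code, not from the talk, Cryptomathic, or any of the cloud providers named above). It models the common shape of a key-import protocol: the provider publishes a public wrapping key, the customer generates AES key material under its own control, wraps it with RSA-OAEP-SHA256, and the provider unwraps it; the customer then checks a fingerprint to confirm the provider holds the same key. The wrapping scheme, the `KeyRecord` fields (name, algorithm, length, export setting) and the export-policy check are assumptions of this example, not any provider's actual protocol or schema.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// KeyRecord is the metadata a key manager keeps beside the material itself:
// name, algorithm, length and export setting, plus a fingerprint so the owner
// can later check which key the provider holds. The field set is an
// assumption of this example, not any provider's schema.
type KeyRecord struct {
	Name        string
	Algorithm   string
	LengthBits  int
	Exportable  bool
	Fingerprint string // hex SHA-256 of the raw key bytes
}

func fingerprint(raw []byte) string {
	sum := sha256.Sum256(raw)
	return hex.EncodeToString(sum[:])
}

// GenerateCustomerKey creates AES key material under the customer's own
// control (on a customer HSM in practice) and records its metadata.
func GenerateCustomerKey(name string, bits int, exportable bool) ([]byte, KeyRecord, error) {
	if bits != 128 && bits != 192 && bits != 256 {
		return nil, KeyRecord{}, errors.New("AES key length must be 128, 192 or 256 bits")
	}
	raw := make([]byte, bits/8)
	if _, err := rand.Read(raw); err != nil {
		return nil, KeyRecord{}, err
	}
	rec := KeyRecord{Name: name, Algorithm: "AES", LengthBits: bits,
		Exportable: exportable, Fingerprint: fingerprint(raw)}
	return raw, rec, nil
}

// WrapForImport encrypts the key material to the provider's public wrapping
// key with RSA-OAEP-SHA256 (an assumed scheme), so only the matching private
// key, ideally HSM-resident, can recover it.
func WrapForImport(pub *rsa.PublicKey, raw []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, raw, nil)
}

// UnwrapImport is the provider side: recover the material under the private key.
func UnwrapImport(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// VerifyImport lets the customer confirm, from a fingerprint and length the
// provider reports back, that the provider holds exactly the key generated above.
func VerifyImport(rec KeyRecord, providerFingerprint string, providerBits int) bool {
	return rec.Fingerprint == providerFingerprint && rec.LengthBits == providerBits
}

// ExportFromProvider models one lifecycle rule MYOK needs enforced: material
// leaves the provider only if its record marks it exportable.
func ExportFromProvider(rec KeyRecord, raw []byte) ([]byte, error) {
	if !rec.Exportable {
		return nil, errors.New("key " + rec.Name + " is marked non-exportable")
	}
	return raw, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(b)
}

// gcmRoundTrip checks both copies are usable: the provider's copy encrypts
// and the customer's copy decrypts the result.
func gcmRoundTrip(providerKey, customerKey, msg []byte) (bool, error) {
	pg, err := newGCM(providerKey)
	if err != nil {
		return false, err
	}
	cg, err := newGCM(customerKey)
	if err != nil {
		return false, err
	}
	nonce := make([]byte, pg.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return false, err
	}
	pt, err := cg.Open(nil, nonce, pg.Seal(nil, nonce, msg, nil), nil)
	if err != nil {
		return false, err
	}
	return string(pt) == string(msg), nil
}

// RunBYOK performs the whole exchange and reports whether the provider ended
// up with the customer's key and whether the non-export policy was enforced.
func RunBYOK() (imported bool, exportBlocked bool, err error) {
	providerKey, err := rsa.GenerateKey(rand.Reader, 2048) // provider's wrapping key pair
	if err != nil {
		return false, false, err
	}
	raw, rec, err := GenerateCustomerKey("tenant-db-key", 256, false) // constructed sample
	if err != nil {
		return false, false, err
	}
	wrapped, err := WrapForImport(&providerKey.PublicKey, raw)
	if err != nil {
		return false, false, err
	}
	got, err := UnwrapImport(providerKey, wrapped)
	if err != nil {
		return false, false, err
	}
	ok, err := gcmRoundTrip(got, raw, []byte("constructed sample record"))
	if err != nil {
		return false, false, err
	}
	_, exportErr := ExportFromProvider(rec, got)
	return VerifyImport(rec, fingerprint(got), len(got)*8) && ok, exportErr != nil, nil
}

func main() {
	imported, blocked, err := RunBYOK()
	fmt.Println("imported:", imported, "export blocked:", blocked, "err:", err)
}
```

The fingerprint check is the part BYOK alone does not give you: without a record you control, you have no way to confirm later that the key living under the provider's name is still the one you generated, or to enforce attributes such as "non-exportable" consistently across providers whose own formats and protocols differ.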