Bring Your Own Keys (BYOK): explained

Enterprise cloud customers are increasingly demanding Bring Your Own Keys for enhanced privacy, security, and control of their sensitive data in the cloud.


What is BYOK?

Bring Your Own Keys, or BYOK, is a key-management pattern for cloud services that gives customers ownership of the encryption keys protecting some or all of their data stored in SaaS applications. It is per-tenant encryption in which your customers can independently monitor use of their data and revoke all access to it if they choose.

BYOK goes by many names, none of them well defined and all of them describing very similar things:

  • EKM - Enterprise Key Management
  • CMK - Customer Managed Keys
  • CHEK - Customer Held Encryption Keys
  • CYOK - Control Your Own Key
  • HYOK - Hold Your Own Key
  • BYOE - Bring Your Own Encryption
  • BYOKMS - Bring Your Own Key Management Server

The one distinction worth checking in a vendor's documentation is where the master key actually lives: some offerings import customer key material into the provider's own KMS or HSM, while others (the sense in which HYOK is usually used) leave the key in a KMS the customer runs. Regardless of name, BYOK has these parts:

  • Per-tenant encryption for some or all customer data.
  • Your customer (tenant) manages a master key or keys needed for decryption.
  • Your customer can independently monitor all data access.
  • Your customer can independently revoke access at any time.

BYOK can be configured in multiple ways, and its use across companies varies. Download our industry comparison infographic to see what that looks like.

Compare BYOK Infographic
Buyers of cloud services and mobile devices should demand that providers offer them the option of managing their own encryption keys.
─ Gartner

Infographic eBook on Bring Your Own Keys

This informative PDF visually explains BYOK and key concepts around it including decision points and trade-offs. Suitable for technical and business-level understanding of the popular security feature.

Breaking down how BYOK works

In BYOK, you encrypt sensitive customer data before you store it. When you need to read it, you send the wrapped key to your customer's key management infrastructure and ask it to unwrap the decryption key; the master key itself never leaves their control. Your customer can revoke access by refusing to return the key, and they get an independent audit event on every request.

Storing and encrypting data in BYOK involves multiple layers of keys. The typical approach uses two layers and is referred to as "envelope encryption." In envelope encryption, you first encrypt the data with a data encryption key, or DEK. You then use a second key, the master key or MK, which lives in your customer's KMS, to encrypt the DEK, producing an Encrypted DEK or EDEK.

You hold the DEK in memory only while you are encrypting or decrypting, and you wipe it from memory as soon as you are done. You never persist the DEK to storage. Instead, you store the EDEK alongside the encrypted data, typically by adding a column to your database schema or persisting the EDEK as object metadata.

The sequence diagram below shows the decryption data flow. Notice how the "log request" step gives the customer independent monitoring, and how a 403 response from their KMS is what revocation looks like to your application:

[Infographic: How BYOK Works. Customer Managed Keys overview: you store the encrypted data and the encrypted DEK (EDEK); your customer controls the keys and audits access.]
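The flow described above, as an added example (this is not IronCore's code or API, and the real KMS call would be a network request to the tenant's KMS). A toy tenant KMS wraps and unwraps DEKs under a master key that never leaves it, records every request in an in-memory audit log standing in for the tenant's SIEM, and answers with a 403-style error once the tenant revokes. The SaaS side does envelope encryption with AES-256-GCM, persists only ciphertext plus EDEK, and wipes the DEK after use. The names (CustomerKMS, WrapDEK, Encrypt, Decrypt, ErrDenied) and the practice of binding the tenant ID as AEAD associated data are my assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// ErrDenied models the 403 the customer KMS returns once the tenant revokes access.
var ErrDenied = errors.New("403 denied: tenant has revoked access")

// CustomerKMS is a stand-in for the tenant's KMS: the master key never leaves it, and every
// request, granted or denied, is appended to AuditLog (a stand-in for the tenant's SIEM).
type CustomerKMS struct {
	masterKey []byte
	revoked   bool
	AuditLog  []string
}

func NewCustomerKMS() (*CustomerKMS, error) {
	mk, err := randomBytes(32)
	return &CustomerKMS{masterKey: mk}, err
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

// zero wipes a key buffer after use (best effort: the GC may still hold other copies).
func zero(b []byte) { for i := range b { b[i] = 0 } }

func newAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // keys here are always 32 bytes, so this cannot fail
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // nor this, for AES's 16-byte block size
	return aead
}

// seal encrypts under a fresh random nonce (prefixed to the output); aad (the tenant ID) is
// authenticated but not encrypted, so an EDEK cannot be replayed under another tenant.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead := newAEAD(key)
	nonce, err := randomBytes(aead.NonceSize())
	if err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

func open(key, sealed, aad []byte) ([]byte, error) {
	aead := newAEAD(key)
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// WrapDEK turns a DEK into an EDEK under the master key; UnwrapDEK reverses it. Both log
// before checking revocation, so the tenant sees an audit event even for denied requests.
func (k *CustomerKMS) WrapDEK(tenantID string, dek []byte) ([]byte, error) {
	k.AuditLog = append(k.AuditLog, "wrap tenant="+tenantID)
	if k.revoked {
		return nil, ErrDenied
	}
	return seal(k.masterKey, dek, []byte(tenantID))
}

func (k *CustomerKMS) UnwrapDEK(tenantID string, edek []byte) ([]byte, error) {
	k.AuditLog = append(k.AuditLog, "unwrap tenant="+tenantID)
	if k.revoked {
		return nil, ErrDenied
	}
	return open(k.masterKey, edek, []byte(tenantID))
}

// Revoke is the tenant pulling the plug: from now on every wrap/unwrap gets a 403.
func (k *CustomerKMS) Revoke() { k.revoked = true }

// Encrypt returns (EDEK, ciphertext), the only two things the SaaS persists. The DEK is
// fresh per record, wrapped by the tenant's KMS, and wiped before returning.
func Encrypt(kms *CustomerKMS, tenantID string, plaintext []byte) ([]byte, []byte, error) {
	dek, err := randomBytes(32)
	if err != nil {
		return nil, nil, err
	}
	defer zero(dek)
	edek, err := kms.WrapDEK(tenantID, dek)
	if err != nil {
		return nil, nil, err
	}
	ct, err := seal(dek, plaintext, []byte(tenantID))
	return edek, ct, err
}

// Decrypt asks the tenant's KMS to unwrap the EDEK; a revocation surfaces as ErrDenied.
func Decrypt(kms *CustomerKMS, tenantID string, edek, ciphertext []byte) ([]byte, error) {
	dek, err := kms.UnwrapDEK(tenantID, edek)
	if err != nil {
		return nil, err
	}
	defer zero(dek)
	return open(dek, ciphertext, []byte(tenantID))
}
```

Usage is `edek, ct, err := Encrypt(kms, "acme", plaintext)` on write and `Decrypt(kms, "acme", edek, ct)` on read; after `kms.Revoke()` the second call returns ErrDenied, and the tenant's audit log still records the denied attempt. Two details carry over to a real deployment: the master key should sit in the customer's KMS or HSM and be used only through its wrap/unwrap (or encrypt/decrypt) API, and the DEK wipe is best effort in a garbage-collected language, which is worth stating honestly to customers who ask about it.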

5 Things SaaS Companies Get Wrong with BYOK

There are five main ways that software providers get it wrong when delivering BYOK to their customers -- and without clear standards, these are easy mistakes to make.

SaaS Shield

IronCore Labs' application-layer encryption (ALE) platform handles customer managed keys and related cloud data encryption concerns, from keys to audit trails to data sovereignty requirements, with low overhead. It can be combined with other IronCore products to enable search over encrypted data and protection of data used by AI systems. Learn more about the SaaS Shield platform:

SaaS Shield Product Page
[Sequence diagram (decryption data flow): User → SaaS: get data. SaaS: fetch EDEK and fetch encrypted data. SaaS → Customer KMS: decrypt EDEK. Customer KMS: log request to SIEM. Grant: Customer KMS → SaaS: decrypted DEK; SaaS decrypts the data using the DEK, wipes the DEK after decrypt, and returns the data to the user. Deny: Customer KMS → SaaS: 403 Denied; SaaS returns an error to the user.]

IronCore adds a number of features and integrations and supports a range of key management systems, including Google Cloud KMS, AWS KMS, Azure Key Vault, and Thales CipherTrust Manager, so your customers can use the platform of their choice. IronCore also lets your customers manage KMS configurations under end-to-end encryption and abstracts policy choices away from developers, so they can focus on simple integration code without worrying about key management, cryptographic choices, SIEM integration, and so forth.

The diagram below shows how this works, with IronCore's persistence-free Tenant Security Proxy running in your infrastructure as a Docker container and the Configuration Broker (our administration app) either run by IronCore or running in your infrastructure as a separate Docker container.

[Architecture diagram: your Application, via the IronCore Client Library, calls the Tenant Security Proxy running in your infrastructure; the proxy talks to the Customer KMS / HSM (AWS, Azure, GCP) and the Customer SIEM (StackDriver, Splunk, LogRhythm). The Configuration Broker holds a zero-trust configuration store and is administered from a web browser over end-to-end encryption.]

Four reasons why you should care about BYOK

Customers have been asking for "Bring Your Own Keys" functionality for years, but the urgency has increased for a variety of reasons. Most notably:

Consumer privacy laws

In 2017 and 2018, 50 countries passed new privacy laws. The EU's General Data Protection Regulation (GDPR) mandates that companies keep the personally identifiable information (PII) of their customers secure and private. These companies remain responsible for that security when they pass PII on to third-party vendors, such as SaaS providers. BYOK brings visibility into how data is accessed and the ability to revoke that access.

Industry analysts and best practices

Analysts from Gartner, Forrester, and 451 Research all strongly recommend that large companies request BYOK as a best practice for SaaS vendors.

Reduced risk of breach

Breaches are ever-present in the news media. Every week a new large brand is embarrassed by a data breach. The complexity of networks and interconnecting systems means a network breach is likely. Knowing this, customers want to know that their data is encrypted and that the encryption isn't transparent to anyone who happens to gain access to a system. In other words, transparent disk encryption and HTTPS are no longer sufficient for IT vendor management review teams.

Top tier has delivered

After years of asking, top SaaS companies have started to offer BYOK. Salesforce released its "Cache-Only Key Service" in 2019. Also in 2019, Slack released its "Enterprise Key Management" feature. Box has offered BYOK (under several different names) for several years now. And Microsoft offers a "Bring Your Own Key" option for Azure Key Vault. Companies using these features have begun to demand the same from the rest of their vendors, wherever those vendors handle sensitive and regulated data such as PII.

Benefits of using IronCore Labs for BYOK

IronCore provides a turnkey BYOK Implementation that quickly and easily integrates into your SaaS application. While do-it-yourself BYOK implementations average 15 months, IronCore BYOK gets you to market in 90 days, winning you renewals, sales, and competitive differentiation.

  • Integrate Once, Many KMS
  • Policy Based
  • Get it Right
  • Developer-proof
  • Zero Trust Path
  • Low Latency / High Availability
  • End-to-end Encryption
  • Only a few lines of code

The two primary calls to add to your application:

      (EDEK, ciphertext) = IRON.encrypt(metadata, plaintext);
      plaintext = IRON.decrypt(metadata, ciphertext, EDEK);

For more details, see our "BYOK: What Architects Need To Know" white paper or read our documentation.