Customer Managed Keys (CMK): explained
Enterprise cloud customers are increasingly demanding Customer Managed Keys for enhanced privacy, security, and control of their sensitive data in the cloud.
What is CMK?
Customer Managed Keys, or CMK, is a cloud architecture that gives customers ownership of the encryption keys that protect some or all of their data stored in SaaS applications. It is per-tenant encryption where your customers can independently monitor usage of their data and revoke all access to it if desired.
CMK goes by many names, none of which are well defined and all of which are very similar:
- BYOK - Bring Your Own Keys
- EKM - Enterprise Key Management
- CHEK - Customer Held Encryption Keys
- CYOK - Control Your Own Key
- HYOK - Hold Your Own Key
- BYOE - Bring Your Own Encryption
- BYOKMS - Bring Your Own Key Management Server
Regardless of name, CMK has these parts:
- Per-tenant encryption for some or all customer data.
- Your customer (tenant) manages a master key or keys needed for decryption.
- Your customer can independently monitor all data access.
- Your customer can independently revoke access at any time.
BYOK can be configured in multiple ways, and its use across companies varies. Download our industry comparison infographic to see what that looks like.
Buyers of cloud services and mobile devices should demand that providers offer them the option of managing their own encryption keys.
Infographic eBook on Customer Managed Keys
This informative PDF visually explains CMK and key concepts around it including decision points and trade-offs. Suitable for technical and business-level understanding of the popular security feature.
Breaking down how CMK works
In CMK, you encrypt sensitive customer data before you store it. When you need data access, you call your customer’s infrastructure to get the decryption key. Your customer can revoke access by refusing to return the key, and they get an independent audit event on every request.
Storing and encrypting data in CMK involves multiple layers of keys. The typical approach uses two layers and is referred to as “envelope encryption.” In envelope encryption, you first encrypt data with a data encryption key or DEK. You use a second master key, or MK, to encrypt the DEK, producing an Encrypted DEK or EDEK.
You have access to the DEK while you are encrypting or decrypting, but you agree to wipe the key from memory after use. You never persist the DEK to storage. Instead, you store the encrypted DEK, or EDEK, alongside encrypted data. Typically you add a column to your database schema or persist the EDEK as object metadata.
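The envelope flow just described, written out as a runnable Go example. This is an added illustration, not IronCore's code and not the SaaS Shield SDK: the TenantKMS type is a constructed, in-process stand-in for the customer's key service (a real deployment calls the tenant's cloud KMS over the network), the 403 is modelled as ErrAccessRevoked, and all names are assumptions. It shows the DEK being used once and wiped, only the EDEK and ciphertext being kept, every wrap/unwrap request landing in the tenant's own audit log (denials included), and revocation cutting off decryption of data the SaaS still holds.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// ErrAccessRevoked models the 403 the tenant's key service returns once the
// customer has revoked access: from then on no EDEK can be unwrapped.
var ErrAccessRevoked = errors.New("kms: 403 access revoked by tenant")

// TenantKMS is a constructed stand-in for the customer-controlled key service.
// The master key (MK) lives only here and is never returned to the SaaS side.
type TenantKMS struct {
	masterKey []byte
	revoked   bool
	AuditLog  []string // one entry per request, visible only to the tenant
}

func NewTenantKMS() *TenantKMS { return &TenantKMS{masterKey: randomBytes(32)} }

// Revoke is the tenant's kill switch: every later wrap/unwrap is refused.
func (k *TenantKMS) Revoke() { k.revoked = true }

// WrapDEK encrypts a DEK under the MK, producing the EDEK the SaaS may persist.
func (k *TenantKMS) WrapDEK(requester string, dek []byte) ([]byte, error) {
	k.AuditLog = append(k.AuditLog, "wrap by "+requester)
	if k.revoked {
		return nil, ErrAccessRevoked
	}
	return gcmSeal(k.masterKey, dek), nil
}

// UnwrapDEK is the per-request call the SaaS makes whenever it needs plaintext;
// the request is logged before it is answered, so the tenant also sees denials.
func (k *TenantKMS) UnwrapDEK(requester string, edek []byte) ([]byte, error) {
	k.AuditLog = append(k.AuditLog, "unwrap by "+requester)
	if k.revoked {
		return nil, ErrAccessRevoked
	}
	return gcmOpen(k.masterKey, edek)
}

// Encrypt runs on the SaaS side: fresh DEK per record, data sealed under the
// DEK, DEK wrapped by the tenant, DEK wiped. Only (EDEK, ciphertext) is stored.
func Encrypt(kms *TenantKMS, requester string, plaintext []byte) (edek, ciphertext []byte, err error) {
	dek := randomBytes(32)
	defer zero(dek)
	ciphertext = gcmSeal(dek, plaintext)
	if edek, err = kms.WrapDEK(requester, dek); err != nil {
		return nil, nil, err
	}
	return edek, ciphertext, nil
}

// Decrypt asks the tenant to unwrap the EDEK, uses the DEK once and wipes it.
// ErrAccessRevoked coming back here is the tenant exercising revocation.
func Decrypt(kms *TenantKMS, requester string, ciphertext, edek []byte) ([]byte, error) {
	dek, err := kms.UnwrapDEK(requester, edek)
	if err != nil {
		return nil, err
	}
	defer zero(dek)
	return gcmOpen(dek, ciphertext)
}

// aead builds AES-256-GCM; every key here is 32 bytes, so a failure is a bug.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// gcmSeal returns nonce || ciphertext || tag with a fresh random nonce.
func gcmSeal(key, plaintext []byte) []byte {
	gcm := aead(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

func gcmOpen(key, sealed []byte) ([]byte, error) {
	gcm := aead(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failed CSPRNG read is not recoverable
	}
	return b
}

// zero overwrites key material so a DEK does not linger in memory after use.
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}
```

The shape of Encrypt and Decrypt deliberately matches the two-call pattern described at the end of this page: the application hands over plaintext plus request metadata (here just the requester name) and gets back an EDEK and ciphertext to store; decryption takes both back and returns plaintext or the tenant's refusal. Note that the check for revocation happens after the audit entry is written, which is what gives the tenant visibility into attempts made after they pulled access.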
The sequence diagram below shows the decryption data flow. Notice how the log request data flow provides independent monitoring and the 403 allows revocation:
[Diagram: How CMK Works]
5 Things SaaS Companies Get Wrong with CMK
There are five main ways that software providers get it wrong when delivering CMK to their customers -- and without clear standards, these are easy mistakes to make.
SaaS Shield
IronCore Labs’ application-layer encryption (ALE) platform is a highly performant way to handle customer managed keys and other cloud data encryption concerns from keys to audit trails to data sovereignty requirements. It can be combined with other products to enable search over encrypted data and AI data. Learn more about the SaaS Shield platform:
IronCore adds a number of features and integrations and handles a variety of supported key management systems including Google Cloud KMS, Amazon KMS, Azure Key Vault, and Thales CipherTrust Manager so your customers can use their platform of choice. IronCore also enables your customers to manage KMS configurations using end-to-end encryption and abstracts policy choices away from developers so your developers can focus on simple integration code without worrying about the complexities of key management, cryptography choices, SIEM integration, and so forth.
The diagram below shows how this works, with IronCore's persistence-free Tenant Security Proxy running in your infrastructure as a Docker container and the Configuration Broker (our administration app) either run by IronCore or running in your infrastructure as a separate Docker container.
Four reasons why you should care about CMK
Customers have been asking for "Customer Managed Keys" functionality for years, but the urgency has increased for a variety of reasons. Most notably:
Consumer privacy laws
In 2017 and 2018, 50 countries passed new privacy laws. The EU's General Data Protection Regulation (GDPR) mandates that companies keep the personally identifiable information (PII) of their customers secure and private. These companies remain responsible for that security when they pass PII on to third-party vendors, such as SaaS providers. CMK brings visibility into how data is accessed and brings the ability to revoke that access.
Industry analysts and best practices
Analysts from Gartner, Forrester, and 451 Research all strongly recommend that large companies request CMK as a best practice for SaaS vendors.
Reduced risk of breach
Breaches are ever-present in the news media. Every week a new large brand is embarrassed by a data breach. The complexity of networks and interconnecting systems means a network breach is likely. Knowing this, customers want to know that their data is encrypted and that the encryption isn't transparent to anyone who happens to gain access to a system. In other words, transparent disk encryption and HTTPS are no longer sufficient for IT Vendor Management Review teams.
Top tier has delivered
After years of asking, top SaaS companies have started to offer CMK. Salesforce released their "Cache-only Key Service" in 2019. Also in 2019, Slack released their "Enterprise Key Management" feature. Box has offered CMK (under several different names) for several years now. And Microsoft offers a "Bring Your Own Key" option for its Azure Key Vault. Companies using this feature have begun to demand it from the rest of their vendors, if those vendors handle sensitive and regulated data such as PII.
Benefits of using IronCore Labs for CMK
IronCore provides a turnkey CMK implementation that quickly and easily integrates into your SaaS application. While do-it-yourself CMK implementations average 15 months, IronCore CMK gets you to market in 90 days, winning you renewals, sales, and competitive differentiation.
- Integrate Once, Many KMS
- Policy Based
- Get it Right
- Developer-proof
- Zero Trust Path
- Low Latency / High Availability
- End-to-end Encryption
- Only a few lines of code
Primary two calls to add to your application:
(EDEK, ciphertext) = IRON.encrypt(metadata, plaintext);
plaintext = IRON.decrypt(metadata, ciphertext, EDEK);
For more details, see our "CMK: What Architects Need To Know" white paper or read our documentation.