Customer Managed Keys: An Overview
What it is, how it works, and why it matters.
Enterprise SaaS customers are increasingly demanding “Customer Managed Keys” for enhanced privacy, security, and control of their sensitive data in the cloud.
Customer Managed Keys, or CMK, is a cloud architecture that gives customers ownership of the encryption keys that protect some or all of their data stored in SaaS applications. It is per-tenant encryption where your customers can independently monitor usage of their data and revoke all access to it if desired.
CMK is known by many names:
- EKM - Enterprise Key Management
- BYOK - Bring Your Own Keys
- CHEK - Customer Held Encryption Keys
- BYOE - Bring Your Own Encryption
Regardless of name, CMK has these parts:
- Per-tenant encryption for some or all customer data.
- Your customer (tenant) manages a master key or keys needed for decryption.
- Your customer can independently monitor all data access.
- Your customer can independently revoke access at any time.
Buyers of cloud services and mobile devices should demand that providers offer them the option of managing their own encryption keys.
In CMK, you encrypt sensitive customer data before you store it. When you need data access, you call your customer’s infrastructure to get the decryption key. Your customer can revoke access by refusing to return the key, and they get an independent audit event on every request.
Storing and encrypting data in CMK involves multiple layers of keys. The typical approach uses two layers and is referred to as “envelope encryption.” In envelope encryption, you first encrypt data with a data encryption key or DEK. You use a second master key, or MK, to encrypt the DEK, producing an Encrypted DEK or EDEK.
You have access to the DEK while you are encrypting or decrypting, but you agree to wipe the key from memory after use. You never persist the DEK to storage. Instead, you store the encrypted DEK, or EDEK, alongside encrypted data. Typically you add a column to your database schema or persist the EDEK as object metadata.
The sequence diagram below shows the decryption data flow. Notice how the log request data flow provides independent monitoring and the 403 allows revocation:
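The flow above (fresh DEK per record, EDEK stored beside the ciphertext, a call to the tenant's key service on every read that is logged and can be refused with a 403) worked through in Go as an added example. This is not IronCore's code and not the API of any real KMS: `TenantKMS` is a constructed in-memory stand-in for the customer-owned key service, AES-256-GCM is an assumed choice for both layers, and the tenant id is bound as associated data so an EDEK cannot be unwrapped under another tenant's name.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// ErrAccessRevoked stands in for the 403 the tenant's key service returns
// once the customer has revoked the SaaS vendor's access.
var ErrAccessRevoked = errors.New("tenant KMS: 403 access revoked")

// TenantKMS is a constructed stand-in for the customer-owned key service
// (Cloud KMS, AWS KMS, Key Vault). The master key MK never leaves it.
type TenantKMS struct {
	mk      []byte
	revoked bool
	Audit   []string // the tenant's independent log: one entry per request
}

// NewTenantKMS generates a random 256-bit master key on the tenant side.
func NewTenantKMS() (*TenantKMS, error) {
	mk := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, mk); err != nil {
		return nil, err
	}
	return &TenantKMS{mk: mk}, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM, binds aad, and prepends the random nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if the key, the aad or the ciphertext differ.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// WrapDEK encrypts a DEK under MK, producing the EDEK the vendor may persist.
func (k *TenantKMS) WrapDEK(tenant string, dek []byte) ([]byte, error) {
	k.Audit = append(k.Audit, "wrap tenant="+tenant)
	return seal(k.mk, dek, []byte(tenant))
}

// UnwrapDEK is called on every read: the tenant logs it and may answer 403.
func (k *TenantKMS) UnwrapDEK(tenant string, edek []byte) ([]byte, error) {
	if k.revoked {
		k.Audit = append(k.Audit, "unwrap tenant="+tenant+" -> 403")
		return nil, ErrAccessRevoked
	}
	k.Audit = append(k.Audit, "unwrap tenant="+tenant+" -> 200")
	return open(k.mk, edek, []byte(tenant))
}

// Revoke is the tenant pulling access; no further DEKs will be unwrapped.
func (k *TenantKMS) Revoke() { k.revoked = true }

// Record is what the SaaS vendor stores: ciphertext plus EDEK, never the DEK.
type Record struct {
	Ciphertext []byte
	EDEK       []byte
}

// zero is a best-effort wipe; Go cannot guarantee no copy survives elsewhere.
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// Encrypt: fresh DEK -> encrypt data -> wrap DEK at the tenant -> wipe DEK.
func Encrypt(kms *TenantKMS, tenant string, plaintext []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return Record{}, err
	}
	defer zero(dek) // the DEK lives only for the duration of this call
	ct, err := seal(dek, plaintext, []byte(tenant))
	if err != nil {
		return Record{}, err
	}
	edek, err := kms.WrapDEK(tenant, dek)
	if err != nil {
		return Record{}, err
	}
	return Record{Ciphertext: ct, EDEK: edek}, nil
}

// Decrypt: ask the tenant to unwrap the EDEK, use the DEK once, wipe it.
func Decrypt(kms *TenantKMS, tenant string, r Record) ([]byte, error) {
	dek, err := kms.UnwrapDEK(tenant, r.EDEK)
	if err != nil {
		return nil, err
	}
	defer zero(dek)
	return open(dek, r.Ciphertext, []byte(tenant))
}

func main() {
	kms, _ := NewTenantKMS()
	rec, _ := Encrypt(kms, "acme", []byte("constructed sample PII"))
	pt, err := Decrypt(kms, "acme", rec)
	fmt.Printf("before revoke: %q err=%v\n", pt, err)
	kms.Revoke()
	_, err = Decrypt(kms, "acme", rec)
	fmt.Println("after revoke:", err)
	for _, e := range kms.Audit {
		fmt.Println("audit:", e)
	}
}
```

Two points the code makes that the prose only implies: the EDEK is useless without a live answer from the tenant's service, so revocation takes effect on the next read rather than at some future re-encryption, and the tenant's audit log records the refused request as well as the successful ones.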
IronCore adds a number of features and integrations and supports a variety of key management systems, including Google Cloud KMS, Amazon KMS, and Azure Key Vault, so your customers can use their platform of choice. IronCore also manages the KMS configurations using end-to-end encryption and abstracts policy choices away from developers, so your developers can focus on simple integration code without worrying about the complexities of key management, cryptography choices, SIEM integration, and so forth. The diagram below shows how this works, with IronCore's persistence-free Encryption Service running in your infrastructure as a Docker container.
Customers have been asking for customer managed keys for years, but the urgency has increased for a variety of reasons. Most notably:
In 2017 and 2018, 50 countries passed new privacy laws. The EU's General Data Protection Regulation (GDPR) mandates that companies keep the personally identifiable information (PII) of their customers secure and private. These companies remain responsible for this security when passing PII on to third-party vendors, such as SaaS providers. CMK brings visibility into how data is accessed and the ability to revoke that access.
Analysts from Gartner, Forrester, and 451 Research all strongly recommend that large companies request CMK as a best practice for SaaS vendors.
Breaches are ever-present in the news media. Every week a new large brand is embarrassed by a data breach. The complexity of networks and interconnecting systems means a network breach is likely. Knowing this, customers want to know that their data is encrypted and that the encryption isn't transparent to anyone who happens to gain access to a system. In other words, transparent disk encryption and HTTPS are no longer sufficient for IT Vendor Management Review teams.
After years of asking, top SaaS companies have started to offer CMK. Salesforce released their "Cache-only Key Service" in 2019. Also in 2019, Slack released their "Enterprise Key Management" feature. Box has offered CMK (under several different names) for several years now. And Microsoft offers a "Bring Your Own Key" option for its Azure Key Vault. Companies using this feature have begun to demand it from the rest of their vendors, if those vendors handle sensitive and regulated data such as PII.
IronCore provides a turnkey CMK implementation that quickly and easily integrates into your SaaS application. While do-it-yourself CMK implementations average 15 months, IronCore CMK gets you to market in 90 days, winning you renewals, sales, and competitive differentiation.
- Integrate Once, Many KMS
- Policy Based
- Get it Right
- Zero Trust Path
- Low Latency / High Availability
- End-to-end Encryption
- Only a few lines of code
The two primary calls to add to your application:

```
(EDEK, ciphertext) = IRON.encrypt(metadata, plaintext);
plaintext = IRON.decrypt(metadata, ciphertext, EDEK);
```
For more details, see our "CMK: What Architects Need To Know" white paper or read our documentation.