Product announcement: Try the new Cloaked AI beta

Customer managed keys explained

Enterprise SaaS customers are increasingly demanding customer managed keys for enhanced privacy, security, and control of their sensitive data in the cloud.


What is CMK?

Customer Managed Keys, or CMK, is a cloud architecture that gives customers ownership of the encryption keys that protect some or all of their data stored in SaaS applications. It is per-tenant encryption where your customers can independently monitor usage of their data and revoke all access to it if desired.

CMK is known by many names:

  • EKM - Enterprise Key Management
  • BYOK - Bring Your Own Keys
  • CHEK - Customer Held Encryption Keys
  • HYOK - Hold Your Own Key
  • BYOE - Bring Your Own Encryption
  • BYOKMS - Bring Your Own Key Management Server

Regardless of name, CMK has these parts:

  • Per-tenant encryption for some or all customer data.
  • Your customer (tenant) manages a master key or keys needed for decryption.
  • Your customer can independently monitor all data access.
  • Your customer can independently revoke access at any time.

CMK can be configured in multiple ways, and its use across companies varies. Download our industry comparison infographic to see what that looks like.

Compare CMK Infographic
Buyers of cloud services and mobile devices should demand that providers offer them the option of managing their own encryption keys.
─ Gartner
Play: Play: What are customer managed keys?

Breaking down how CMK works

In CMK, you encrypt sensitive customer data before you store it. When you need data access, you call your customer’s infrastructure to get the decryption key. Your customer can revoke access by refusing to return the key, and they get an independent audit event on every request.

Storing and encrypting data in CMK involves multiple layers of keys. The typical approach uses two layers and is referred to as “envelope encryption.” In envelope encryption, you first encrypt data with a data encryption key or DEK. You use a second master key, or MK, to encrypt the DEK, producing an Encrypted DEK or EDEK.

You have access to the DEK while you are encrypting or decrypting, but you agree to wipe the key from memory after use. You never persist the DEK to storage. Instead, you store the encrypted DEK, or EDEK, alongside encrypted data. Typically you add a column to your database schema or persist the EDEK as object metadata.

The sequence diagram below shows the decryption data flow. Notice how the log request data flow provides independent monitoring and the 403 allows revocation:

How CMK Works Infographic
Customer Managed Keys OverviewEncrypted DEKDEKYou StoreEncrypted Data + Encrypted KeysYour CustomerControls Keys and Audits Access
UserSaaSCustomer KMSGet dataFetch EDEKDecrypt EDEKFetch Encrypted dataLog Request to SIEMDecrypted DEKDecrypt Data using DEKAfter decrypt, DEK is wipedReturn Data403 DeniedErroralt[Grant][Deny]UserSaaSCustomer KMS

IronCore adds a number of features and integrations and handles a variety of supported key management systems including Google Cloud KMS, Amazon KMS, Azure Key Vault, and Thales CipherTrust Manager so your customers can use their platform of choice. IronCore also enables your customers to manage KMS configurations using end-to-end encryption and abstracts policy choices away from developers so your developers can focus on simple integration code without worrying about the complexities of key management, cryptography choices, SIEM integration, and so forth.

The diagram below shows how this works, with IronCore's persistence-free Tenant Security Proxy running in your infrastructure as a Docker container and the Configuration Broker (our administration app) either run by IronCore or running in your infrastructure as a separate Docker container.

ConfigurationBrokerClient LibraryApplicationTenantSecurity ProxyZero-trust configuration storeCustomer KMS / HSMCustomer SIEMAWSAzureGCPStackDriverSplunkLogRhythmWeb Browser (Admin)End-to-end Encryption

Four reasons why you should care about CMK

Customers have been asking for customer managed keys for years, but the urgency has increased for a variety of reasons. Most notably:

Consumer privacy laws

In 2017 and 2018, 50 countries passed new privacy laws. The EU's General Data Protection Regulations (GDPR) mandates that companies keep the personally identifiable information (PII) of their customers secure and private. These companies are also responsible for this security when passing PII on to third-party vendors, such as SaaS providers. CMK brings visibility into how data is accessed and brings the ability to revoke that access.

Industry analysts and best practices

Analysts from Gartner, Forrester, and 451 Research all strongly recommend that large companies request CMK as a best practice for SaaS vendors.

Reduced risk of breach

Breaches are ever-present in the news media. Every week a new large brand is embarrassed by a data breach. The complexity of networks and interconnecting systems means a network breach is likely. Knowing this, customers want to know that their data is encrypted and that that encryption isn't transparent to anyone who happens to gain access to a system. In other words, transparent disk encryption and HTTPS are no longer sufficient for IT Vendor Management Review teams.

Top tier has delivered

After years of asking, top SaaS companies have started to offer CMK. Salesforce released their "Cache-only Key Service" in 2019. Also in 2019, Slack released their "Enterprise Key Management" feature. Box has offered CMK (under several different names) for several years now. And Microsoft offers a "Bring Your Own Key" option for its Azure Key Vault. Companies using this feature have begun to demand it from the rest of their vendors, if those vendors handle sensitive and regulated data such as PII.

Benefits of using IronCore Labs for CMK

IronCore provides a turnkey CMK Implementation that quickly and easily integrates into your SaaS application. While do-it-yourself CMK implementations average 15 months, IronCore CMK gets you to market in 90 days, winning you renewals, sales, and competitive differentiation.

  • Integrate Once, Many KMS
  • Policy Based
  • Get it Right
  • Developer-proof
  • Zero Trust Path
  • Low Latency / High Availability
  • End-to-end Encryption
  • Only a few lines of code

Primary two calls to add to your application:

      (EDEK, ciphertext) = IRON.encrypt(metadata, plaintext);
      plaintext = IRON.decrypt(metadata, ciphertext, EDEK);

For more details, see our "CMK: What Architects Need To Know" white paper or read our documentation.