Does secure cloud computing mean BYOK?

Thanks to Edward Snowden’s revelations about the NSA, the comprehensive hacking of Sony, and on-going legal battles over whether email stored in the cloud belongs to the people sending it or the service hosting it, more and more cloud services have moved to encrypt data. Some are going even further, offering Bring Your Own Key (BYOK) options, where the user holds the encryption keys for their own cloud data.

Google Compute Engine started offering a preview service for encrypting both data and compute with your own keys this summer, and Amazon offers both soft key management and the much pricier (and slower to set up) Cloud HSM service for EC2 and S3 instances, where your keys live in dedicated Hardware Security Modules in Amazon’s cloud. Adobe Creative Cloud now supports customer-managed data encryption keys to protect content synced to Creative Cloud accounts.

Microsoft’s Key Vault is intended to be a single, audited, versioned, secure vault that integrates with Azure Active Directory for authentication. Key Vault allows you to store passwords, configuration details, API keys, certificates, connection strings, signing keys, SSL keys and encryption keys for Azure Rights Management, SQL Server TDE, Azure Storage, Azure Disk Encryption, for your own .NET applications on Azure, and for encrypting VMs using EMC’s CloudLink Secure VM. Keys in Key Vault can be stored either as soft keys that are encrypted at rest by a system key in an HSM or loaded directly into a Microsoft HSM (in a chosen geographic region) from your own HSM, so you can create keys on premise and transfer them to Key Vault.

Dan Plastina, who runs the Microsoft Information Protection group that includes Key Vault, points out the advantages of managing keys for different systems in the same way. “The beauty here is if you come up with a mechanism that works for Office 365 workloads like Exchange, SharePoint and OneDrive for Business, and that same mechanism also works for line of business apps, for VMs, stuffing secrets into VMs, CRM, SQL Server, HD Insight, you start lighting up your Microsoft workloads with a paradigm that is very similar and training that is very similar.” He says that’s that critical if you’re considering BYOK, because of the dangers of losing your keys.

“You’re looking for something you can wrap your brain around and train your staff to do, because you do not want to lose your key because then you lose your data,” Plastina says. When you use HSM-backed keys, like Cloud HSM or BYOK in Azure Key Vault, the keys are uploaded directly from your HSM to theirs and the cloud service never sees them. That means they can’t hand your keys over – to an attacker or a government investigation. But it also means that they can’t give you back your keys.

“If you lose your keys, all the data encrypted to the key is gone for ever,” Plastina says. “When the key is transferred from their infrastructure into our HSM, it’s done in a way we can’t see it, so if the customer comes back and says the building burned down and the HSM is gone, then all the keys are gone and that’s it – game over. As the saying goes, with great power comes great responsibility. People need to be up to the task if they want to get involved.”

Service-managed keys can give you the assurances of per tenant and per subscription keys, with segregation of duties and auditing, without the headache of managing keys. “But with BYOK, we’re requesting customers get involved in significant way,” Plastina says. “That means setting up vaults, managing vaults; in some cases, that requires HSM-backed keys so they’re purchasing an HSM on premise, they have to run their own quorums for administrator’s smart cards and PINs, they have to save smartcards in the right place. It definitely raises the burden on them.”

Bring your own bank (BYOK)

If you’re considering whether bringing your own keys – which also means securing your own keys – is right for your business, the first question to ask is are you ready to become a bank, because you’ll have to run your key infrastructure with the same rigor, down to considering the travel plans of officers of the company. If you have three people authorized to use the smart card that gives access to your key, you don’t ever want to let all three of them on the same plane.

The burden of securing those keys means that although some Microsoft customers, particularly in the automotive industry, have opted for BYOK, “others say ‘we trust Microsoft is going to do the right thing’,” says Plastina. “They all start by saying ‘I want to be in control,’ but as they see the responsibility and they understand to what extreme lengths Microsoft taking this responsibility, they say ‘why don’t you just do it.’ They don’t want to be the weaker link in a chain.”

Even some New York financial institutions, who initially wanted BYOK that ran against their own on-premises HSMs decided against that when they considered what could go wrong, says Paul Rich from Microsoft’s Office 365 team. “An HSM could have been powered down, taking out a vast swathe of user base. They quickly got the idea that this is potentially a great denial of service attack that malicious insider or attacker performs on the company. These are our most sophisticated customers who are highly sensitive that this is a big responsibility but also a threat of potential destruction, whether that’s accidental or malicious.”

Some businesses believe they need BYOK to comply with legal requirements to have keys under their supervision. There are a range of interpretations of what that actually means in different jurisdictions; “we believe we’re meeting the spirit and intent of those laws,” says Plastina. A service like Key Vault can make it easier to keep keys in specific geographies, especially for smaller companies who don’t have physical infrastructure in all the territories they do business in.

However, there are still some businesses that want the option to bring their own keys – or even to host them in an HSM that they run. In many ways, hosting your own keys contradicts the reason many companies are adopting cloud services; for the speed, simplicity and cost savings of not running their own infrastructure to provide those services. If you want to keep acceptable performance and service levels, you’re going to need significant infrastructure.

“Those customers would be required to run a highly availability fault-tolerant data center distributed service to issue keys,” Plastina warns. It’s not a service that Microsoft offers today, but he says it’s important for industries like banking – who already have the processes and expertise to secure keys, as well as the experience in vetting employees.

BYOK and Office 365

You don’t have to bring and manage your own keys to get more control and transparency, says Rich. BYOK isn’t the only way to get around the tension between having no control over encryption and losing most of the benefits of a cloud service by encrypting your data before putting it into the service.

“If you encrypt data before it goes into the service it can’t be reasoned over, so simple table stakes stuff like spam and virus detection can’t be done, and the higher level features like legal holds, and Delve document discovery and so on all require access to the content people are putting in. CIOs understand that and they want the functionality of those features when they come to the cloud. What they’re asking is ‘how can we allow you to do that reasoning with the machines that the service is comprised of but not have your people looking at our data?’”

The alternative is the new Office Lockbox. “The idea is that people at the cloud service don’t have access to your content. You can be assured of zero human access by Microsoft to your content. If there is a support reason we would need access, we ask for permission and until we get that, humans running the service wouldn’t be able to able to access it.” Customers get transparency and visibility, says Rich; they can see what access requests are coming in, control who in the business is approving those and get logs what activity took place while the content was accessible.

If you’re wondering what would stop Microsoft simply claiming that it didn’t have access, or admins doing more than the logs show, Rich points to the Government Security Program Microsoft runs to provide controlled access to Microsoft source code, which NATO recently renewed. “We agree with our customers, we want to take the lockbox code and have it be part of a program that allows third-party code reviews and shows it doesn’t have side doors or back doors.”

Delivering the Lockbox meant rewriting the Office services to remove the default that came from the on-premise server software where the admin always had access to the data. That’s been done for Exchange and the Lockbox option is already available; it will be an option for SharePoint in Q1 of 2016.

Office 365 is also moving from relying on BitLocker to encrypt the servers that workloads run on, which doesn’t protect them while they’re running, to encrypting at the application layer. That’s been done for SharePoint already and is in progress for Exchange. Microsoft’s Rich predicts it will be ready by the end of 2015, with Skype for Business following later. “That separates the data administrator from the service administrator much more strongly,” he claims. That will enable BYOK too. “We’ll be wrapping the key that we use in the application layer to protect mailbox content with the Azure Key Vault key that the customer owns.”

“When the service is fully released, our plan is to offer customers a small number of keys, perhaps 10 or 20, that you use with your tenant for Exchange, SharePoint and Skype for Business. Most customers say they don’t need more than a handful of keys, say three keys for America, Europe and APAC that they put in Key Vault HSMs in those geographies.

Those keys will need safeguarding but it won’t make running Office 365 much more complicated, he predicts. “You will do a minimal amount of management, to rotate the keys occasionally,” says Rich. “The way you use these keys is as an exit strategy for the whole service. In normal operation, we don’t have access to your content; if a human needs access then the Office Lockbox is the answer and you know who had access and when. The key in the Key Vault it used to turn all the lights out at once when you leave the building.”

Secure your keys

Given how few businesses are securing the keys they’re already responsible for, according to a survey last year, BYOK and HYOK will be beyond the scope of many businesses. The Ponemon Institute found half of enterprises have no centralized controls for their SSH keys and many don’t rotate keys, which leaves them more vulnerable to attack. Losing cloud encryption keys would be even more problematic, as you’ll lose data permanently.

Remember, BYOK isn’t the only key-related security responsibility you might be taking on soon. Windows 10 includes the new Device Guard option to limit PCs to only running signed applications that either come from the Windows Store or have been signed, by an ISV or by an enterprise themselves, using keys that chain up the Microsoft certificate authority. ISVs and Microsoft can sign apps that any enterprise can run; but those kinds of organizations already have processes for protecting high value keys.

The signing keys enterprises get are more limited and produce signed apps that you can only run in your own domain. But that still means that an attacker who compromises your signing keys can produce malware that your most secure devices will trust.

If you’re using Device Guard to configure code integrity for your PCs, Microsoft’s Chris Hallum points out that “it’s really important that the accesses are held by trusted people, that you’re using two-factor authentication and that only a limited number of senior people in your organisation who you trust have access.”

In 2007, hackers stole the keys that Nokia used to digitally sign apps for its Symbian OS and blackmailed the company into handing over millions of euros in an attempt to get them.

If you aren’t prepared to deal with everything from fire to blackmail as a potential denial of service attack on your IT infrastructure and company data, you may not be ready to bring your own keys. Recently, a bug in the plugin GitHub created for Visual Studio 2015 mean that a developer who embedded his AWS credentials in code uploaded to what was meant to be a private repository found that hackers were using those keys to run up thousands of dollars’ worth of AWS instances.