HYOK is the KEY to Cloud Migrations

24 Feb, 2020
5 min read

Each technology, product or solution claims to solve world hunger and satisfy all data privacy compliance requirements, or at least keep your sensitive or regulated data more secure:

Encryption at Rest, Encryption in Transit, Encryption in Use, Full Disk Encryption, File Encryption, Tablespace Encryption, Bring Your Own Key (BYOK), Hold Your Own Key (HYOK), Symmetric Keys, Asymmetric Keys, Hardware Security Modules (HSM), Homomorphic encryption, Pailier, Secure Multi-Party Computation (SMPC), Tokenization, Masking, Obfuscation . . . The list goes on…

Encryption is only one tool in the toolbox and should only be used where and when appropriate. Smart people will use encryption technology how and where it makes the most sense in combination with other data protection and privacy controls to achieve the ultimate objective, the correct balance between data use, access and privacy. What best fits the desired trust model?

Database level encryption or tokenization requires sharing the key(s)

Well implemented encryption renders data virtually inaccessible to unauthorized eyes as long as the key(s) are secure. The big question then becomes who controls the key(s), where and when the data needs to be encrypted, decrypted or made available in the clear to support the reason the data was originally shared, provided or collected.  Data in its encrypted form is predominantly unusable for the intended purpose unless decrypted and made available in the clear for authorized applications, users or processes. Only exact matches and joins can be performed on encrypted data and only as long as the same key is used, and referential integrity is maintained.  Approaches to the contrary are complex to implement, seriously constrained operationally and will suffer significant performance impacts at scale.

Decide and agree on the required trust model first

First, decide on the desired trust model.

  • Who has the Data Subject entrusted their data to?
  • Which Data Processor will the Data Controller trust to process data on their behalf?
  • Who is responsible for the Data Subjects to honor the commitment to protecting their data and honoring the stated privacy policy?
  • Where will encryption and decryption occur?
  • Where will the encryption keys be generated, stored and utilized?
  • What specific contractual or regulatory compliance requirements must be met?

Where the encryption keys reside and who has access to them is the key! If you control the key, you control access to the data, but only to data you encrypt or tokenize. What about controlling access to all the other data elements where column level encryption is impractical or not an option?

Second, you need to decide how and where to leverage encryption technology to support the desired trust model. For many use cases, the design choices are obvious, for others, it becomes a complex risk management and legal or contractual compliance decision. Nobody disputes the benefits of encrypting data in-transit when traversing an untrusted network or using slower but more appropriate asymmetric encryption (Public/Private key pairs) to securely share the symmetric keys used to actually encrypt Personally Identifiable Information (PII) at rest or in transit. HSM’s can be used to generate and help manage the encryption keys to further enhance the reliability and trustworthiness of the solution.

Leveraging Cloud Services often changes the fundamental trust model

Third, reaping the financial benefits of Cloud Computing often requires rethinking the trust model, redesigning data protection and encryption and realigning key management and sharing. Encryption, tokenization, masking and obfuscation solutions alone cannot solve this problem.

Fine-grained independent access control and accountability need to be applied along with encryption to protect data and meet privacy commitments for cloud deployments. Data mobility demands centrally managed, consistently applied access controls combined with column level encryption or tokenization to selectively protect data in transit, at rest and in use.  It is the latter that presents the greatest challenge.  Data must be unprotected at some point to enable most data analytics or processing. That protection cannot rely exclusively on encryption (especially when the keys cannot be shared) and cannot require completely redesigning proprietary, platform-specific, RBAC and View layer security every time the business wants to use a different data analytics application or migrate to a more cost effective data repository or hosting platform.

Most Cloud Services firms all provide good data center security but that is not enough

Fourth, few would dispute the physical and network security controls provided by all the leading Cloud Services and data hosting providers are as good or better than their customer’s own data center operations. However, for many organizations, their trust model requires the key(s) used for encryption not be shared outside their organization. Cloud provider offerings of full disk, OS or database or column level encryption breaks most trust models because the Data Processor is literally being entrusted with the keys to the kingdom. Many have also responded with Bring Your Own Key (BYOK) solutions where the Data Controller provides the key used to encrypt their data. Unfortunately, this also does not satisfy that fundamental trust model requirement of sharing only encrypted data (not the keys).  The Hold Your Own Key (HYOK) concept is the desired trust model for any smart Data Controllers when their data flows to a Cloud Service Provider if they want to retain full control over access to their data.

Companies demand data mobility while consistently controlling access to sensitive data

Finally, the only way to properly manage risk, maintain privacy, realize financial benefits of moving to the cloud and achieve true data mobility while still using the data for its intended purpose is through a comprehensive, centrally managed, consistently applied data access control layer that enables policy-based rules to follow the data regardless of platform, on-premise or cloud.  Data layer, UDF based protection cannot satisfy this requirement because you cannot encrypt every sensitive column, sharing keys across platforms increases the risk of a data breach and the hosting provider(s) must have access to the key(s). Cloud migrations require applying different rules regarding the appropriate use of encryption and associated key management. Organizations collecting and processing sensitive regulated data will need to rethink their trust model and are embracing the HYOK model.

Outsource everything but common sense and security


Migrating to the cloud can introduce a lot of risk when trust model changes are required and be expensive to implement before realizing any financial benefits. Data migrations traditionally involve a lot of security controls design, development, testing and implementation work every time a new cloud provider, hosting platform or application is used to access the data. Carefully consider who ultimately has access to encryption keys and the ability to decrypt protected data. Ensure you have the right trust model and it is being fully supported by your new Privacy-by-Design Cloud Services architecture.


SecuPi offers a one-stop-shop providing all of the following to fit almost any required trust model:

  • Data-Centric Audit & Protection (DCAP) w/o changes to Databases or Applications
  • Discover and Map Sensitive Data Lineage and Data Flows Automatically
  • Full support for Hold Your Own Key (HYOK) and retain exclusive ability to decrypt
  • Format Preserving Encrypt, Tokenize, Mask, Anonymize as/where required
  • Centrally managed, policy-based, Attribute Based Access Control (ABAC)
  • Tamper-Proof Audit Trail and real-time User Behavior Analytics (UBA)
  • Independent, fully configurable, Database Activity Monitoring (DAM)
  • Customer Consent Management and Right To Be Forgotten (RTBF)
  • Data Centric, Data Loss Prevention (DLP) and detection
  • Active Real-Time Alerting and Blocking of Unauthorized Access to Regulated Data
  • Platform Independent Row Level Security (RLS) and Column Level Security (CLS)
  • Data Mobility – Data access policy automatically follows the data across platforms
  • Seamless integration with other security tools (encrypt, SIEM, Active Directory)
  • Control data access at User Request, Data Request, Data Response, User Response

The author, Les McMonagle (CISSP, CISA, ITIL) is Chief Security Strategist at SecuPi and has over 25 years experience in information security, data privacy and regulatory compliance helping some of the largest and most complex organizations select appropriate data security technology solutions.

Contact: Les@SecuPi.com – or – Sales@SecuPi.com

Want to see our product in action? Join us for a Demo!
Apply for this Job

    Or send your resume at text@secupi.com
    Thank for you applying
    We will be in touch shortly.