HYOK or BYOK Encryption? A Critical Decision for Cloud Migrations & Multi-Cloud Strategy

21 Apr, 2020
3 min read

Cloud Migration Challenges

Probably the single biggest barrier to a more rapid adoption of Cloud Hosted Database as a Service (DBaaS) is data privacy and security. For any organization collecting, processing, analyzing and retaining sensitive or regulated information, data privacy can quickly become a show-stopper. Adoption of cloud services involving Personally Identifiable Information (PII), Protected Health Information (PHI), valuable Intellectual Property (IP), other sensitive Non-Public Information (NPI) or any other government- or industry-regulated data usually requires a completely different trust model.

Organizations accustomed to traditional methods of protecting and controlling access to data, where they managed all aspects of data security themselves, require a paradigm shift in their thinking about data privacy. The introduction of outsourced IT Operations and Managed Services years ago, and now cloud migrations, require a shift from managing all aspects of router, firewall, server and workstation configurations to managing data security through contractual agreements.

Data security and privacy compliance is increasingly detached from infrastructure

Now with the rapid transition to Everything as a Service (SaaS, DBaaS, IaaS, etc.), managing data security becomes even more abstracted.  Any cloud adoption strategy needs to take into consideration that the organization may only be left with control over a User’s Identity, the Data itself and the Application(s) used to access the data.  This demands a data-centric approach that is application, database and hosting location agnostic.  The same data protection, fine-grained access controls, accountability, and audit trail need to be maintained even though the data may be hosted almost anywhere and accessed from almost anywhere.  Enabling full Data Mobility without compromising data security is an essential component of any Cloud Migration Strategy.

The New Reality

Cloud hosting providers, along with the databases and applications that run on cloud hosted infrastructure, virtually all do a great job of providing traditional security controls that are as good as or better than those their prospective customers enjoy on-premise today, but this is not enough. Data privacy regulations mandate that the organizations that collect the data remain responsible for its privacy and protection regardless of any contractual agreements or outsourcing arrangements.

Organizations remain accountable even when they have almost no direct control over any of the infrastructure processing the data.  Real-time detection of anomalous data access activity and User Behavior Analytics (UBA) are needed to compensate for the loss of traditional Data Loss Prevention (DLP) functionality including in-house server, network event and end-point protection solutions.

The Solution

The only way for organizations to retain full control when transitioning to the Cloud is through Anonymization of data, or rendering enough sensitive data fields inaccessible while in the Cloud and accessible again only when the data comes back on-premise or back within their span of control. This is where the Hold Your Own Key (HYOK) concept becomes essential. Encrypting data prior to sending it to the Cloud, and decrypting it only once it is back on-premise, is the only approach that satisfies the more conservative trust models: the cloud provider holds ciphertext but never holds the key material needed to reverse it.

It is also not realistic to encrypt or tokenize ALL sensitive data fields, as this would render the data virtually unusable for analytics purposes. Column level encryption or tokenization must be applied selectively to only the most sensitive fields. Fields like SSN or credit card Primary Account Numbers (PAN) are excellent candidates. They can still satisfy 95% of the business processes that need them while remaining in their protected form. This includes use as a Unique Primary Index (UPI) key, secondary identifier, Primary/Foreign Key pairs for joins, etc., as long as referential integrity is maintained. Maintaining referential integrity requires the protection to be deterministic: the same plaintext value must map to the same protected value everywhere it appears, so that an equality join on the protected column returns the same rows as a join on the clear value would. This demands a single, centrally managed solution that works consistently across platforms, with the protection and access controls following the data.

Only enough additional fields or columns need to be encrypted to achieve adequate Anonymization or De-Identification of the records for any particular cloud-hosted data set. Strictly speaking, because the Data Controller can reverse the protection, this is pseudonymization in GDPR terms rather than anonymization, and the protected records in the cloud are still personal data; the point is that the residual risk of exposure is reduced to the small set of parties who hold the keys. All other sensitive data fields must still require strict "need-to-know" fine-grained access controls but are simply not practical to encrypt or tokenize for many performance, operational and business reasons. This often means encrypting only 2% to 10% of sensitive or regulated data fields while still applying strict, consistently applied, policy-based access controls on all sensitive or regulated data.
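The following is an added example, not SecuPi's code, showing the pattern the two paragraphs above describe: a single sensitive column (SSN) is tokenized on-premise with a key that never leaves the controller, the resulting rows can still be joined on that column by analytics running in the cloud, and only the on-premise side can map tokens back to clear values. The class and function names (`OnPremTokenizer`, `cloud_join`, `run_pipeline`) and the sample rows are constructed for this illustration; the tokens are keyed HMAC-SHA256 values with an on-premise vault for reversal.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Mapping, Sequence

# Constructed sample rows (made up for this example, not real records).
CUSTOMERS = [
    {"customer_id": 1, "ssn": "123-45-6789", "name": "Ann", "region": "EU"},
    {"customer_id": 2, "ssn": "987-65-4321", "name": "Bob", "region": "US"},
]
CLAIMS = [
    {"claim_id": 100, "ssn": "123-45-6789", "amount": 250},
    {"claim_id": 101, "ssn": "123-45-6789", "amount": 75},
    {"claim_id": 102, "ssn": "555-11-2222", "amount": 900},  # no matching customer
]


class OnPremTokenizer:
    """Hypothetical component that runs inside the data controller's span of control.

    The HMAC key and the token->plaintext vault never leave this side, which is
    what makes the arrangement HYOK rather than BYOK: the cloud receives tokens only.
    """

    def __init__(self, key: bytes) -> None:
        if len(key) < 32:
            raise ValueError("HMAC key must be at least 256 bits")
        self._key = key
        self._vault: Dict[str, str] = {}

    def tokenize(self, domain: str, value: str) -> str:
        # Keyed and deterministic: the same (domain, value) always yields the same
        # token, so equality joins still work on the protected column. The secret
        # key stops dictionary attacks on a small value space such as SSNs, and the
        # domain tag keeps an SSN token from ever colliding with a PAN token.
        msg = domain.encode() + b"\x00" + value.encode()
        mac = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        token = f"tok_{domain}_{mac[:32]}"
        self._vault[token] = value  # reversible only here, where the vault lives
        return token

    def detokenize(self, token: str) -> str:
        return self._vault[token]

    def protect(self, rows: Iterable[Mapping], columns: Mapping[str, str]) -> List[dict]:
        """Tokenize selected columns before rows leave on-prem.
        `columns` maps column name -> token domain, e.g. {"ssn": "ssn"}."""
        out = []
        for row in rows:
            r = dict(row)
            for col, domain in columns.items():
                r[col] = self.tokenize(domain, str(r[col]))
            out.append(r)
        return out

    def reveal(self, rows: Iterable[Mapping], columns: Sequence[str]) -> List[dict]:
        """Reverse tokenization once rows are back on-prem."""
        out = []
        for row in rows:
            r = dict(row)
            for col in columns:
                r[col] = self.detokenize(r[col])
            out.append(r)
        return out


def cloud_join(customers: Sequence[Mapping], claims: Sequence[Mapping],
               key_col: str = "ssn") -> List[dict]:
    """Cloud-side analytics: joins the two tables on the protected column by
    equality only. This code has no key and no vault, so it never sees an SSN."""
    by_key = {c[key_col]: c for c in customers}
    return [
        {"customer_id": by_key[cl[key_col]]["customer_id"],
         "claim_id": cl["claim_id"], "amount": cl["amount"]}
        for cl in claims if cl[key_col] in by_key
    ]


def run_pipeline(key: bytes):
    """On-prem tokenize -> cloud join -> compare with a plaintext join done on-prem."""
    tok = OnPremTokenizer(key)
    cloud_customers = tok.protect(CUSTOMERS, {"ssn": "ssn"})
    cloud_claims = tok.protect(CLAIMS, {"ssn": "ssn"})
    joined_in_cloud = cloud_join(cloud_customers, cloud_claims)
    joined_on_prem = cloud_join(CUSTOMERS, CLAIMS)
    return cloud_customers, cloud_claims, joined_in_cloud, joined_on_prem


if __name__ == "__main__":
    k = secrets.token_bytes(32)  # generated and kept on-prem
    cust, clm, cloud_res, prem_res = run_pipeline(k)
    print("cloud sees:", cust[0]["ssn"])
    print("join results identical:", cloud_res == prem_res)
```

Two caveats follow from the design. Deterministic tokens necessarily reveal equality and frequency, which is acceptable for high-cardinality identifiers such as SSN or PAN that must serve as join keys but not for low-cardinality fields such as a diagnosis code or country; those are the columns the page assigns to dynamic masking and row filtering instead. The in-memory dict stands in for a vault that in production would be a highly available store in the controller's environment, or would be replaced by a deterministic authenticated cipher so that no vault is needed at all.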

Major Cloud Services providers all provide good data center security but that is not enough

Few would dispute that the physical and network security controls provided by all the leading Cloud Services and data hosting providers are as good as or better than their customers' own data center operations. However, for most organizations their new Cloud Hosting Trust Model requires that the key(s) used for encryption not be shared outside their organization. Full disk encryption, file-level or tablespace encryption, or Bring Your Own Key (BYOK) based Column level encryption do not meet these more stringent data protection requirements: in each case the provider's key management service holds and uses the key on the customer's behalf.

These do not satisfy that fundamental trust model requirement of sharing only encrypted data (not the keys).  The Hold Your Own Key (HYOK) concept is the desired trust model for any smart Data Controllers when their data flows to a Cloud Service Provider if they want to retain full control over access to their data regardless of where it is stored or processed.

HYOK is the KEY to Cloud Data Security and Data Governance

Regulated industries, such as financial services and healthcare, require keys to be segregated from the cloud Data Warehouse compute and storage infrastructure.  HYOK enables companies to comply with this requirement with encryption applied to the most sensitive columns, and dynamic masking or filtering access to other sensitive columns – achieving the optimal balance between data protection, compliance, analytics and usability of the data.



Cloud Service provider encryption solutions cannot strike the required balance. Disk, file, tablespace or even Column level encryption solutions still mean the Cloud Provider controls the keys! With BYOK the customer generates the key, but it is imported into the provider's key management service or HSM, so the provider's own services can still apply it on any normal access path to the data. This protects against an intruder walking out of the data center with a disk drive, but not against access through any normal channel to the data. Cloud Services provided solutions, including Bring Your Own Key (BYOK) designs, are not acceptable to organizations in highly regulated industries or those processing particularly sensitive data.

HYOK encryption enhances the security of data within all Database as a Service (DBaaS) environments by ensuring that sensitive data remains encrypted in the cloud at all times (without exposing encryption keys or sensitive data).  The optimal balance is achieved when HYOK is combined with other data governance and fine-grained access controls including geo-fencing, row filtering, logical deletion, dynamic masking, real-time sensitive activity monitoring, classification and user behavior analytics.

You can outsource everything but common sense and security

SecuPi enables fine-grained access control, data-at-rest protection with Hold Your Own Key (HYOK) – segregating keys from the compute.  This satisfies challenging data privacy regulations (GDPR/CCPA) and full accountability for all access to sensitive data without changes to Applications or the underlying Data Repository.  SecuPi provides scalability, easy implementation and transparent encrypt/decrypt function between Applications and the cloud-hosted Database while also delivering market-leading fine-grained access control, User Behavior Analytics and fully configurable Database Activity Monitoring (DAM).

Data encryption, decryption, dynamic masking, filtering, geo-fencing or data obfuscation operations are all managed by policy from a single central Policy Server enforced consistently across all environments.  Only authorized users are granted the right to access protected data elements in the clear.

SecuPi is the preferred data security partner for Snowflake and a top tier security solution partner for Microsoft Azure and Amazon AWS validating SecuPi’s ability to easily solve these most challenging data privacy compliance requirements faced by any prospective Cloud Services customer. SecuPi is frequently the enabler of expanded use of Cloud Services and Hosting where sensitive or regulated data is involved and compliance with GDPR, CCPA, HIPAA and more are required.

The author, Les McMonagle (CISSP, CISA, ITIL), is Chief Security Strategist at SecuPi and has over 25 years' experience in information security, data privacy and regulatory compliance, helping some of the largest and most complex organizations select appropriate data security technology solutions.

Contact: Les@SecuPi.com – or – Sales@SecuPi.com
