Bring your own encryption

From Wikipedia, the free encyclopedia

Bring your own encryption (BYOE), sometimes mistakenly equated with bring your own key (BYOK), refers to a cloud computing security marketing model that purports to help cloud service customers obtain privacy from their cloud service provider by using their own encryption software and managing their own encryption keys.[1] BYOE is a conceptual model where a customer uses their own encryption software, external to the cloud service provider, as data flows in and out of the cloud application they are using, with the result that the customer's plaintext data is never transmitted to, processed by, or stored by the cloud service provider. This model also gives the customer control of the encryption keys used to encrypt and decrypt the customer's data, satisfying a requirement that is sometimes imposed (or is perceived to be imposed) by industry regulators,[2] government policy,[3] or internal business policy.

The BYOE model has potential weaknesses and major drawbacks for some types of cloud computing. If a cloud service provider can be assumed to have very large computing capability, it could, were it legally obligated to do so or if it determined its best interests were served, attempt to use its computing power to break a customer's encryption. Although doing so may be computationally infeasible today if the customer's encryption implementation is well-designed and follows best practices, a cloud service provider could make a copy of encrypted data and store it indefinitely. If, in the future, a flaw is found in the encryption algorithm used by the customer, the cloud service provider could use that flaw to potentially recover the plaintext. Another possibility is that a cloud service provider deploys quantum computers in the future that are capable of breaking encryption algorithms used today. While these threats are likely of low probability in nations with a strong judiciary, privacy laws, and a free press, it is difficult to predict the direction that national security and criminal law will take, and nations without these democratic institutions and privacy rights might consider the threat more seriously.

A major downside to BYOE is that it prevents cloud service providers from computing over a customer's data, thus rendering inoperable all features that rely upon this computing model. With Software as a Service (SaaS), most features require the cloud service provider to be able to compute over the customer's data (simple examples are virus and malware scanning, executing content-based rules for routing email, and search), and therefore BYOE will render SaaS applications largely or completely useless. PaaS and IaaS services may be impacted very heavily or not at all, depending on which of the features desired by the customer function only with plaintext. The potential exists to overcome this dynamic with evolution in computing models, the most promising of which is computing using a trusted execution environment (sometimes referred to as Confidential Computing). Other potential mitigations could include encryption models that allow computation over ciphertext, such as homomorphic encryption. These newer computing models, which may preserve privacy while allowing the use of cloud application features that today require plaintext processing, are still in their infancy. It is unknown if or when these newer technologies will fulfill their ambitions and achieve widespread adoption.
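
The following Go sketch is an added example, not part of the original article: it shows the model described above, with encryption done on the customer side before upload, and why a provider-side content rule stops working on the stored data. The names `Provider`, `Matches`, `newAEAD`, `Upload` and `Download`, the sample object, and the choice of AES-256-GCM are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Provider is a constructed stand-in for the cloud side; it never holds the key.
type Provider map[string][]byte

func (p Provider) Matches(name, term string) bool {
	return bytes.Contains(p[name], []byte(term)) // provider-side content rule
}

// newAEAD builds AES-256-GCM from the customer-held 32-byte key (assumed cipher).
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Upload encrypts customer-side and binds the object name as associated data.
func Upload(p Provider, aead cipher.AEAD, name string, plaintext []byte) error {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	p[name] = aead.Seal(nonce, nonce, plaintext, []byte(name)) // nonce||ct||tag
	return nil
}

func Download(p Provider, aead cipher.AEAD, name string) ([]byte, error) {
	if blob, n := p[name], aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], []byte(name))
	}
	return nil, fmt.Errorf("object %q missing or truncated", name)
}

func main() {
	p, key := Provider{}, make([]byte, 32)
	rand.Read(key)
	aead, _ := newAEAD(key)
	Upload(p, aead, "q3-report", []byte("invoice total: 1200"))
	fmt.Println("provider rule matches:", p.Matches("q3-report", "invoice"))
}
```

Object names and sizes remain visible to the provider in this sketch; only the content is protected.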

References

  1. "Bring Your Own Encryption (BYOE)". cpl.thalesgroup.com. Retrieved 2022-02-15.
  2. "Monetary Authority of Singapore - Cloud Advisory" (PDF). Monetary Authority of Singapore. Archived (PDF) from the original on 2021-06-01. Retrieved 2022-02-17.
  3. "DISA Cloud Security Requirements Guide". public.cyber.mil. Retrieved 2022-02-15.