Revelations of government snooping, and of pressure on cloud providers to hand customer data to the authorities, have led to new developments in how encryption is applied in the cloud, for those ready to move on to the Bring Your Own Encryption (BYOE) phase.
The problem arose because the providers encrypted the data but also held the encryption keys. That meant customer data was protected from everyone except the provider itself.
Of course, the option for customers to encrypt their data before sending it to the cloud for storage has always existed, but doing so makes it harder to use the data in cloud-based applications.
A recent twist to the encryption saga is BYOE, also known as BYOK (Bring Your Own Key). How well does this answer concerns about data privacy in the cloud?
The principle of Bring Your Own Encryption is simple. Customers use their own encryption software in the cloud itself and hold their own encryption keys.
The software runs as another virtual machine next to the business application the customer has chosen to host in the cloud. The business application sends all its data to the encryption application, which then encrypts the data before storing it in cloud storage.
This solves the problem of protecting your data in a third-party, multi-tenant environment from everyone including your service provider, but introduces a few challenges of its own.
The biggest hurdle is encryption key management. Customers using BYOE must ensure they have proper procedures of their own to keep keys safe, yet retrievable by their own authorised personnel. If they lose their keys, their encrypted data becomes permanently unavailable, and nobody can help them.
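The arrangement described above, as an added example that is not part of the original article: a customer-run encryption proxy sits between the business application and a stand-in for the provider's object storage, so the store only ever receives ciphertext, and the key never leaves the customer's side. The `CloudStore` type, the object names and the record contents are constructed for the illustration; the cipher is AES-256-GCM from Go's standard library, with the object name bound as associated data so a ciphertext cannot be quietly moved to a different name. Opening an object with any key other than the one it was stored under fails, which is the "lost keys, data permanently unavailable" outcome the paragraph warns about.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// CloudStore stands in for the provider's object storage. It is a
// constructed stand-in, not a real provider API: it holds whatever bytes
// it is given and never sees a key.
type CloudStore struct {
	objects map[string][]byte
}

func NewCloudStore() *CloudStore { return &CloudStore{objects: map[string][]byte{}} }

func (c *CloudStore) Put(name string, blob []byte) { c.objects[name] = append([]byte(nil), blob...) }

func (c *CloudStore) Get(name string) ([]byte, bool) { b, ok := c.objects[name]; return b, ok }

// EncryptionProxy plays the role of the customer's encryption VM: it holds
// the customer key and encrypts everything before it reaches the store.
type EncryptionProxy struct {
	aead  cipher.AEAD
	store *CloudStore
}

// NewCustomerKey generates a 256-bit key. In a real BYOE deployment this key
// lives in the customer's own key management, never with the provider.
func NewCustomerKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func NewEncryptionProxy(key []byte, store *CloudStore) (*EncryptionProxy, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &EncryptionProxy{aead: aead, store: store}, nil
}

// Store encrypts plaintext under the customer key and writes nonce||ciphertext
// to the store. The object name is authenticated as associated data.
func (p *EncryptionProxy) Store(name string, plaintext []byte) error {
	nonce := make([]byte, p.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	blob := p.aead.Seal(nonce, nonce, plaintext, []byte(name))
	p.store.Put(name, blob)
	return nil
}

// Fetch reads the object and decrypts it. It fails if the key is wrong, the
// ciphertext was altered, or the blob was copied under another name.
func (p *EncryptionProxy) Fetch(name string) ([]byte, error) {
	blob, ok := p.store.Get(name)
	if !ok {
		return nil, errors.New("no such object")
	}
	ns := p.aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("stored blob too short to contain a nonce")
	}
	return p.aead.Open(nil, blob[:ns], blob[ns:], []byte(name))
}

func main() {
	store := NewCloudStore()
	key, _ := NewCustomerKey()
	proxy, _ := NewEncryptionProxy(key, store)

	// Constructed sample record from the "business application".
	_ = proxy.Store("records/acct-4411", []byte("customer record: acct 4411, balance 1200"))
	got, err := proxy.Fetch("records/acct-4411")
	fmt.Printf("with customer key: %q (err=%v)\n", got, err)

	// Simulate a lost key: a freshly generated key cannot open the object.
	lostKey, _ := NewCustomerKey()
	other, _ := NewEncryptionProxy(lostKey, store)
	_, err = other.Fetch("records/acct-4411")
	fmt.Println("with a different key: error =", err)
}
```

Run it with `go run .`; the second fetch reports an authentication error rather than returning data, which is exactly why key backup and retrieval procedures are the customer's responsibility under BYOE.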
Other obstacles include restrictions on the kinds of hosted application this works with (SaaS typically will not) and performance, for example the fast key retrieval needed for collaborative work in tools such as Google Apps and Google Drive.
Some experts suggest being selective about BYOE and only applying it where data privacy levels really justify it. In general, however, you should know what you’re doing and/or work with a reputable encryption solution vendor to get the BYOE benefit without the bother.