Bring Your Own Key: The next big thing?

Cloud filing cabinet storage

Enterprise Rights Management (ERM) systems have always been strong on security, and by necessity have pretty much relied upon the use of Public Key Infrastructure (PKI) and certificates for user identification, digital signatures for document integrity and encryption for document confidentiality.

If, then, crypto is king as far as any ERM is concerned, the master keys that underpin that security framework are the Gods. Traditionally these are kept safe in on-premise hardware security modules (HSMs) that allow them to managed securely. Think of an HSM as a high-performance cryptographic device which is designed to generate, safeguard and manage sensitive key material. If all this sounds somewhat complex, then you are bang on the money: it is.

Start expanding your document collaboration outside of the organisation and that complexity explodes. The cloud, while being an obvious solution to the external flexibility of ERM does nothing to ease the security challenges. Hardly surprising then that your average enterprise has been slow to jump aboard the cloud-based rights management train. Microsoft hopes to change all that with the Azure-based Azure RMS service that allows user authentication, authorisation and policy enforcement to happen in the cloud for universal accessibility.

The more security-savvy of Cloud Pro readers are now probably already coughing quite loudly and muttering about multi-tenancy in the cloud and the trust relationship post-PRISM for starters. The thought of storing your encryption master keys, which Microsoft refers to as tenant keys, in the cloud would be enough to finish the Azure RMS conversation for many.

Which is where things actually start getting interesting. The deployment of Thales' nShield hardware security modules (HSMs) by Microsoft within the context of additional security for Windows Azure RMS, could potentially be bigger news than it seems. The notion of an anywhere/anyone/multi-format collaborative service is nothing new, and as I've said moving rights management into the cloud is an obvious step as enterprises become increasingly dispersed out of commercial necessity and traditional 'inside-the-enterprise' rights infrastructures start to look dated and cumbersome.

The shift to cloud-based model is both evolutionary (in terms of accessibility and usability) but also revolutionary (in terms of securing the data concerned). Yes, the idea of hardware security modules (HSMs) as implemented by Microsoft is hardly ground-breaking (Amazon has something similar with the AWS CloudHSM) and it's pretty much a given that when it comes to a security-oriented cloud such as this then confidence is the key. But how do you ensure that a business has complete confidence when it comes to custody and visibility of the cryptographic keys to this data kingdom? That's where the BYOK concept comes into play.

Richard Walters, CTO of web application security company SaaSID, sees the BYOK announcement as a "logical step on from the idea proposed a few years ago that suggested the creation of secure vaults, within multi-tenant environments, which the cloud vendor does not have access to."

So how does it work in the real world? Using an on-premise HSM, the enterprise generates and transfers its own encryption master key (the critical Tenant Key) to the Thales HSMs within Windows Azure. This combination of old and new, inside and out, data protection via on-premises and in-cloud HSMs is key to keeping in complete control of sensitive data while transforming the value proposition of traditional rights management systems.

In the PRISM-aware environment that enterprises are operating in, the issue of retaining control is paramount. Furthermore, the ability to be able to release keys to providers on a 'need to use' basis as well as revoke them on demand is a powerful resource that should not be underestimated.

Microsoft itself is incapable of accessing the in-cloud HSM, but by creating a zero knowledge environment such as this (it can use the key, but doesn't have direct access to it) the cloud-HSM becomes a trusted agent which can protect the keys from other tenants, attackers and even the cloud service provider itself.

Most of the IT security experts I spoke to, such as Dr. Hongwen Zhang who as well as being CEO of Wedge Networks is a member of the CloudEthernet Forum responsible for spearheading its security initiative, are encouraged by the Thales/Microsoft development. However, there are other issues facing companies when it comes to asset protection in the cloud that are shared by the industry.

Zhang, for example, worries that security quite often goes against convenience. "Collaboration among web services is a key aspect of cloud computing. It is time for the key players establish a standard on cloud data encryption so that security and interoperability can both be achieved," he warns.

Standards aside, while agreeing that customer-side key management is a core enabler for cloud information protection, Paige Leidig, senior vice president at CipherCloud, points out that other factors are also necessary such as "using the strongest encryption, which currently is the AES 256-bit standard and implementing other controls, such as tokenisation, data loss prevention, malware detection and activities auditing."

The migration of information to the cloud has certainly created multiple security, compliance and residency challenges for enterprises. Such challenges require a global approach to cloud information protection, encryption and key management and they collectively represent just one piece in the holistic security puzzle.

It's a great big piece of that puzzle courtesy of PRISM. Once your tenant key is in the system it's safe from prying eyes, and not just Microsoft ones.

Dan Plastina from the Microsoft program group responsible for Azure RMS, has gone on the record to state that the key cannot be leaked or exported, that there are no debug logs or memory dumps and, importantly, if Microsoft gets subpoenaed it still cannot give your key to anyone.

That's not quite all it seems as it could be possible for cloud-stored documents to be decrypted if a warrant-holding officer of the law demanded it as the in-cloud HSM allows Microsoft to use the tenant key without actually having direct access to it so cannot 'hand it over'.

The big difference here being that if this happened then it wouldn't take an Edward Snowden to blow any whistles in order for you to know; a log is written every time the key is used and if you revoked the key then access would stop until you sent another.

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at