Some businesses believe they need BYOK to comply with legal requirements to have keys under their supervision. There are a range of interpretations of what that actually means in different jurisdictions; “we believe we're meeting the spirit and intent of those laws,” says Plastina. A service like Key Vault can make it easier to keep keys in specific geographies, especially for smaller companies who don’t have physical infrastructure in all the territories they do business in.
However, there are still some businesses that want the option to bring their own keys – or even to host them in an HSM that they run. In many ways, hosting your own keys contradicts the reason many companies are adopting cloud services; for the speed, simplicity and cost savings of not running their own infrastructure to provide those services. If you want to keep acceptable performance and service levels, you’re going to need significant infrastructure.
“Those customers would be required to run a highly availability fault-tolerant data center distributed service to issue keys,” Plastina warns. It's not a service that Microsoft offers today, but he says it’s important for industries like banking – who already have the processes and expertise to secure keys, as well as the experience in vetting employees.
BYOK and Office 365
You don’t have to bring and manage your own keys to get more control and transparency, says Paul Rich from Microsoft’s Office 365 team. BYOK isn’t the only way to get around the tension between having no control over encryption and losing most of the benefits of a cloud service by encrypting your data before putting it into the service.
“If you encrypt data before it goes into the service it can't be reasoned over, so simple table stakes stuff like spam and virus detection can't be done, and the higher level features like legal holds, and Delve document discovery and so on all require access to the content people are putting in. CIOs understand that and they want the functionality of those features when they come to the cloud. What they’re asking is ‘how can we allow you to do that reasoning with the machines that the service is comprised of but not have your people looking at our data?’”
The alternative is the new Office Lockbox. “The idea is that people at the cloud service don’t have access to your content. You can be assured of zero human access by Microsoft to your content. If there is a support reason we would need access, we ask for permission and until we get that, humans running the service wouldn’t be able to able to access it.” Customers get transparency and visibility, says Rich; they can see what access requests are coming in, control who in the business is approving those and get logs what activity took place while the content was accessible.
Sign up for CIO Asia eNewsletters.