Remember, BYOK isn't the only key-related security responsibility you might be taking on soon. Windows 10 includes the new Device Guard option to limit PCs to only running signed applications that either come from the Windows Store or have been signed, by an ISV or by an enterprise themselves, using keys that chain up the Microsoft certificate authority. ISVs and Microsoft can sign apps that any enterprise can run; but those kinds of organizations already have processes for protecting high value keys.
The signing keys enterprises get are more limited and produce signed apps that you can only run in your own domain. But that still means that an attacker who compromises your signing keys can produce malware that your most secure devices will trust.
If you're using Device Guard to configure code integrity for your PCs, Microsoft's Chris Hallum points out that "it's really important that the accesses are held by trusted people, that you’re using two-factor authentication and that only a limited number of senior people in your organisation who you trust have access.”
In 2007, hackers stole the keys that Nokia used to digitally sign apps for its Symbian OS and blackmailed the company into handing over millions of euros in an attempt to get them.
If you aren’t prepared to deal with everything from fire to blackmail as a potential denial of service attack on your IT infrastructure and company data, you may not be ready to bring your own keys. Recently, a bug in the plugin GitHub created for Visual Studio 2015 mean that a developer who embedded his AWS credentials in code uploaded to what was meant to be a private repository found that hackers were using those keys to run up thousands of dollars’ worth of AWS instances.
Sign up for CIO Asia eNewsletters.