Bring Your Own Key Delivers Data Protection Peace of Mind

Cloud computing has transformed how organisations do business – and how they think about security. The days of designing an IT security strategy around on-premises servers and databases are long gone. The shift to a cloud-first operating environment, along with the growing strategic value of data to businesses, necessitates a data-focused security approach.

But finding the right balance between cloud-based agility and data security is tricky for many organisations. Especially for businesses in highly regulated industries such as financial services, utilities, healthcare and those seeking compliance with more stringent data regulations such as the EU’s GDPR. After all, working with a cloud service provider (CSP) typically means entrusting that partner with encryption services to protect users’ data. This means no matter how secure the cloud environment, another organisation holds the encryption keys.  

For particularly risk-averse organisations looking to strengthen trust with customers and eliminate compliance concerns, a new solution has emerged in recent years: bring your own key (BYOK).

Why BYOK

The basic value of BYOK is simple – it allows an organisation to encrypt their data in the cloud with their own root encryption key. Then, they can allow or deny access to the underlying data by sharing (or revoking) their root key with a SaaS provider. It’s a single point of control for data access.

“With BYOK, you really have control over all of your organisation’s data,” said Tammo Buss, Workday Technical Lead at EWE, a German utility that delivers energy, telecommunications and IT services. “It’s more than just an encryption service – it’s really an encryption management service.”

EWE had a very specific reason for implementing Workday BYOK: ensuring GDPR compliance. The organisation’s data privacy officer and legal team decided that EWE needed full control over its own data in a cloud environment. A specific benefit of BYOK in EWE’s highly regulated sector, Buss noted, relates to customer data audits. 

“It’s great that we have a product in which everything is very transparent, letting us streamline security auditing and the compliance response​,” Buss said. In December 2023, EWE went live on a variety of Workday solutions including Workday BYOK.  

Beyond compliance audits, the big benefit of BYOK is total control over access to your data.

Taking Full Control

In general, BYOK can be implemented in more than one way. How an organisation manages its root encryption keys depends not only on its risk appetite and ability to manage keys in house, but on the CSP’s underlying key management service.

As one example, a CSP may have the capability to use a root encryption key generated outside its system, but it needs the customer to upload  the keys to the CSP’s servers. This approach could enable a CSP to handle some encryption management duties, such as root key rotation, on behalf of the customer, thereby ceding control of root encryption back to the service provider and away from the customer.

EWE, however, was able to retain total control of all aspects of the root encryption key because Workday BYOK allows the customer to fully own and manage that key outside of Workday. EWE set up a customer-managed key management service in AWS, which EWE’s Workday account then interfaced with.

“Through this customer-managed key approach, we were able to encrypt all our Workday data and all our tenants with our own key and have full control over it,” Buss said.  

AWS has certified that at no point can it access a customer-generated key, whether used in its key management system or in a hybrid security module – the cryptographic processing system that protects digital keys. That’s important for proving compliance during System and Organisation Control (SOC) audits, Buss highlighted. “Our legal counsel was very happy with the documentation provided.”

Greater Responsibility – and Real ROI

Workday BYOK can deliver clear value in terms of augmented data security and compliance peace of mind. But organisations considering implementing BYOK capability should think carefully about potential challenges.

Most obviously, BYOK involves assuming greater responsibilities, which may involve additional expenses. The organisation’s internal IT team may need to take on managing an AWS account, and if an external partner needs to access the root key, the team would need to handle that process. An IT provider could handle some BYOK duties, but such delegation is at odds with the main purpose of BYOK.

And if the organisation loses the master key? That’s a real problem.

“There is no backdoor,” said Gautam Roy, Principal Product Manager at Workday, who has supported EWE’s Workday account. “If the customer revokes access to the root key, Workday loses access to the data. That’s the whole premise of BYOK. We don't do key backups. We need real-time access through the root keys to access data.”

For EWE, the extra work and responsibility relative to BYOK was worth it. The organisation chose to eliminate GDPR compliance risk through a technical solution, rather than just reduce it through a data privacy contractual agreement. All European companies, and especially those in tightly regulated industries, must carefully address data privacy risks, Buss said, while remaining mindful that regulatory frameworks will keep evolving. With new EU AI regulation now on the way, organisations should prepare to be agile when it comes to data security practices.

And Workday BYOK can help in that respect. “We’re happy to have BYOK in place because when compliance requirements change, we know we’ll have technical control over our data,” Buss said. That should reduce the need to get legal teams together to update data privacy agreements with new contractual parts, he pointed out.   

So while BYOK incurs costs, it can lower the cost of future compliance-related activities, while also helping to prevent expensive data security breaches.  

“The cost of implementation and maintenance was actually quite low, from our perspective,” Buss said. “It’s easy to use and maintain, and we’ve significantly reduced data security risks.”