Is BYOK the key to secure cloud computing?

September 29, 2015, by David

Grazed from CIO. Author: Mary Branscombe.

Thanks to Edward Snowden’s revelations about the NSA, the comprehensive hacking of Sony, and on-going legal battles over whether email stored in the cloud belongs to the people sending it or the service hosting it, more and more cloud services have moved to encrypt data. Some are going even further, offering Bring Your Own Key (BYOK) options, where the user holds the encryption keys for their own cloud data.

Google Compute Engine started offering a preview service for encrypting both data and compute with your own keys this summer, and Amazon offers both soft key management and the much pricier (and slower to set up) Cloud HSM service for EC2 and S3 instances, where your keys live in dedicated Hardware Security Modules in Amazon’s cloud. Adobe Creative Cloud now supports customer-managed data encryption keys to protect content synced to Creative Cloud accounts…

Microsoft’s Key Vault is intended to be a single, audited, versioned, secure vault that integrates with Azure Active Directory for authentication. Key Vault allows you to store passwords, configuration details, API keys, certificates, connection strings, signing keys, SSL keys and encryption keys for Azure Rights Management, SQL Server TDE, Azure Storage, Azure Disk Encryption, for your own .NET applications on Azure, and for encrypting VMs using EMC’s CloudLink Secure VM. Keys in Key Vault can be stored either as soft keys that are encrypted at rest by a system key in an HSM or loaded directly into a Microsoft HSM (in a chosen geographic region) from your own HSM, so you can create keys on premises and transfer them to Key Vault…

Read more from the source @ http://www.cio.com/article/2986308/cloud-security/is-byok-the-key-to-secure-cloud-computing.html