A Technical Overview of HYOK and RLE with Baffle DPS
As adoption of Hold Your Own Key (HYOK) and Bring Your Own Key (BYOK) continues to increase, we’ve encountered more questions around how our Baffle Data Protection Services (DPS) implementation actually works. This blog will cover some of the main components of how we enable an HYOK model for multi-tenant SaaS providers and shared data stores. The same methods can be applied to address GDPR compliance requirements or scenarios where there are disparate owners of data. We recently published a white paper that covers this topic in more detail which can be downloaded here.
To give some context for readers who may not be as familiar with these use cases, HYOK and BYOK provide a method to support a customer-owned or customer-controlled encryption key, which can be used to protect their data in a given provider's application or infrastructure. Several infrastructure-as-a-service (IaaS) and SaaS providers offer methods for customers to generate and/or provide encryption key material that is owned by the customer and used within a cloud environment. The main benefit that BYOK and HYOK approaches can offer an organization is control over the key, which, when revoked, can restrict access to data. Below are some additional resources on HYOK and BYOK:
- Bring Your Own Key for Azure Information Protection
- Select the Right Key Management as a Service to Mitigate Data Security and Privacy Risk in the Cloud (Gartner Subscription Required)
- AWS KMS Custom Key Stores
The above methods and other approaches generally are fine for single instance and single tenant scenarios. But, data is also often distributed and used by several disparate organizations, and in SaaS environments, the data stores often co-mingle data in multi-tenant environments. In operating environments such as these, a single key from a single organization will not address the needs of the many, and this is precisely where a solution such as Baffle DPS can help.
There are three main capabilities in Baffle DPS that facilitate a seamless HYOK / BYOK implementation for scaled multi-tenant solutions. First, DPS implements a key virtualization layer (KVL) that allows the software to integrate with multiple key management solutions via industry standard protocols. The solution supports Key Management Interoperability Protocol (KMIP), PKCS #11 for integration with hardware security modules (HSMs) and REST API support for many cloud key managers and secrets managers.
Second, Baffle implements a two-tier hierarchy for key management, also commonly referred to as envelope encryption. This method uses a master key (MK) that can be owned by the customer to encrypt data encryption keys (DEKs). Using this method allows customers to rotate and/or revoke their MK; the latter operation effectively invalidates the DEKs and renders the data useless in an environment.
Third, Baffle supports disparate key owners and the ability to map owners to row-level data in a multi-tenant environment. This method lets operators source multiple disparate keys (from separate tenants, entities, geographical jurisdictions or nation states) and apply them to encrypt the actual data values in a multi-tenant data store at the row level.
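As an added illustration of the two-tier hierarchy and the row-level tenant mapping described above (example code, not Baffle's own), the following constructed Python models a customer-held MK wrapping per-row DEKs in a shared table; the HMAC-based stream cipher and the in-memory TenantKeyStore are stand-ins for a real AEAD and a KMS/HSM, and all class and function names are assumptions.

```python
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for AES-GCM, not for production use.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class TenantKeyStore:
    """Stand-in for each tenant's customer-held MK; revoke() models the customer pulling it."""
    def __init__(self):
        self.master_keys = {}
    def create_mk(self, tenant: str):
        self.master_keys[tenant] = secrets.token_bytes(32)
    def wrap(self, tenant: str, dek: bytes) -> bytes:
        return seal(self.master_keys[tenant], dek)
    def unwrap(self, tenant: str, wrapped: bytes) -> bytes:
        if tenant not in self.master_keys:
            raise PermissionError(f"master key for tenant {tenant!r} has been revoked")
        return unseal(self.master_keys[tenant], wrapped)
    def revoke(self, tenant: str):
        del self.master_keys[tenant]


class SharedTable:
    """Multi-tenant rows: (tenant id, DEK wrapped by that tenant's MK, value encrypted under the DEK)."""
    def __init__(self, kms: TenantKeyStore):
        self.kms, self.rows = kms, []
    def insert(self, tenant: str, value: str):
        dek = secrets.token_bytes(32)  # fresh per-row DEK; only its wrapped form is stored
        self.rows.append((tenant, self.kms.wrap(tenant, dek), seal(dek, value.encode())))
    def read(self, tenant: str) -> list:
        # Unwrapping fails once the MK is revoked, so this tenant's rows become unreadable in place.
        return [unseal(self.kms.unwrap(t, w), ct).decode() for t, w, ct in self.rows if t == tenant]
```

The rows stay in the shared store after `revoke()`; they are simply unrecoverable for that tenant while every other tenant's rows remain readable.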
The Baffle implementation requires no code or architecture changes and performance overhead is minimal. Baffle DPS can be auto-scaled and has been measured at one to two milliseconds of overhead for encrypted traffic in environments with several billion records.
So, in summary, if your organization has concerns over its data held in other providers or you are the provider and your clients are expressing concerns, there is an easier path to satisfy the security and compliance requirements without a lot of pain and changes to your applications and infrastructure.
Download the white paper here.
See our different data protection modes here.