Apple Lets Consumers BYOK; Is Your Cloud Provider Following Suit?

By Ameesh Divatia, CEO and co-founder | January 10, 2023

Consumers are used to having their messages encrypted end-to-end so that only those with whom they are communicating can see their messages. But, what about their pictures and documents that are stored in the mobile service provider’s environment? Now, Apple has launched its Advanced Data Protection feature for iCloud’s 850 million users and their 1.8 billion connected devices. Apple’s new opt-in offering will provide consumers with end-to-end encryption for their assets and not just messages, ensuring that only the owner of that iCloud account can access that data, giving them unprecedented control. In the event of a breach or insider threat, Apple users’ data will remain safely encrypted, with keys that they control — even law enforcement officers with a warrant won’t be able to access iMessage archives, photo galleries, or anything backed up to iCloud.

This move comes as Apple implements a suite of other modern security measures, including offering users the ability to verify their identity in iMessage and to use hardware keys such as YubiKeys for two-factor authentication. Security professionals have campaigned for Apple to implement the feature—which is analogous to Bring Your Own Key (BYOK) encryption in the enterprise space—after a host of iCloud breaches have leaked the unencrypted private data of politicians, celebrities, and private citizens. Apple announced that it sees the feature as central to its mission of protecting users’ privacy. The company also stated that as data threats become more sophisticated, the security options made available to consumers must keep pace.

Additionally, Apple’s implementation of end-to-end encryption sends a strong message that it prioritizes customers’ right to privacy and security.

Encryption Key Control is Non-negotiable

By offering end-to-end encryption to nearly a billion users, Apple sets a precedent for the industry at large. If Apple is relinquishing control over encryption keys for consumers, it should also be non-negotiable for enterprise-grade cloud providers to do the same. Data breaches can be highly damaging and embarrassing for individuals. The same is true for companies, many of which are legally obligated to comply with an ever-evolving field of data privacy regulations

BYOK and the stricter Hold Your Own Key (HYOK) security models allow organizations to maintain ownership of their data assets without owning the cloud infrastructure they are using. Both models create a fail-safe mechanism so that if data is stolen, it causes no damage since it is encrypted. These methods prevent the cloud service provider from being able to access the data. While users in a BYOK model generate and submit their keys to the cloud, the HYOK model operates differently. Keys remain in the possession of the user at all times and data is encrypted prior to being sent to the cloud. These models allow organizations to securely move to cloud platforms and continue to maintain the utility of their data by embracing  privacy-preserving analytics capabilities.

A Call to Arms for Cloud Service Providers

Apple’s actions are a ‘call to arms’ to Cloud Service Providers (CSPs), urging enterprise customers to move their sensitive data to the cloud. These enterprises will demand a similar level of control to ensure that the providers can never gain access to that data by encrypting that data. Such solutions exist and give the providers the ability to allow their customers to implement their end of the Shared Responsibility Model.

How Baffle’s BYOK Service Can Help

With Baffle’s Data Protection Service, cloud service providers can allow their enterprise customers to store and use data in cloud environments while securing it with a BYOK or HYOK model. It works seamlessly across multiple cloud environments without requiring application and architectural changes or dedicated instances. SaaS providers can easily implement the Baffle’s key virtualization layer, which integrates with hardware security modules (HSMs), cloud key managers, and security managers to source customer-owned keys. This key integration can be integrated into cloud-native services with no redesigns or application code changes.To learn more about Baffle’s support for BYOK and HYOK models, schedule a live demo today.