Bring-Your-Own-Keys: Bringing Trust into SaaS

Below is a guest post by Karthik Bhat, founder and CEO of SecureDB, a MACH37 portfolio company.  SecureDB’s Encryption as a Service product makes implementing encryption into applications fast, easy, and inexpensive for businesses of all sizes – from startups to Fortune 500.  Learn more about SecureDB at

– Ledger West, Associate Partner, MACH37

Over the last few years, a wide variety of internal business functions – HR, Payroll, CRM, e-signature, Benefits Management, Health Insurance, Project Management, etc. – have moved to respective SaaS companies. With more and more enterprises handing over their sensitive data to SaaS providers, there is a tremendous need to protect this data in the cloud using encryption. Any responsible cloud provider should be encrypting this sensitive customer data and following proper key management practices.

However, the biggest challenge of cloud encryption is: who owns the keys? Quite a number of companies will be okay with their SaaS provider owning and managing the encryption keys. Many will not.

The need of the hour is for the cloud platforms and SaaS companies to allow their customers to bring their own encryption keys – Bring Your Own Keys (BYOK). This way, customers can rely on SaaS companies without any apprehensions about data leaks. BYOK will ensure that a SaaS company’s access to customers’ business data is always controlled. Thus, cloud providers and SaaS companies can continue focusing on the core value that they provide to the enterprises, without sweating much about the security of sensitive customer data.

Why Is BYOK Important?

The beauty of BYOK is that enterprises have full control over the life cycle of the keys (generation, usage, backup, rotation etc.). The enterprise can also assign specific permissions on the encryption keys that limit what the cloud provider can do with the keys (for example, give only ‘encrypt’ and ‘decrypt’ permissions and not ‘key-rotate’ or ‘key-delete’ permissions). The enterprise can also view the key usage logs to ensure the keys are used in accordance with the agreement.

When the enterprise wants to cease using the SaaS provider, they could download their data and simply revoke the access to the key. The SaaS provider no longer will be able to view or process the data. No more worries about whether the SaaS provider has done the right and responsible thing and deleted your data.
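The permission, logging and revocation model described above can be sketched as follows. This is an added example, not SecureDB's code or any real KMS API: the `CustomerKeyService` class, the `provider_can` helper and the `saas-provider` principal are hypothetical, and the HMAC-based wrapping is a standard-library stand-in for a proper key-wrap algorithm such as AES key wrap.

```python
import hashlib, hmac, secrets

class CustomerKeyService:
    """Constructed stand-in for a customer-run key service; not a real KMS API."""
    def __init__(self):
        self._master = secrets.token_bytes(32)  # master key stays with the customer
        self._grants = {}                       # principal -> permitted operations
        self.usage_log = []                     # (principal, operation, allowed)

    def grant(self, principal, *ops):
        self._grants[principal] = set(ops)

    def revoke(self, principal):
        self._grants.pop(principal, None)

    def _check(self, principal, op):
        allowed = op in self._grants.get(principal, ())
        self.usage_log.append((principal, op, allowed))  # denials are logged too
        if not allowed:
            raise PermissionError(f"{principal}: '{op}' not permitted")

    def _prf(self, label, data):  # HMAC-SHA256; stdlib stand-in for AES key wrap
        return hmac.new(self._master, label + data, hashlib.sha256).digest()

    def encrypt(self, principal, data_key):
        self._check(principal, "encrypt")
        if len(data_key) != 32:
            raise ValueError("expected a 32-byte data key")
        nonce = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(data_key, self._prf(b"pad", nonce)))
        return nonce + ct + self._prf(b"tag", nonce + ct)

    def decrypt(self, principal, wrapped):
        self._check(principal, "decrypt")
        nonce, ct, tag = wrapped[:16], wrapped[16:48], wrapped[48:]
        if not hmac.compare_digest(tag, self._prf(b"tag", nonce + ct)):
            raise ValueError("wrapped key failed integrity check")
        return bytes(a ^ b for a, b in zip(ct, self._prf(b"pad", nonce)))

    def rotate(self, principal):
        self._check(principal, "key-rotate")
        self._master = secrets.token_bytes(32)  # a real service keeps old versions

def provider_can(kms, op, *args):
    """Attempt one operation as the SaaS provider; True if the customer's grant allows it."""
    try:
        getattr(kms, op)("saas-provider", *args)
    except PermissionError:
        return False
    return True
```

With only `encrypt` and `decrypt` granted, the provider stores wrapped data keys next to the ciphertext and must call the customer's service for every use; after `revoke`, those wrapped keys can no longer be opened, and every attempt, allowed or denied, is in `usage_log`.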

Bring Trust into SaaS
At SecureDB, we anticipate this to be the next logical step in accelerating SaaS adoption.

Bring-Your-Own-Keys (BYOK) for data encryption converts cloud and SaaS (inherently untrusted) environments into trusted environments.



Consider this: when your company is using a SaaS service, your company data is most likely sitting right next to some other company’s data – in the same table or in the same database. This means that if an attacker finds a way to compromise the SaaS provider’s database, your company data is compromised just like everyone else’s.

Enter BYOK. If the SaaS provider supports BYOK, your data is encrypted using the keys you own. Now, you are protected against a whole slew of attack vectors. You can revoke the keys at will. This is in the best interest of SaaS companies too. They can vastly reduce their exposure to risk.

Write this into the contract
Before a company hands over its data to SaaS companies, it is in the company’s best interest to ensure the SaaS company is encrypting the data. Call out specific fields that must be encrypted and provide the SaaS company with a BYOK key.

We agree, this is still a few years out. But we need to start somewhere. Please share your thoughts in the comment box below.

CISOs Don’t Want Your Analytical Tools

In his March 20th Cyber Intelligencer, Anup Ghosh nailed it with his description of the failure of our traditional Prevent, Detect and Respond strategy. As Anup proposes, given the state of our collective failure, a move toward a strategy that is focused on Containment, Identification (of compromised assets and adversaries), and regaining Control of compromised networks is a more sound approach.

In his piece, Anup correctly indicts the purveyors of Detection tools, who:

[have] only succeeded in producing prodigious alerts and data dumps that understaffed and over-worked security teams now have to wrestle with.

Few organizations have enough resources to sort through the volume of alerts their solutions provide and the terabytes of log data required to derive actionable insight at the speed and scale that is required.

As the industry and our customers move forward toward Identification and Control, information security capabilities will necessarily evolve away from emergency response and dispatch playbooks and toward more sophisticated analytical approaches. Unfortunately, given that the population of information security personnel with strong intelligence and analytical skills is about as abundant as Valyrian steel, if we don’t alter the way these tools are delivered, we are destined to fail again.

Of course, well-funded purveyors of analytical tools who have effective sales and marketing teams will be able to sell their expensive on-premise tools to large government information security organizations and the Fortune 100. But, given the volume of their data and the speed with which customers need to take action, they won’t be happy with their results.

Ironically, the good news for these vendors is that the rest of the market can’t afford to deploy their capabilities. How many non-Fortune 100 companies do you know who have advanced threat intelligence cells and big data log analysis infrastructures? So at least they won’t be pissed.

At the end of the day, I believe that even large company CISOs really don’t want to buy analytical tools. Rather, they simply want prioritized recommendations and enough confidence in the analytical rigor behind those recommendations to confidently take meaningful action.

To us, solutions that invert the analytical process – providing prioritized actions based on rigorous analysis and shared intelligence, and walking customers backwards through the analysis only if they care – are going to be winners. Using machines versus people to triage massive volumes of intelligence based on relevance and risk to an organization is inevitable. Solutions that leverage more affordable As-a-Service delivery models that enjoy economies of scale for both computational resources (i.e., elasticity) and analytical human capital make the most sense.

At MACH37, we agree with Anup. We continue to prospect for and invest in solutions that will deliver affordable advanced intelligence and analytical capabilities to satisfy the growing need for Identification and Control. We believe these solutions will allow us to avoid the mistakes of the Detection vendors, finally getting it right this time.