With BYOK recently in Early Access for Atlassian, more and more companies are enabling this feature. This post is an introduction for admins who don't have experience with key management or AWS. Fingers crossed it will be available soon.
It's Q1, budgets have opened up for the year, and your teams have started looking at new tools to improve how they work. They've decided on a major SaaS platform and started the process to procure the app. Inevitably, your security team begins to review the request and is concerned about the data that employees will share within the app, and about putting too much trust in the vendor and their cloud. The whole project comes to a screeching halt and the business is frustrated.
The above scenario is an extremely common occurrence in today's corporate environment. The IT/Security team is left grappling with meeting the business and user experience needs while keeping critical information from falling into the wrong hands. SaaS apps inherently carry more risk because you have to trust that the vendor has a robust security posture and is encrypting the data you put in it. On top of that, you have to trust that they are securing the encryption keys used to do so. It's like getting a storage unit, giving the keys to your lock to the front desk person, and relying on them to keep it safe and never enter your unit without permission. It's a lot of trust, and the constant data breaches in the headlines have shown that it's not a good way to operate.
To solve this, there is a new standard popping up among major SaaS companies like Salesforce, Slack (now part of Salesforce), Atlassian, Box, Asana, Miro/Mural, etc. This new standard allows companies to manage their own encryption keys, preventing the risk of the keys being stolen and preventing the vendor from accessing your data at will. This is known as Bring Your Own Key (BYOK), or Enterprise Key Management (EKM).
Note: An Enterprise tier plan for each app is most likely required to use this feature.
Amazon Web Services (AWS) offers its own key management product, called AWS Key Management Service (KMS), which allows you to generate keys for other products. In this article, we'll explore what AWS KMS is, how it works, and how you can set it up to use with your company's SaaS applications.
AWS KMS is Amazon's service for generating, storing, and administering encryption keys. AWS KMS uses AES-256 as its encryption standard, which is considered to be one of the most secure encryption algorithms available. This service is often used to protect data and applications that are hosted in your own AWS environment.
If you want a deeper dive, here's a great overview of AWS KMS and how Slack uses the technology to encrypt data today:
Bring Your Own Key (BYOK) is a security feature that enables customers of SaaS applications to use their own encryption keys to protect their data in the vendor's cloud.
Typically, SaaS vendors would encrypt your data themselves. If they host their application in AWS, it's likely that they use AWS KMS on their own and store your keys on their side. Theoretically, this can be a risk, as the SaaS vendor can use the keys to access your data as they please. BYOK allows you to provide your own keys to encrypt the servers in their AWS account, reducing this risk since you are responsible for controlling who can access the data and how the keys are stored.
Using BYOK can help meet regulatory requirements, as some industries require that certain data be encrypted using keys that are managed and controlled by the customer. BYOK can also help mitigate the risk of data breaches, as even if a cloud provider's infrastructure is compromised, the attacker would not have access to your encryption keys.
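To make "you control who can access the key" concrete, here is an added example (not from the original post or any vendor's documentation) that builds a KMS key policy in which the customer account administers the key and the vendor account may only use it, then audits a policy for anything broader. It assumes the vendor reaches your key through a cross-account key policy statement; the account IDs are constructed placeholders, the function names are hypothetical, and the exact actions a given vendor needs come from that vendor's setup guide.

```python
import json

# Cryptographic-use actions assumed sufficient for a vendor; key policy
# changes, disabling and deletion stay with the customer account.
VENDOR_USAGE_ACTIONS = {
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
    "kms:GenerateDataKey*", "kms:DescribeKey",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def build_byok_key_policy(customer_account, vendor_account):
    """Key policy: customer administers the key, vendor may only use it."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "CustomerAdministersKey", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{customer_account}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "VendorUsesKey", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{vendor_account}:root"},
             "Action": sorted(VENDOR_USAGE_ACTIONS), "Resource": "*"},
        ],
    }

def audit_key_policy(policy, customer_account):
    """List statements that give a non-customer principal more than usage."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        external = [a for a in arns if customer_account not in a]
        excess = [a for a in _as_list(stmt.get("Action", []))
                  if a not in VENDOR_USAGE_ACTIONS]
        for arn in external:
            if arn == "*":
                findings.append(f"{stmt.get('Sid')}: wildcard principal")
            for action in excess:
                findings.append(f"{stmt.get('Sid')}: {arn} allowed {action}")
    return findings

if __name__ == "__main__":
    # Constructed account IDs: 111111111111 = customer, 222222222222 = vendor.
    policy = build_byok_key_policy("111111111111", "222222222222")
    print(json.dumps(policy, indent=2))
    print(audit_key_policy(policy, "111111111111"))
```

Running the audit against the policy on an existing key before handing its ARN to a vendor shows whether the vendor could change the policy or delete the key, which would undo the separation BYOK is meant to provide.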