Primary key holder | Fortanix Blog

In a drive to streamline processes and improve cost efficiency, organisations are entrusting an ever-increasing amount of sensitive data to public cloud providers. Indeed, a majority of organisations are now using multiple cloud services, with recent research from Gartner confirming that 81 per cent of public cloud users have two or more providers.

Despite the clear benefits of migrating to the cloud, organisations also take on new risk, because they give up control of how their data is secured. This is exacerbated when sensitive information is spread across several providers, since the business then has little oversight of how it is being secured and handled in each environment. Until now, businesses have had little option other than to trust that their cloud providers protect their information adequately.

Clearly this is far from ideal, particularly with increasing pressure from regulators over how data held by third parties is protected. For example, under both the GDPR and the CCPA a business can be penalised when personal data it has passed to a third party is breached without appropriate safeguards in place, and encryption is one of the safeguards both regimes name. Further, PCI DSS requires firms that handle card payments to keep the keys that protect stored cardholder data separate from that data and under tightly restricted access, so that a breach of the data store alone does not also yield the keys; holding the data with one provider and the keys under separate control is one way to satisfy this.

Yet organisations can have all the advantages of using public cloud services while ensuring that their data is safe through generating and centrally managing their own encryption keys.


In an attempt to address customer concerns about security and control, many cloud providers offer a Bring Your Own Key (BYOK) interface, through which organisations can generate their own encryption keys. In reality, however, this gives users little control: the key material has to be exported from the customer's environment and imported into the cloud provider's key management system (KMS), which then holds the key and performs every cryptographic operation with it. Where businesses use several cloud providers as well as on-premise environments, they end up with multiple KMSs to monitor, which makes oversight complex and costly and leaves a copy of the keys exposed to each provider's administrators.

To address these problems of control and oversight, a number of vendors now offer Bring Your Own Key Management System (BYOKMS) services, which let users create, manage and store their own encryption keys outside the cloud provider's platform, with the provider calling out to that external system whenever a key is needed.


There are many benefits to taking back control of cryptographic keys from cloud providers through BYOKMS. Firstly, organisations can store their keys in a data centre of their choice and decide who may use them, rather than leaving that decision to the cloud provider. Because every use of a key has to go through the organisation's own system, businesses can attach access policies to their keys, for example restricting which applications or users may use a key, from which locations and at what times, and revoking access outright when needed.
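The contrast between BYOK (the provider holds and uses the key) and BYOKMS (the provider holds only wrapped data keys and must ask the customer's key service for every use) can be made concrete in code. The following is an added example, not code from the original post or from Fortanix: a customer-run key service that checks each wrap/unwrap request against a who/where/when policy and logs it, and a provider-side object store doing envelope encryption that cannot read anything without a successful unwrap. All class and policy field names (`ExternalKMS`, `CloudObjectStore`, `principal`, `region`, `hour_utc`) are assumptions, the sample card record is constructed, and an HMAC-SHA256 counter-mode cipher with encrypt-then-MAC stands in for AES-GCM so the script runs on the standard library alone.

```python
# Illustrative BYOKMS flow (added example, not Fortanix code). The provider side
# keeps only ciphertext and wrapped data keys; every use needs a call to the
# customer-run key service, which enforces policy and audits the request.
# Assumed: all class/field names; HMAC-SHA256 counter mode stands in for AES-GCM.
import hashlib
import hmac
import os

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()  # domain-separated subkey

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def aead_seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    # Encrypt-then-MAC; output layout is nonce || body || tag.
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + aad + body, hashlib.sha256).digest()
    return nonce + body + tag

def aead_open(key: bytes, blob: bytes, aad: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + aad + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))

class ExternalKMS:
    """Customer-run key service: KEKs never leave it; each call is policy-checked."""
    def __init__(self):
        self._keks, self._policies, self.audit = {}, {}, []

    def create_key(self, key_id, principals, regions, hours):
        self._keks[key_id] = os.urandom(32)  # hours=(8, 18) permits 08:00-17:59 UTC
        self._policies[key_id] = dict(principals=set(principals), regions=set(regions), hours=range(*hours))

    def revoke(self, key_id):
        # Crypto-shredding: ciphertext still held by the provider becomes unreadable.
        del self._keks[key_id], self._policies[key_id]

    def _authorize(self, key_id, op, ctx):
        pol = self._policies.get(key_id)
        ok = (pol is not None and ctx["principal"] in pol["principals"]
              and ctx["region"] in pol["regions"] and ctx["hour_utc"] in pol["hours"])
        self.audit.append((key_id, op, dict(ctx), "allow" if ok else "deny"))
        if not ok:
            raise PermissionError(f"{op} on {key_id!r} denied for {ctx}")

    def wrap(self, key_id, dek, ctx):
        self._authorize(key_id, "wrap", ctx)
        return aead_seal(self._keks[key_id], dek, key_id.encode())

    def unwrap(self, key_id, wrapped, ctx):
        self._authorize(key_id, "unwrap", ctx)
        return aead_open(self._keks[key_id], wrapped, key_id.encode())

class CloudObjectStore:
    """Provider side: fresh DEK per object; stores only ciphertext and wrapped DEKs."""
    def __init__(self, kms, key_id):
        self.kms, self.key_id, self._objects = kms, key_id, {}

    def put(self, name, data, ctx):
        dek = os.urandom(32)
        wrapped = self.kms.wrap(self.key_id, dek, ctx)
        self._objects[name] = (wrapped, aead_seal(dek, data, name.encode()))

    def get(self, name, ctx):
        wrapped, blob = self._objects[name]
        dek = self.kms.unwrap(self.key_id, wrapped, ctx)  # raises if policy denies
        return aead_open(dek, blob, name.encode())

def _attempt(store, name, ctx):
    try:
        store.get(name, ctx)
    except PermissionError:
        return "denied"
    return "allowed"

def demo():
    kms = ExternalKMS()
    kms.create_key("cards-kek", {"payments-svc"}, {"eu-west-1"}, (8, 18))
    store = CloudObjectStore(kms, "cards-kek")
    ok = {"principal": "payments-svc", "region": "eu-west-1", "hour_utc": 10}
    store.put("txn-0001", b"PAN=4111********1111;amount=42.00", ok)  # constructed sample
    results = {
        "in_policy": store.get("txn-0001", ok),
        "wrong_region": _attempt(store, "txn-0001", {**ok, "region": "us-east-1"}),
        "off_hours": _attempt(store, "txn-0001", {**ok, "hour_utc": 23}),
        "cloud_admin": _attempt(store, "txn-0001", {**ok, "principal": "cloud-admin"}),
    }
    kms.revoke("cards-kek")  # customer pulls the key; the provider's copies are now useless
    results["after_revoke"] = _attempt(store, "txn-0001", ok)
    results["denied_in_audit"] = sum(1 for e in kms.audit if e[-1] == "deny")
    return results
```

Running `demo()` returns the plaintext only for the in-policy request; the wrong-region, out-of-hours and cloud-administrator attempts are refused by the customer's KMS before any key material is released, and after `revoke()` even a fully compliant request fails, although the provider still holds every byte it ever stored. Under BYOK the equivalent steps would all succeed, because the provider's own KMS holds the key and answers to the provider's access controls, not the customer's.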

BYOKMS also supports a centralised system for managing cryptographic keys and certificates across all of an organisation’s IT environments, whether public, hybrid, private cloud, or on-premise. This reduces the costs, resource demands, and the complexity of keeping abreast of multiple key management systems.

Additionally, central storage, oversight and control of the encryption used across all environments makes it easier for businesses to demonstrate to regulators and auditors that they meet data security requirements. In particular, firms that take card payments and follow the BYOKMS approach can hold cardholder data in the cloud while the keys that protect it remain separate and under their own control, which addresses the PCI DSS requirement to keep those keys apart from the data and under restricted access.

Wherever a business stores sensitive data and however it is used, a system must be in place to ensure that it is protected at all times. Having complete oversight and control of encryption is the most effective way of ensuring that data is safe in all environments.

Originally published at

Fortanix™ has created the world’s first runtime encryption solution. Enterprises get provable, portable, and preventive security for their applications!