
The Thales 2025 Data Threat Report revealed that cloud assets such as SaaS applications, cloud-based storage, and cloud infrastructure management were the greatest targets for attack. Accordingly, 64% of organizations cite cloud security as their most pressing security priority, with secrets management being the top DevSecOps challenge.
Cloud adoption is soaring. Organizations are increasingly taking advantage of cloud computing, cloud infrastructure, and cloud platforms – often across multiple providers simultaneously. As a result, many organizations now depend on cloud-native security solutions. Controls like cloud-native encryption are an essential layer of protection, but many organizations put themselves at risk by assuming it is “good enough” in all cases. If your data is all in a single cloud, it might be. But for organizations with data across multiple clouds? You may need to consider a unified approach.
While cloud-native encryption protects data at rest and in transit, it doesn’t prevent unauthorized access by insiders or malicious actors who are armed with legitimate cloud credentials.
As data sprawls across clouds, the number of encryption processes and associated keys grows exponentially, each with its own way of generating, storing, rotating, backing up, recovering, revoking, and destroying keys. This breeds inefficiencies and exposes the organization to human error.
If a business’s encryption keys are managed by the cloud provider, is it truly in control of its data? In short, no. While cloud service providers (CSPs) do not decrypt customer data arbitrarily, under laws like the US CLOUD Act, CSPs under US jurisdiction can be legally compelled to provide access to data with a warrant or customer consent, regardless of where the data is stored. This means a CSP can be obligated to decrypt customer data even though it did not initiate the decryption itself.
It is necessary to uphold the foundational principles of least privilege access, zero trust, and separation of duties to safeguard data. This includes separating the entities that handle and store data from those that provide security services. Data storage and encryption key provision should be kept apart, a demarcation too often ignored.
For instance, CSPs encrypt data in transit and before storage, but because they also hold the encryption keys for stored data, they have direct access to any data residing on their servers. CSPs may access data for various reasons, including service maintenance, security operations, and compliance with legal requests. For the businesses that own the data, this provides little assurance, since trust rests entirely with the cloud provider.
Cloud service providers follow a shared responsibility model, but the data security buck stops with the business.
The default CSP data protection approach, in which CSPs manage data protection for their customers, includes the generation and management of keys, and the use of these keys for encrypting the user data stored by the provider. Many CSPs offer this to their customers through mature solutions that can meet a slew of low-assurance data security compliance requirements.
This is a viable solution for businesses that either handle relatively little sensitive data, are budget-constrained, use a single cloud vendor for all data storage, or do not have mature security policies or the resources to manage activities against those policies. In these cases, cloud-native encryption can be the right fit for them.
For companies in highly regulated industries or those that handle a lot of confidential or proprietary information, checking a box for basic security capabilities and relying on minimal features is not good enough. All products and services must be assessed against real requirements and threats.
To establish a comprehensive, unified approach to security across all distributed environments, security teams need to address key questions within each of the primary security areas:
Data encryption:
Key custodianship:
Access control:
Encrypting data without managing the keys can be compared to locking the door and leaving the key under the mat—encryption is only as secure as its key management. If a cloud provider controls both the encrypted data and the encryption keys, then a threat actor who gains access to the provider’s system may be able to gain access to the keys and decrypt sensitive data.
Security teams charged with securing workloads, apps, and data sets across cloud environments must address specific objectives. Sensitive data must remain confidential wherever it is: on-premises, in the cloud, or in transit. That requires persistent controls that continue to protect assets even after hardware or virtual resources have been decommissioned, or if the CSP has been subpoenaed for whatever reason.
Simply put, encryption keys protect the future of a business. When selecting the best approach for managing their encryption keys, businesses should consider the following options.
BYOK is offered by some CSPs and allows customers to generate their own keys and then import them into the Key Management System (KMS) managed by the CSP in real time. Customers can also rotate these keys and supply the CSP with the new versions. With this approach, customers can enforce strong entropy and policy rules for key generation and rotation, which may address regulatory compliance requirements. The caveat is that once these keys are handed to the CSP, key management and storage are done by the CSP.
For greater control, some businesses opt for the HYOK approach if offered by the provider. This approach provides the first genuine separation of duties between the customer and the CSP. This approach sees the CSP handling encryption and decryption of the business’s data, but it does not manage the keys. These are generated and managed by the business, directly or through an independent third party like a key broker.
The CSP requests access to these keys when it needs to perform encryption or decryption. Once the operation is complete and the keys are no longer required, the CSP erases them from its cache, so they are never persisted by the CSP. The customer can opt to host the keys in a KMS in its own data center or use a separate cloud service.
The following comparison table summarizes the key similarities and differences between BYOK and HYOK.
| Aspect | BYOK (Bring Your Own Key) | HYOK (Hold Your Own Key) |
|---|---|---|
| Key Generation | Customer generates the encryption keys | Customer generates the encryption keys |
| Key Storage | Keys are imported into the CSP-managed Key Management System (KMS) | Keys are stored externally (customer data center or third-party KMS) |
| Key Control | Shared control – customer creates and rotates, CSP stores and manages the keys | Full customer control – CSP has no persistent access to keys |
| Separation of Duties | Limited – CSP manages keys after import | Strong – CSP only requests temporary access to keys for operations, then purges them |
| CSP Role in Key Lifecycle | CSP handles key storage and management | CSP only uses keys temporarily for encryption/decryption; does not manage them |
| Compliance Benefits | Enables policy enforcement and entropy rules, supports compliance | Provides stronger compliance posture through full customer control and separation of duties |
| Suitable For | Organizations with moderate control requirements and cloud-native needs | Organizations needing maximum control, such as highly regulated industries |
External Key Management Systems allow businesses to store keys separately from the cloud provider, imposing a more robust separation of duties. A dedicated KMS ensures compliance by keeping keys outside cloud provider control, enforcing granular access policies, and enabling auditing and logging.
An external KMS brings a number of advantages, and, crucially, these systems need not introduce unnecessary complexity or inefficiency:
Automation & API Integration: Modern external key management solutions natively integrate with cloud-native services via APIs, enabling organizations to automate key life cycle management without compromising performance or scalability.
No Interference with DevOps Pipelines: Developers can keep their cloud-native workflows as they are, without settling for weaker encryption practices, so security does not impede agility, speed, or innovation.
Cross-Cloud Mobility: With centralized management of keys, organizations can securely move workloads between cloud providers, free from vendor lock-in, while having consistent security policies across environments.
More Security with Less Complexity: External key management, when deployed correctly, bolsters encryption, compliance, and control without creating operational drag, and offers clear protection of sensitive information.
Security is one consideration—compliance is another driver of advanced encryption and KMS. Regulatory frameworks like GDPR, DORA, PCI-DSS, and HIPAA impose strict encryption controls that exceed what cloud-native tools provide. In addition, data sovereignty is a requirement that cannot be met if a cloud provider has full control over encryption keys.
Data privacy regulations, including the GDPR and the CCPA, set stringent compliance requirements and impose severe penalties for breaches that expose consumer data. Countries worldwide are introducing their own data sovereignty laws, tightening the compliance landscape further.
Regarding cross-border data flows, the EU-U.S. Data Privacy Framework (DPF) requires participating organizations to implement robust security measures to protect personal data from loss, misuse, and unauthorized access. Organizations are therefore expected to adopt appropriate safeguards, including proper key management practices, to retain control over data protection.
Against this backdrop, Gartner predicts that by 2027 more than 60% of organizations will use a KMS to augment or replace native cloud service provider (CSP) key management, driven by the growing impact of global data residency and privacy compliance.
To provide true data security in the cloud, businesses must transcend default cloud-native encryption and take control of their encryption keys. The use of third-party key management solutions and the enforcement of separation of duties are at the forefront of providing cybersecurity, compliance, and data sovereignty in an increasingly cloud-dependent world.