This paper describes security best practices for protecting sensitive data in the public cloud, and explains concepts such as Bring Your Own Key (BYOK), Hold Your Own Key (HYOK), Bring Your Own Encryption (BYOE), key brokering and Root of Trust (RoT). It explains the level of data protection that can be achieved by using the cloud-native encryption and key management service, and how it can be augmented by allowing customers to take more responsibility for and control over their keys.