Alibaba Cloud Now Supports Data at Rest Encryption with Bring Your Own Key (BYOK)
At the cloud product layer, data security is mainly embodied in products’ security features, such as end-to-end data encryption, backup, and verification of cloud products. Among these, end-to-end data encryption is a best practice in the field of data encryption protection. End-to-end data encryption provides advanced data encryption capabilities on transmission links (i.e. data-in-motion), compute nodes (i.e. data-in-use), and storage nodes (i.e. data-at-rest). For encryption in storage nodes, cloud services can be integrated with Alibaba Cloud’s Key Management Service (KMS) to offer data-at-rest encryption with Customer Managed Keys.
Alibaba Cloud now lets you bring your own keys (BYOK) to KMS. Users can upload key materials securely (BYOK) to KMS, and use that to secure their cloud assets in services that are integrated in KMS. This feature, together with products like VPN Gateway and SGX protected ECS servers, help to provide users with comprehensive end-to-end data encryption.
What Is BYOK Encryption?
A BYOK model allows you to generate your own encryption keys materials and to upload the self-generated keys to your Key Management Service (KMS) on the cloud, thus giving you full control over the lifecycle of the uploaded keys. This provides your organization with continuous ownership and better control of how data are encrypted. BYOK is ideal for organizations who already have their own hardware security module (HSM) or key management system (KMS), and would like to have full control of how the keys are being generated.
Some users, especially smaller businesses, may be prefer having a cloud provider managing all aspects of data encryption for information stored on the cloud, and they can generate their own customer master key (CMK) on Alibaba Cloud’s KMS and have control over the lifecycle of the CMKs in a similar fashion as keys being uploaded via the BYOK function. Medium and large businesses, especially for those with complex organizational structures and who are subject to strict regulations on data privacy requirements, can benefit from using BYOK services.
Introducing Alibaba Cloud BYOK
Alibaba Cloud now supports both “Bring Your Own Key” (BYOK) and customer managed keys, helping you protect highly sensitive workloads while giving you greater control over the lifecycle and durability of your keys. Alibaba Cloud BYOK is a security feature that protects customers’ data-at-rest by providing encryption controls and transparency to customers, on top of the holistic data protection for in-transit and in-compute already provided on our cloud architecture. The new BYOK feature now supports Alibaba Cloud Elastic Compute Service (ECS) Cloud Disks, Object Storage Service (OSS) and ApsaraDB for RDS instances.
Note: At the time of writing, the BYOK function for ECS cloud disks is only available in Singapore, HK, and Shanghai regions. The BYOK feature supports RDS for MySQL versions 5.6 and 5.7, and is still in beta release.
An OSS Example: How to Use Alibaba Cloud BYOK?
Protecting static data with server-side encryption (SSE) means that when data is stored to a disk in a data center, the data is encrypted at the object level and is automatically decrypted when the data is accessed. Users only need to verify that the request has access. Currently, Alibaba Cloud OSS supports the following server-side encryption methods:
- Server-side encryption fully managed by OSS (SSE-OSS): In this method, OSS uses AES256 to encrypt each object with an individual key. The individual keys are then encrypted by a customer master key (CMK) that is updated periodically for higher security. This method applies to encrypt or decrypt bulk data.
- Server-side encryption using the default managed CMK (SSE-KMS): In this method, OSS generates an individual key to encrypt each object by using the CMK. This method is cost-effective because you do not need to send user data to the KMS service side through networks for encryption and decryption.
Note: You cannot apply two different types of server-side encryption to the same object at the same time.
For server-side encryption using a CMK (SSE-KMS), a CMK can be generated in the following methods:
- Using the default CMK managed by KMS.
- Use a CMK specified by the user.
- Use the BYOK material of the user as the CMK.
The following table shows the logic of SSE-KMS.
Server-side encryption using a CMK specified by the user (SSE-KMS): In this method, OSS generates an individual key to encrypt each object by using the specified CMK. You can use the BYOK material of the user as the CMK.
You can import your BYOK material into KMS as the CMK as follows:
- Create a CMK without key material.
- Import the key material from an external source.
To learn more about BYOK on OSS, visit https://www.alibabacloud.com/help/doc-detail/31871.html