“If you lose your keys, all the data encrypted to the key is gone forever,” Plastina says. “When the key is transferred from their infrastructure into our HSM, it’s done in a way we can’t see it, so if the customer comes back and says the building burned down and the HSM is gone, then all the keys are gone and that’s it – game over. As the saying goes, with great power comes great responsibility. People need to be up to the task if they want to get involved.”
Service-managed keys can give you the assurances of per-tenant and per-subscription keys, with segregation of duties and auditing, without the headache of managing keys. “But with BYOK, we’re requesting customers get involved in a significant way,” Plastina says. “That means setting up vaults, managing vaults; in some cases, that requires HSM-backed keys, so they’re purchasing an HSM on premises, they have to run their own quorums for administrators’ smart cards and PINs, they have to save smart cards in the right place. It definitely raises the burden on them.”
Bring your own bank
If you’re considering whether bringing your own keys – which also means securing your own keys – is right for your business, the first question to ask is whether you are ready to become a bank, because you will have to run your key infrastructure with the same rigor, down to considering the travel plans of the company’s officers. If three people are authorized to use the smart card that gives access to your key, you never want all three of them on the same plane.
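Plastina’s mention of quorums for administrators’ smart cards, and the rule about never putting all three card holders on one plane, both describe k-of-n key custody. The Python below is an illustration added here, not code from Microsoft, Azure Key Vault or any HSM vendor, and it assumes a quorum can be modelled as Shamir secret sharing over a prime field (how a given HSM actually implements its smart-card quorum is vendor-specific). A 32-byte key is split into three shares, standing in for three smart cards, so that any two recover it, one alone cannot, and if all three are lost there is nothing left to recover.

```python
import secrets

# Prime field for Shamir secret sharing. 2**521 - 1 is a Mersenne prime,
# large enough to hold a 256-bit key as a single field element.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... at x, mod PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_key(key: bytes, n: int, k: int):
    """Split key into n shares (x, y) such that any k of them reconstruct it.

    The key is the constant term of a random degree-(k-1) polynomial; each
    share is the polynomial evaluated at a distinct non-zero x.
    """
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key too large for the field")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def combine_shares(shares, k: int, key_len: int) -> bytes:
    """Recover the key by Lagrange interpolation at x = 0 from k shares.

    Fewer than k shares is a quorum failure: with k-1 shares every possible
    key is equally consistent, so we refuse rather than return garbage.
    """
    if len(shares) < k:
        raise ValueError(f"quorum not met: have {len(shares)} shares, need {k}")
    shares = list(shares)[:k]
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        # Modular inverse via Fermat, since PRIME is prime.
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret.to_bytes(key_len, "big")


def custody_scenarios(key: bytes):
    """Model three card holders with a 2-of-3 quorum under the article's scenarios.

    Returns a dict mapping scenario name -> True if the key is recoverable.
    """
    cards = split_key(key, n=3, k=2)  # three smart cards, any two unlock

    def recoverable(surviving):
        try:
            return combine_shares(surviving, k=2, key_len=len(key)) == key
        except ValueError:
            return False

    return {
        "all cards present": recoverable(cards),
        "one officer lost (card 2 gone)": recoverable([cards[0], cards[2]]),
        "two officers lost": recoverable([cards[1]]),
        "all three on the same plane": recoverable([]),  # nothing to recover
    }


if __name__ == "__main__":
    demo_key = secrets.token_bytes(32)  # constructed sample key
    for scenario, ok in custody_scenarios(demo_key).items():
        print(f"{scenario:32s} -> {'recoverable' if ok else 'KEY LOST'}")
```

The point the example makes is the one Plastina makes: the quorum protects against losing one custodian, but nothing protects against losing the quorum itself. A real deployment would also need to cover how shares are generated inside the HSM, how card PINs are handled, and where the cards are stored, none of which a software model can stand in for.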
The burden of securing those keys means that although some Microsoft customers, particularly in the automotive industry, have opted for BYOK, “others say ‘we trust Microsoft is going to do the right thing’,” says Plastina. “They all start by saying ‘I want to be in control,’ but as they see the responsibility and they understand to what extreme lengths Microsoft is taking this responsibility, they say ‘why don’t you just do it.’ They don’t want to be the weaker link in a chain.”
Even some New York financial institutions, who initially wanted BYOK that ran against their own on-premises HSMs, decided against that when they considered what could go wrong, says Rich. “An HSM could have been powered down, taking out a vast swathe of the user base. They quickly got the idea that this is potentially a great denial-of-service attack that a malicious insider or attacker performs on the company. These are our most sophisticated customers, who are highly sensitive to the fact that this is a big responsibility but also a threat of potential destruction, whether that’s accidental or malicious.”