If anyone has successfully used Bring Your Own Key (BYOK) in the cloud: Which Hardware Security Module (HSM) or key management method did you use, and with which cloud service provider(s) (CSP)? Any advice to an organization considering this option?

CTO for Digital & IT in Healthcare and Biotech, 2 years ago

We have looked into doing this with Azure, AWS, Salesforce and Google Workspace using technology from Thales called CipherTrust (and specifically CipherTrust Cloud Key Manager), though we didn't actually move forward due to shifting priorities and budgets. The technology itself works fine, but do be aware that the pricing approach can be tricky if you have very large numbers of AWS accounts / Azure subscriptions / GCP projects to deal with.

I think the main thing when dealing with BYOK is to ensure that everyone is clear about what you are and are not buying in terms of security. Most people are convinced that BYOK is a magical means to protect against all sorts of threats. Sure, it's a useful thing from a compliance perspective if you need to tick a box saying "we are encrypting with keys we manage ourselves", but in terms of real added security value beyond what you get with the native cloud encryption (without BYOK) there just isn't much. All those cloud vendors have robust encryption platforms, and if you're concerned that the platforms have some kind of government-agency backdoor in them, BYOK won't really help, and it's much the same for Hold Your Own Key (HYOK). 

no title, 2 years ago

Many thanks Jeremy!

no title, 8 months ago

Hey... We have successfully implemented BYOK for multiple cloud providers. We are an OEM for HSM and KMS and also offer a BYOK solution. You may want to visit www.jisasoftech.com
