Clumio announces $75M Series D and 4X YoY growth in ARR

// 21 Mar 2024

The pros and cons of Bring Your Own Key (BYOK) with IaaS and SaaS providers: An in-depth analysis

Jacob Berry
Jacob Berry, Field CISO

With the ever-increasing adoption of SaaS, PaaS, and IaaS products, a platform security feature known as Bring Your Own Key (BYOK) has garnered attention for its ability to enhance data security and control.

Clumio’s implementation of BYOK offers a compelling case study for its usage. BYOK enables our customers to increase their security control, and gain transparency into how and when their data stored within Clumio is read.

However, as with any technology, it’s crucial to weigh the benefits against the potential drawbacks to make an informed decision about using a feature.

Note: The information presented is intended to be general and applicable advice for any SaaS platform; however, it may not apply in all situations. The analysis in this article is based on AWS systems, Key Management Services, and Encryption services. Each situation should take into account the organization’s business objectives and risk tolerance.

Understanding the BYOK dilemma

Backup data is intended to be an immutable copy that can be resilient to cyber attacks. As part of building systems with strong resilience to cyber attacks, we want to ensure that compromise of an account (or generalized unauthorized access) cannot lead to negative impacts on data integrity and availability.

When using Clumio or other SaaS solutions in the off-the-shelf configuration (i.e. electing to have the service provider manage encryption and associated keys, not using BYOK) you inherently gain an out-of-band set of management controls for your backup encryption keys. This means an attacker who has compromised or gained administrative rights in your primary data environment cannot access or affect the data stored in the SaaS platform, assuming the data is immutable by default as it is with Clumio.

If you choose to use BYOK, you do not inherit these out-of-band controls. This places a burden on the end user to carefully evaluate how the BYOK key will be managed, and what impact an attack may have if the keys’ confidentiality is compromised.

Let’s examine this in more depth starting with the advantages of BYOK, the disadvantages, and best practices to mitigate risk of key compromise when electing to use BYOK.

Advantages of BYOK in IaaS/SaaS backup models

BYOK offers two significant advantages: a clear audit trail of key usage and the ability to revoke access, rendering data unreadable.

This level of control is crucial for organizations that prioritize self-control of data access and need to meet strict compliance and regulatory requirements. With BYOK, businesses can manage encryption keys according to their policies, providing a layer of transparency that is often demanded in highly regulated industries.

With BYOK you can prove when data was read (decrypted) and compare that to expected actions of your SaaS solution. In the case of Clumio, this means you should only see decryption events when a user initiates the restore of a backup.

Audit trail for transparency of key use

Having a detailed audit trail is vital for security audits and compliance. BYOK ensures that every access and operation performed with the encryption key is logged, enabling organizations to monitor and review how data is accessed and by whom. This feature is particularly useful in detecting unauthorized access to data.

In other words, BYOK provides a mechanism to detect unauthorized access to data in a vendor’s environment. This can be used as a compensating control if storing data in a third-party environment makes your security neck hairs stand up.

Ability to revoke access

If you’re worried about a potential compromise of your SaaS provider, and therefore a perceived risk to the confidentiality of the data stored with that provider, the ability to revoke access to encryption keys ensures that sensitive data remains secure. This rapid response capability can provide a safe backstop to storing data with third parties.

Risks of BYOK within IaaS/SaaS backup

While BYOK offers enhanced control, it also introduces risks if encryption keys are not adequately protected against threats like rogue employees or advanced persistent threats (APTs). In the case of backups, the integrity of the data could be compromised if keys are deleted or mishandled, undermining the very purpose of data backups as a fail-safe in disaster recovery scenarios.

This is a good reminder that BYOK is only as useful as the user’s ability to protect the keys’ confidentiality.

Mitigating risks of BYOK

To address these concerns, organizations must adopt a comprehensive security strategy that includes the following:

  1. Develop a clear threat model to understand the potential impact of compromised accounts and compromised keys. Understand what type of attacks you are likely to face and how the attackers have operated in the past. Use threat-informed defense modeling.
  2. Identify personal accounts, credentials, and access methods that could be used to delete KMS keys. Remember, “only a few people have the ability to do this” limits risk, but isn’t a systematic approach to risk management. As they say, “Hope is not a strategy.”
  3. Follow at minimum the AWS security maturity model architecture and ensure the principle of least privilege is enforced across the organization:
  4. Create and implement a zero-trust strategy, with separate management for KMS keys used for backups to prevent compromise.
  5. For those requiring higher security, establish an out-of-band AWS organization and account, specifically for critical incident response services and KMS keys. This approach minimizes the risk of crossover controls compromising backup integrity.
    • Systems should not share a commonality of access controls such as identity providers.
    • Cross-environment roles should be limited to restrict lateral movement.
    • Include this scenario in your pen testing, or purple teaming. I highly recommend war gaming in a purple team manner if you have the resources to test the integrity of your system.
    • Limit and compartmentalize personnel who have access to revoke or access keys; if a backup administrator’s account is compromised by a third party, the damage would be limited if the compromised account has no access to key management.


The decision to adopt BYOK with any SaaS platform, including Clumio, should be made after carefully considering the balance between enhanced security control and the potential risks associated with key management.

Implementing the recommended security measures can mitigate these risks, ensuring that the integrity of backups remains secure. Ultimately, BYOK’s value lies in its ability to offer organizations greater control over their data security, but this control comes with the responsibility of rigorous key management.

Want to keep reading? Download Secure, Immutable, Air-gapped Data Protection to learn more about Clumio’s security advantages, then read our blog for instructions on how to enable BYOK in your Clumio environment.

Jacob Berry

About the author

Jacob is Clumio’s Field CISO with a background in Cyber Security and Technology, focused on helping customers build secure cloud operating environments. He has extensive experience in offense and defense security, security operations, and working across multiple verticals in both private and public sectors.