Cloud Key Management

BYOK and Key management - Call 4 Review!!!

    Posted Jan 18, 2023 07:13:00 AM
    Dear Members,

    The clarity required with use of BYOK and key management was a topic we briefly discussed during one of our 2022 working group calls.

    Now, the security architecture team at Nomura have prepared a draft vendor BYOK guidance to share with our WG and request our feedback.
    Please see - Draft Vendor BYOK Solution Guidance.pdf attached to this post.

    Below follows also an extract of the current cloud governance principles relating to Encryption.
    With BYOK selected as mandatory several years ago, around 80% of vendor SaaS providers do not support BYOK.

    For SaaS applications, the following is non-negotiable when it comes to the vendor and would need to be attested before contractual approval and service onboarding:

    • Encryption:
      • Data in transit and data at rest encryption a must
      • "Bring Your Own Key" (BYOK) mechanisms requiring the organization-generated key mandatory
      • All private/master encryption keys must be kept on the organization's premises

    Any questions you might have, please don't hesitate to ask.

    Warm regards,
    Marina

    ------------------------------
    Marina Bregkou,
    Senior Research Analyst,
    CSA
    ------------------------------
