
Why you should host your own Encryption Gateway

As of 2022, over 60% of corporate data was stored in the cloud, and this number is growing. Most organizations rely on cloud service providers (CSPs) like Microsoft Azure, Amazon Web Services (AWS), or Google Cloud Services (GCS), as well as various cloud Software as a Service (SaaS) providers, for critical operations including Enterprise Resource Planning (ERP), Customer Relationship Management (CRM), Human Resource (HR) systems, customer support, ticketing, document management and productivity tools, to name but a few. This shift to cloud-based solutions has brought unprecedented convenience and scalability, but it has also introduced new challenges in data security and privacy.

As organizations expose more data to these providers, securing sensitive and regulated data during collection, processing, and storage has become a fundamental security and regulatory consideration. Encryption, both in transit and at rest, has emerged as the ubiquitous security method to this end. However, not all encryption approaches are equal.

The Core Question: Who Controls the Encryption Process?

Organizations face a critical question: whose encryption service should they use, and why? CSPs offer encryption services for data stored in their private or public clouds, and increasingly SaaS providers are extending their product offerings to include encryption. It is important to note that these encryption systems are not hosted by the client organization.

Alternative arm's-length approaches exist, one of which is self-hosting an encryption gateway. Choosing between a CSP or SaaS provider's encryption processes and a self-hosted encryption gateway hinges on understanding your regulatory and security needs within the context of how each approach works.

While each method has its merits, for organizations dealing with highly sensitive or regulated data, the answer may lie in self-hosting an encryption gateway. This blog aims to demystify integrated CSP and SaaS encryption approaches and provide reasons why self-hosting an encryption gateway may be the optimal solution when you cannot compromise on security for convenience.

Understanding Encryption

Encryption is the process of converting plaintext data into an unreadable format called ciphertext. Ciphertext can be decrypted back to plaintext by authorized parties using an encryption key. Encryption serves as a critical component of data security, particularly in cloud computing environments. By encrypting data, organizations can protect their sensitive information from unauthorized access and potential breaches.

Want to dive deeper into encryption? Head to our blog: Cloud Encryption Explained.

What is an Encryption Gateway?

An encryption gateway is a security layer that sits between an organization's users and external cloud services or applications. It acts as a protective barrier, encrypting sensitive data before it leaves the organization's environment destined for the cloud. The data is seamlessly decrypted as it passes back through the gateway when authorized users need to access it.

Cloud Service Provider-Managed Encryption: Convenience with Trade-offs

The fundamental differences between hosting an encryption gateway and utilizing the encryption services of CSPs and SaaS providers lie in where the encryption and decryption of data take place, who has access to the encryption keys, and who controls the encryption process. While cloud providers offer encryption services designed to simplify security for their customers, this convenience comes with significant trade-offs because of these differences.

Cloud provider encryption systems are undoubtedly convenient. However, this convenience is a double-edged sword. The cloud provider potentially retains access to the encryption keys and, at the very least, to the plaintext data. This access arises because the encryption happens after the data has left the customer's environment, exposing sensitive information in plaintext to the SaaS provider.

For organizations dealing with highly sensitive or regulated data, this approach is often unsuitable. The lack of control over the encryption process and the potential for unauthorized access to plaintext data can pose significant security and compliance risks.

Diagram of a cloud service provider encryption system

These services are offered by CSPs and SaaS providers in good faith to provide a level of protection. However, when a cloud service or SaaS provider controls the encryption process, it has the ability to decrypt the data back into plaintext, and that is where the security risks arise.

These risks primarily involve data sovereignty, residency, and privacy concerns. In some scenarios, SaaS providers' unrestricted access to sensitive information may violate cross-border data transfer regulations or breach access restrictions on regulated data. A common example of this occurs when technical support is provided by offshore employees of the SaaS vendor, potentially exposing sensitive data to individuals in external countries.

Reduced Oversight and Control

When organizations relinquish direct management of encryption system architecture and key management to cloud service providers, they face significant challenges in demonstrating regulatory compliance. This lack of control can hinder the implementation and verification of critical security measures, such as the principles of least privilege and separation of duty.

These essential controls, emphasized by NIST Special Publication 800-53, are crucial for mitigating unauthorized access and misuse of cryptographic keys. However, when relying on cloud provider-managed systems, organizations may find these controls conflicting with the provider's operational practices and difficult to monitor effectively.

To address concerns about bundled key management and encryption systems, many providers offer Bring Your Own Key (BYOK) options. While BYOK aims to create a separation between the provider's encryption processes and the customer's encryption keys, it often provides a false sense of security and control.

In reality, BYOK and external Key Management may not fully address the underlying issues of oversight and control that organizations face when outsourcing their encryption management.

The BYOK Illusion: A False Sense of Control

Cloud service and SaaS providers are aware of the growing demand for key separation as part of their encryption system offerings. Yet BYOK still suffers from two fundamental problems: either the SaaS provider has directly handled the keys, or, where external key management is used, it still controls the encryption and decryption of the plaintext data even though the keys are not stored in the SaaS platform. This access to the plaintext data is where the limitations of the capability are stark.

Defining the terms:

  •  BYOK: Useful where there is a lack of trust in the vendor to generate secure encryption keys. With BYOK, organizations generate their own encryption keys and share them with either the SaaS platform or an external key management system.
  •  External Key Management: This solves the "key separation" problem of storing encryption keys alongside the sensitive data in the SaaS platform. It does not, however, prevent the SaaS provider from decrypting sensitive or regulated customer data into plaintext. It merely stores the keys separately and provides access to either the keys or the encryption/decryption process when required.

Many SaaS BYOK systems require the encryption keys to be uploaded to the SaaS provider's infrastructure, with the provider still able to request access to the keys to decrypt the ciphertext. In these cases, organizations have forfeited control over the most important aspect of data security: controlling the decryption of sensitive data.

Issues that can be present with SaaS provider BYOK solutions:

  •  Key Duplication: Providers may keep copies of uploaded keys.
  •  Envelope Encryption: Customer keys encrypt intermediate keys managed by the provider.
  •  Transparent Encryption: Admins can access plaintext data.
  •  Provider-Held Master Keys: Customers upload keys, but control resides with the provider.
  •  Decryption for Processing: Applications decrypt data during use, exposing it to CSP systems.

Whilst BYOK and key management systems are useful and have strong security benefits, they do not prevent the SaaS provider from accessing the sensitive data in plaintext. The core issue is that the provider still maintains significant control over the encryption process and access to the plaintext data. This arrangement can undermine the security guarantees that customers expect from encryption and BYOK/key management.

The Risks of Relying on Cloud SaaS Providers' In-built Encryption Services

Organizations want to access all of the advantages the cloud has to offer, but the benefits often come at a cost to security and introduce several risks:

Limited control over encryption process: Organizations may not have full control over decryption of sensitive data, potentially compromising data security.

Data breaches: Misconfiguration in cloud settings or weak encryption practices can expose sensitive data to unauthorized users.

Lack of visibility: Organizations may have limited insight into the encryption processes and security measures implemented by the cloud provider, making monitoring, oversight and reporting difficult.

Insider threats and unauthorized access: Employees of the CSP or SaaS provider with access to the application/service could potentially have access to sensitive data or compromise data security.

Key management issues: Poor key management practices by the provider could lead to data loss or unauthorized access or make you non-compliant with some regulations.

Shared responsibility model confusion: Organizations may mistakenly assume that the cloud provider is solely responsible for all aspects of data security; this is not the case.

Compliance challenges: Regulatory requirements for data security and privacy may be difficult to meet when relying on a third party for encryption management.

Data sovereignty concerns: Access to the encryption process (even indirectly) by CSP or SaaS provider employees in different jurisdictions may complicate compliance with data protection regulations.

Data Sovereignty and Compliance Issues

When organizations rely on CSP/SaaS encryption systems, data sovereignty issues become increasingly complex. The global distribution of data centers across multiple jurisdictions makes it challenging to ensure data remains within specific geographical boundaries. Simply using a provider's encryption system may not sufficiently protect data if the plaintext remains accessible by the foreign service.

Consider a German company using a US-based SaaS provider as its CRM. Even if it utilizes the provider's encryption service, the data transfer across jurisdictional borders may still violate GDPR requirements. This scenario creates regulatory compliance issues and exposes the data to potential access by US agencies under the US CLOUD Act. Importantly, this risk persists even if the US company stores the data in a German data center.

This situation undermines core GDPR principles of data protection and privacy, making it difficult for organizations to demonstrate compliance when using non-EU based providers' encryption services, regardless of data center location. The Schrems II case, which invalidated the EU-US Privacy Shield, highlighted these concerns by demonstrating the incompatibility of US laws with EU data protection standards. This ruling extends beyond US-based companies, emphasizing the broader challenges of maintaining data sovereignty and compliance in our increasingly globalized digital economy.

Issues for Data Sovereignty Include:

Key control: In many cases, even with Bring Your Own Key (BYOK) options, the provider still maintains access (even indirectly via decryption requests) to encryption keys or intermediate keys, potentially exposing data to foreign laws and surveillance programs.

Legal compliance: Laws such as the US CLOUD Act can compel US-based providers to disclose data to US authorities, even if it's stored outside the US, conflicting with data protection laws in other regions like the EU's GDPR.

Data location uncertainty: The distributed nature of cloud architecture means users may not always know the exact location of their data including backups and archives, potentially leading to unintended violations of data sovereignty regulations.

Limited control: Organizations often relinquish direct control over data storage and processing practices when using these services, making it challenging to implement and demonstrate compliance with local data protection laws.

The Case For Hosting Your Own Encryption Gateway

For organizations prioritizing security above all else, self-hosting an encryption gateway emerges as the optimal approach for safeguarding sensitive data in cloud environments. Self-hosting an encryption gateway offers a formidable defense mechanism, creating a clear separation between your encryption system and external cloud and SaaS services.

This defense in depth approach provides organizations with complete ownership and control over their encryption system, including the critical aspects of key management, decryption of data and access control. While the prospect of self-hosting may initially seem daunting due to infrastructure considerations, especially when compared to the apparent simplicity of SaaS providers' built-in encryption, it becomes the clear choice when stringent security and data protection are non-negotiable. For organizations dealing with highly sensitive or regulated data, the additional effort is a small price to pay for the significant security and compliance benefits.

The deployment of an encryption gateway, such as StratoKey's Cloud Data Protection (CDP) gateway, within an organization's own environment is a game-changer. This crucial distinction ensures that even the SaaS provider has no access to plaintext data, dramatically reducing the risk of unauthorized access or data breaches. The operational flow of a self-hosted encryption gateway is both straightforward and highly effective. Residing within the organization's environment, it encrypts data before transmission to any SaaS provider. When authorized users require access, the gateway seamlessly (automatically) decrypts the data back to plaintext.

This approach ensures end-to-end protection (encryption) of sensitive information throughout its lifecycle, with the organization maintaining full control over encryption and decryption processes. By choosing to self-host an encryption gateway, organizations can achieve a level of data security and sovereignty that is simply not possible with provider-managed encryption services. This approach not only enhances protection against external threats but also provides the transparency and control necessary to meet stringent regulatory requirements and internal security policies.
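The outbound and inbound flow described above, as an added example that is not part of the original post and is not StratoKey's code: a hypothetical field-level gateway in Go that encrypts the policy-listed fields of a CRM record with AES-256-GCM under a key that never leaves the gateway process, so the SaaS provider only ever stores ciphertext, and decrypts those fields again on the way back to an authorized user. The record, the field policy, the key id and the key material are all constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// tokenPrefix marks a value the gateway has already encrypted, so the
// inbound path knows which values to decrypt.
const tokenPrefix = "enc:"

// Gateway is a hypothetical self-hosted field-level encryption gateway. The
// data encryption key exists only inside this process (hold your own key);
// the SaaS provider receives ciphertext for every field listed in the policy.
type Gateway struct {
	keyID     string
	aead      cipher.AEAD
	sensitive map[string]bool // hypothetical policy: field names to protect
}

// NewGateway wraps a 32-byte key in AES-256-GCM.
func NewGateway(keyID string, key []byte, sensitiveFields []string) (*Gateway, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	g := &Gateway{keyID: keyID, aead: aead, sensitive: map[string]bool{}}
	for _, f := range sensitiveFields { g.sensitive[f] = true }
	return g, nil
}

// seal encrypts one value under a fresh random nonce. The field name is bound
// as associated data, so a ciphertext copied into another field fails
// authentication on the way back instead of decrypting silently.
func (g *Gateway) seal(field, value string) (string, error) {
	nonce := make([]byte, g.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return "", err }
	ct := g.aead.Seal(nil, nonce, []byte(value), []byte(field))
	return tokenPrefix + g.keyID + ":" + base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// open reverses seal, checking the key id and the GCM authentication tag.
func (g *Gateway) open(field, token string) (string, error) {
	parts := strings.SplitN(strings.TrimPrefix(token, tokenPrefix), ":", 2)
	if len(parts) != 2 || parts[0] != g.keyID { return "", errors.New("token does not reference the gateway's key") }
	raw, err := base64.StdEncoding.DecodeString(parts[1])
	if err != nil { return "", err }
	ns := g.aead.NonceSize()
	if len(raw) < ns { return "", errors.New("token too short") }
	pt, err := g.aead.Open(nil, raw[:ns], raw[ns:], []byte(field))
	if err != nil { return "", err }
	return string(pt), nil
}

// Outbound runs on the path from the organisation to the SaaS provider:
// policy-listed fields leave as ciphertext, everything else passes through.
func (g *Gateway) Outbound(record []byte) ([]byte, error) {
	var rec map[string]string
	if err := json.Unmarshal(record, &rec); err != nil { return nil, err }
	for field, value := range rec {
		if !g.sensitive[field] { continue }
		token, err := g.seal(field, value)
		if err != nil { return nil, err }
		rec[field] = token
	}
	return json.Marshal(rec)
}

// Inbound runs on the path from the SaaS provider back to an authorized user:
// every value carrying the token prefix is decrypted in place.
func (g *Gateway) Inbound(record []byte) ([]byte, error) {
	var rec map[string]string
	if err := json.Unmarshal(record, &rec); err != nil { return nil, err }
	for field, value := range rec {
		if !strings.HasPrefix(value, tokenPrefix) { continue }
		plain, err := g.open(field, value)
		if err != nil { return nil, fmt.Errorf("field %q: %w", field, err) }
		rec[field] = plain
	}
	return json.Marshal(rec)
}

func main() {
	// Constructed demo key; a real deployment loads it from an HSM or local KMS.
	key := sha256.Sum256([]byte("constructed-demo-key-material"))
	g, err := NewGateway("key-2024-01", key[:], []string{"iban", "email"})
	if err != nil { panic(err) }
	// Constructed CRM record; only iban and email are classed as sensitive.
	record := []byte(`{"name":"Example Customer","iban":"DE00 0000 0000 0000 0000 00","email":"user@example.com","status":"open"}`)
	toSaaS, _ := g.Outbound(record)
	fmt.Println("what the SaaS provider stores:", string(toSaaS))
	back, _ := g.Inbound(toSaaS)
	fmt.Println("what an authorized user sees:", string(back))
}
```

Binding the field name as associated data means a token moved from one field to another is rejected on the inbound path rather than quietly decrypting, and the key id prefix lets the gateway rotate keys without guessing which key sealed a given value. In a real deployment the key comes from an HSM or a locally hosted KMS, and the gateway sits as a proxy on the path to the SaaS API rather than being called directly; the SaaS side never holds either the key or the plaintext of the protected fields.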

Diagram of self-hosting StratoKey's encryption gateway

Benefits of Self-Hosting an Encryption Gateway

Self-hosting provides several benefits that address the risks associated with using cloud service and SaaS providers' inbuilt encryption solutions:

Full control over encryption keys: Self-hosting allows you to hold your own key (HYOK): generate, store, and manage encryption keys within your own infrastructure or with a trusted provider, enhancing data security through separation and reducing the risk of unauthorized access. The keys are not accessible to the provider, which can assist with regulatory compliance and sovereignty requirements.

Enhanced data protection: By managing your own encryption processes, you do not have to compromise data protection practices and you reduce the risk of data breaches due to misconfiguration in cloud settings.

Flexibility: Many SaaS delivered encryption systems have strict limits on fields, workflows and integrations. Self hosted encryption gateways are not bound by those limitations and offer a much more configurable and flexible solution.

External service support via API: Built-in encryption API to integrate external services (instead of a "point solution") with encrypted content whilst maintaining control over the encryption process.

Greater control for compliance requirements: Self-hosting enables you to meet specific regulatory requirements for data residency, sovereignty, security and privacy with specific security controls.

Increased visibility: With a self-hosted solution, you gain complete insight into encryption processes and security measures, allowing for better monitoring and auditing.

Mitigation of threats: By limiting access to encryption keys and processes to your own trusted employees, you can separate duties accordingly and reduce the risk of unauthorized access by third-party service providers.

Shared responsibility: Self-hosting mitigates the risk inherent in the shared responsibility model, as your organization has the ability to control access and complement/harden SaaS application security.

Reduced provider lock-in: By using your own encryption methods and processes, you maintain flexibility to migrate data between different services or providers as needed.

Improved data sovereignty: Self-hosting allows you to keep keys and encryption processes within your preferred jurisdiction, simplifying compliance with data protection regulations.

Customization and integration: Self-hosted solutions offer greater flexibility for customizing encryption processes and integrating them with existing systems and workflows, which delivers organizational scalability for data security.

Cost control: While there may be upfront costs to implement, self-hosting can be more cost-effective, especially for organizations with high usage, many users or specific requirements.

Scalability: Self-hosted solutions can be scaled to accommodate growth, as you have control over the underlying infrastructure. Moreover, when you utilize multiple Cloud Services and SaaS providers you can have a central system that can be used across products.

How to Choose the Right Encryption Approach For Your Organization

When evaluating self-hosted solutions versus CSP/SaaS encryption services, consider:

  •  Cost Analysis: While initial setup costs may be higher for self-hosting, long-term expenses can be lower due to reduced reliance on large cloud services. Increasingly large SaaS providers are charging their encryption services at a premium, relying on your desire for simplicity and the deterrent of switching costs.
  •  Regulatory Requirements: Different jurisdictions and industries have specific data protection laws and compliance standards. Self-hosted encryption gateways often provide greater control over data sovereignty and compliance with regulations like CMMC, ITAR, HIPAA, or GDPR, while SaaS or cloud providers' inbuilt solutions may present challenges in demonstrating compliance, especially when data crosses jurisdictional boundaries. Organizations in highly regulated sectors may prefer self-hosted solutions to ensure strict adherence to data governance frameworks and maintain full control over sensitive information.
  •  Flexibility: The ability to scale the encryption services for more than a single SaaS application. The harmonization of encrypted content between different systems, and the ability to avoid artificially limiting choice around integrations, data movements between systems and data storage providers such as data lakes.

StratoKey: A Leading Cloud Data Protection Gateway Provider

For organizations looking to enhance their cloud security, StratoKey offers a powerful Cloud Data Protection Gateway that combines encryption and tokenization for popular SaaS and cloud services like NetSuite, Salesforce, Jira, Confluence, and ServiceNow (plus many more). The solution is hosted by you and lets you keep your sensitive data within your local environment while securely substituting it and transmitting it to cloud services and SaaS applications as tokens or in encrypted form.

StratoKey provides CASB with Encryption, Monitoring, Analytics and Defensive (EMAD™) capabilities, layering defense in depth through access controls, audit logs, and monitoring systems to ensure that only authorized personnel in chosen locations can access sensitive data.

By leveraging StratoKey's platform, organizations can implement a comprehensive data protection and encryption strategy that does not hinder your use of cloud and SaaS applications. This approach not only enhances security but also helps organizations navigate the complexities of data governance in a global context.

Conclusion

Self-hosting an encryption gateway represents the best path for organizations prioritizing data security, compliance, and data sovereignty. By maintaining full control over encryption through hosting your own encryption gateway, organizations mitigate the risks associated with CSP and SaaS-managed systems and retain greater control over their sensitive data.

To learn more about how StratoKey can help secure your cloud environment, please contact us or download the StratoKey White Paper.