Bring your own key (BYOK) best practices
Bring your own key (BYOK) with Clumio can increase security control and transparency in two key ways:
- Provides a clear audit trail of key use
- Provides the ability to revoke access and render data unreadable
The decision to use BYOK should be carefully considered as there are negatives as well. Backups should be treated as an "out of band" copy of data that allows for recovery in the most drastic of cyber attack situations. When using BYOK, if the key(s) is not stored in an account that provides protection against rogue employees or advanced persistent threats, the integrity of the backup could be impacted by deletion of the key.
To limit the risk of key deletion we recommend taking the following actions:
- Develop clear threat models to understand the impact of a compromise of your AWS accounts
- Understand which accounts, credentials, and other access methods would result in the ability to impact KMS keys.
- Develop an out-of-band security strategy to protect integrity of data and keys.
If the advantages of BYOK outweigh the disadvantages, Clumio recommends the following actions be taken:
Minimum recommendations
- Follow the security maturity AWS model architecture. Ensure security services are stored in a separate organizational unit (OU) with separate accounts per function.
See: https://docs.aws.amazon.com/prescriptive-guidance/latest/strategy-accelerating-security-maturity/choosing-a-security-model.html - Ensure the principle of least privilege is enforced across the organization.
- Develop and execute an AWS zero trust strategy.
- Ensure impact to compromised credentials of business services admins, devops, infrastructure managers can not lead to compromise of backup KMS keys.
High security recommendations
- Develop an out-of-band AWS org and account method with no cross over controls to primary operating domain to store critical incident response services and KMS keys
- Provision and manage KMS keys for backups separately from production keys.
- Ensure impact to compromised credentials of business services admins, devops, infrastructure managers can not lead to compromise of backup KMS keys.
Note: When using BYOK, the integrity of backups is only as secure as your key management and security procedures.
Contact [email protected] with any questions or concerns.
Updated 9 months ago