At the cloud product layer, data security is mainly embodied in products' security features, such as end-to-end data encryption, backup, and verification of cloud products. Among these, end-to-end data encryption is a best practice in the field of data encryption protection. End-to-end data encryption provides advanced data encryption capabilities on transmission links (i.e. data-in-motion), compute nodes (i.e. data-in-use), and storage nodes (i.e. data-at-rest). For encryption in storage nodes, cloud services can be integrated with Alibaba Cloud's Key Management Service (KMS) to offer data-at-rest encryption with Customer Managed Keys.
Alibaba Cloud now lets you bring your own keys (BYOK) to KMS. Users can upload key materials securely (BYOK) to KMS, and use that to secure their cloud assets in services that are integrated in KMS. This feature, together with products like VPN Gateway and SGX protected ECS servers, help to provide users with comprehensive end-to-end data encryption.
What Is BYOK Encryption?
A BYOK model allows you to generate your own encryption keys materials and to upload the self-generated keys to your Key Management Service (KMS) on the cloud, thus giving you full control over the lifecycle of the uploaded keys. This provides your organization with continuous ownership and better control of how data are encrypted. BYOK is ideal for organizations who already have their own hardware security module (HSM) or key management system (KMS), and would like to have full control of how the keys are being generated.
Some users, especially smaller businesses, may be prefer having a cloud provider managing all aspects of data encryption for information stored on the cloud, and they can generate their own customer master key (CMK) on Alibaba Cloud's KMS and have control over the lifecycle of the CMKs in a similar fashion as keys being uploaded via the BYOK function. Medium and large businesses, especially for those with complex organizational structures and who are subject to strict regulations on data privacy requirements, can benefit from using BYOK services.
Introducing Alibaba Cloud BYOK
Alibaba Cloud now supports both "Bring Your Own Key" (BYOK) and customer managed keys, helping you protect highly sensitive workloads while giving you greater control over the lifecycle and durability of your keys. Alibaba Cloud BYOK is a security feature that protects customers' data-at-rest by providing encryption controls and transparency to customers, on top of the holistic data protection for in-transit and in-compute already provided on our cloud architecture. The new BYOK feature now supports Alibaba Cloud Elastic Compute Service (ECS) Cloud Disks, Object Storage Service (OSS) and ApsaraDB for RDS instances.
Note: At the time of writing, the BYOK function for ECS cloud disks is only available in Singapore, HK, and Shanghai regions. The BYOK feature supports RDS for MySQL versions 5.6 and 5.7, and is still in beta release.
An OSS Example: How to Use Alibaba Cloud BYOK?
Protecting static data with server-side encryption (SSE) means that when data is stored to a disk in a data center, the data is encrypted at the object level and is automatically decrypted when the data is accessed. Users only need to verify that the request has access. Currently, Alibaba Cloud OSS supports the following server-side encryption methods:
Note: You cannot apply two different types of server-side encryption to the same object at the same time.
For server-side encryption using a CMK (SSE-KMS), a CMK can be generated in the following methods:
The following table shows the logic of SSE-KMS.
Server-side encryption using a CMK specified by the user (SSE-KMS): In this method, OSS generates an individual key to encrypt each object by using the specified CMK. You can use the BYOK material of the user as the CMK.
You can import your BYOK material into KMS as the CMK as follows:
To learn more about BYOK on OSS, visit https://www.alibabacloud.com/help/doc-detail/31871.html
Alibaba Clouder - July 3, 2019
Alibaba Clouder - May 29, 2019
Alibaba Clouder - May 28, 2019
Alibaba Clouder - May 30, 2019
Alibaba Clouder - March 30, 2021
Alibaba Cloud MaxCompute - March 2, 2020
An industry-standard hardware security module (HSMs) deployed on Alibaba Cloud.Learn More
This comprehensive one-stop solution helps you unify data assets, create, and manage data intelligence within your organization to empower innovation.Learn More
This solution helps you easily build a robust data security framework to safeguard your data assets throughout the data security lifecycle with ensured confidentiality, integrity, and availability of your data.Learn More
Create, delete and manage encryption keys with Alibaba Cloud Key Management ServiceLearn More
More Posts by Alibaba Clouder