Are You A SaaS Provider with Customers Demanding "Bring Your Own Key," "Hold your own key," or More?

zak pellecchia fortanix
Zak Pellechia
Published:Jan 5, 2024
Reading Time:3min
byok hyok

Active collaboration is the backbone behind the art of delivering successful SaaS services. However, most SaaS providers work with third parties to spin their magic—and behind this thriving collaboration lies the lurking risk of third-party data leaks. Take for instance the recent Facebook-Cambridge Analytica data leak and the third-party leak of Morgan Stanley data that incurred a $60 million fine.

However, if or when a leak happens, somehow, despite all the legal wording and contracts, the first party that owns or created the data is still being held liable. If you are a SaaS provider increasingly looking for greater control over the data and keys, then capabilities like Bring Your Own Key (BYOK) and Hold Your Own Key (HYOK) can mitigate some of these risks.

How Fortanix Helps?

Fortanix offers a REST API First, Multi-tenant Hyperscale KMS/HSM, creating the ability for a third party to resell or use the first party's existing Fortanix account to provide customers with their own SaaS KMS to support data sharing needs. Each customer will be able to integrate with their own SSO and 2FA tools. This solution provides different management options based on the business need and customer requirement, as listed below. But the real benefit is that the API calls to Fortanix never change, no matter which options your customer wants support for.

  • Managed KMS/HSM -FIPS 140-2 Level 3 support-For customers who don’t want to manage it themselves, it's managed by a third party.
  • Managed KMS/HMS + Bring Your Own Key (BYOK) - FIPS 140-2 Level 3 support. For customers who don’t want to manage it themselves but want to upload their own key material in a secure portal, managed by a third party.
  • Secure KMS/HSM + HOLD/Manage your own Keys - FIPS 140-2 Level 3 support for customers who want to control or enable/disable their own key to revoke access to data.
  • Secure KMS/HSM + BYOK + HOLD/Manage your own Keys - FIPS 140-2 Level 3 support for customers who want to control or enable/disable their own imported key to revoke access to data.
  • Tokenization of data - This adds another layer of security by ensuring that Sensitive Data is NEVER in the clear but allows third parties to use non-sensitive data to run AI/ML and other analytics on the data.

“No Code” change deployment options for AWS and GCP

Some of these options may require code changes, but there are also NO-CODE changes that can be implemented in minutes if you’re utilizing AWS and GCP today.

  • Dedicated Account/Project per Customer - Each customer gets a dedicated account with dedicated services. Fortanix offers two options: using Cloud Data Control (A unified interface for consistent data management across hybrid multicloud) to manage all keys remotely OR a more secure option using a KMS Wrapping key that maps 1 to 1 to a GCP/AWS KMS Key. When the customer disables the Fortanix key, the key in AWS/GCP KMS is left inaccessible, and that cannot be reverted from inside AWS or GCP.
  • Dedicated Services per Customer - One account/project with multiple customers, each with their own database, S3 bucket, and other services. Like option 1, Fortanix can implement this with a KMS Wrapping key that maps 1 to 1 to a GCP/AWS KMS Key. When the customer disables the Fortanix key, the key in AWS/GCP KMS is left inaccessible and cannot be reverted from inside AWS or GCP.

For AWS/GCP/Azure services with mixed customer data, Fortanix also provides Tokenization as an additional security layer, but this will require code changes.

Fortanix has been working with some of the leading brands across the globe to help minimize expensive data breaches and accelerate regulatory compliance with a data-first approach to cybersecurity. Reach out to us at sales@fortanix.com

Share this post: