
Why BYOK does not solve the problems you were led to believe it solves

Working in the security industry, we regularly find ourselves in conversations about how BYOK (Bring Your Own Key) can help solve security concerns around data confidentiality, compliance, protection from espionage, and much more.

However, it is most often the case that BYOK does not and cannot solve the problems that people are led or misled to believe it does.

This post is an attempt to address some of these misunderstandings.

First, we need to establish the vocabulary. BYOK is short for Bring Your Own Key, which means the customer provides a data encryption key to the service provider, and the service provider then holds and uses this key for some security function in relation to providing the service to the customer.

Stated this plainly, it should already be clear that there are a great many problems this scheme does not solve, because the service provider holds a copy of the key.

Another key acronym in security is MFA, or Multi-Factor Authentication. MFA requires that the customer does not just log in using a username and password, but that at least one more factor is provided, which could be a time-based code the user can read from a device only the user possesses. In a sense, this is unrelated to BYOK, but as we shall see, MFA is often the actual working solution to problems believed to be addressed by BYOK.

With that out of the way, let’s look at a few common myths of what BYOK brings to the table then go through why this is not actually the case:

Myth #1: BYOK protects my data in case my account gets compromised.

That would be lovely, but this is not the case at all. First of all, the data encryption key is online all the time. This is a necessary condition for the service to be available and online because what good would your cloud service be if data wasn’t accessible? So, your key is online and now your account gets compromised. An attacker successfully poses as you, so naturally, all data is available to the attacker just as it would be to you, BYOK or not.

Myth #2: In case of compromise, revoking my key renders data unreadable.

This is wishful thinking, unfortunately, and for reasons you may not expect. On commonly available BYOK platforms (AWS, to name one), the key you bring is not even used for the actual data encryption. Since the service provider cannot trust that a customer can competently generate a strong key, the service provider uses its own key for the actual data encryption.

That provider key may then be encrypted with another key, and finally this package can be encrypted with the actual customer-supplied key. What this means is that the customer has some degree of control over one of the keys used to encrypt a ‘key package’, which may be used in concert with the encrypted data during, for example, a bulk transfer between regions. But this is a very niche use. In day-to-day operations, on the most well-established BYOK-enabled platforms in the world today, the customer-supplied key plays NO role in the encryption of the customer data.

The customer can lose the key, revoke the key, modify the key, get the key stolen, have the key tampered with, or all of the above, leaving the day-to-day operations of the service absolutely and completely unaffected because the customer-supplied key plays no role in day-to-day operations. This is not a ‘dirty secret’ in any way; this is well documented in publicly available descriptions of these systems.
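To make the key hierarchy above concrete, here is an added Go sketch (not the post's code and not any provider's implementation) of a BYOK-style service: a provider-generated DEK encrypts objects and stays online, while the customer-supplied key only wraps that DEK into a key package. The `Provider` type, its methods and the sample key and record are all constructed for this illustration; it uses AES-256-GCM from the Go standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Provider models a BYOK-enabled service as described in the post: the
// provider's own DEK does the bulk encryption and is always online, while the
// customer-supplied key only wraps the DEK into a "key package".
type Provider struct {
	dek        []byte            // provider-generated data encryption key
	keyPackage []byte            // DEK wrapped under the customer-supplied key
	objects    map[string][]byte // ciphertext per object name
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-GCM and prefixes the random nonce to the output.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a wrong key fails GCM authentication and returns an error.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// NewProvider onboards a customer key: the provider generates its own DEK
// (it does not trust the customer key for bulk encryption) and merely wraps it.
func NewProvider(customerKey []byte) (*Provider, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	pkg, err := seal(customerKey, dek)
	if err != nil {
		return nil, err
	}
	return &Provider{dek: dek, keyPackage: pkg, objects: map[string][]byte{}}, nil
}

// Put and Get are the day-to-day path: only the provider's online DEK is used,
// so whoever is authenticated as the customer reads plaintext, BYOK or not.
func (p *Provider) Put(name string, data []byte) error {
	ct, err := seal(p.dek, data)
	if err != nil {
		return err
	}
	p.objects[name] = ct
	return nil
}

func (p *Provider) Get(name string) ([]byte, error) {
	ct, ok := p.objects[name]
	if !ok {
		return nil, errors.New("no such object")
	}
	return open(p.dek, ct)
}

// UnwrapKeyPackage is the niche path (e.g. a bulk transfer between regions)
// where the customer key is actually needed to recover the DEK from the package.
func (p *Provider) UnwrapKeyPackage(customerKey []byte) ([]byte, error) {
	return open(customerKey, p.keyPackage)
}

func main() {
	customerKey := make([]byte, 32) // constructed demo key standing in for a customer KMS/HSM key
	rand.Read(customerKey)
	p, _ := NewProvider(customerKey)
	_ = p.Put("payroll.csv", []byte("constructed sample record"))
	// The customer now "revokes" the key: the provider's online DEK is untouched.
	got, err := p.Get("payroll.csv")
	fmt.Printf("Get after revocation: %q err=%v\n", got, err)
	_, err = p.UnwrapKeyPackage(make([]byte, 32)) // a wrong or zeroed key fails only this path
	fmt.Println("unwrap with wrong customer key fails:", err != nil)
}
```

Revoking or losing the customer key only breaks `UnwrapKeyPackage`; `Get` keeps returning plaintext because the DEK was never derived from the customer key.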

The only realistic protection against account compromise is MFA. You can only do so much to make it more difficult for an attacker to compromise your account. That’s why you need to realize that when your account is compromised, someone can actually pose as you, and do what you can do. Cryptography cannot help you at this point.

Myth #3: If the service provider is compromised, I can revoke the key.

By now we know your key isn’t used for actual data encryption. But for argument’s sake, let’s play along and pretend it actually is (but it really isn’t). This means the service provider is encrypting data using the customer-supplied key, of which they hold a copy; otherwise, they couldn’t use it.

Now, what happens if the service provider is compromised? Let’s say that either an attacker gains full control of the service provider platform or the government under which the provider operates seizes their systems. Well, the key is being used by the service provider for data encryption and decryption, so obviously the key is available there in one form or another. In other words, what the customer does with their copy of the key has no bearing on the copy that is available in the hands of the service provider or whoever now controls their platform.

Realistic protections here are along the lines of choosing the region in which the service is provided carefully and ensuring the service provider implements a mature information security management system.

As renowned cryptographer Bruce Schneier famously said, ‘If you believe cryptography solves your problem, then either you do not understand your problem or you do not understand cryptography.’

There is a lot of truth in this statement. It does not mean that cryptography does not play an important role in solving security challenges, but it does underline that simple encryption in isolation does not solve the challenges we are facing.

BYOK is no silver bullet. In fact, it is very often not even helpful. Further, if the employment of BYOK delays initiatives to seriously implement MFA or other effective security mechanisms, then BYOK may be outright harmful to the overall security posture of your organization.

I hope this short write-up helps bring clarity to an area of information security that is too often not discussed in detail or even widely understood.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Keepit

At Keepit, we believe in a digital future where all software is delivered as a service. Keepit’s mission is to protect data in the cloud. Keepit is a software company specializing in cloud-to-cloud data backup and recovery. Drawing on more than 20 years of experience in building best-in-class data protection and hosting services, Keepit is pioneering the way to secure and protect cloud data at scale.

Data Compliance Makes Third-Party Security a Must

The very mention of data governance and compliance can send shivers down the spines of corporate IT professionals, particularly for those who recognize they aren’t ready to handle a major data breach or other situation that compromises mission-critical data.

The increased focus on data compliance creates even more headaches as state and federal regulations are constantly changing, adding more pressure to comply as a means to avoid a regulatory audit and the unpredictability of a public relations nightmare.

So, why is regulatory compliance so important?

The answers can vary from company to company, but protecting mission-critical data is necessary for business continuity, and failure to comply can lead to financial and legal exposure such as lawsuits, fines, settlements, certification losses, and data breaches. Some estimates say compliance failures cost businesses nearly $1.5 billion annually, and growing.

If you believe data compliance won’t adversely affect your company, look at these real-world examples of what can happen:

  • Target Corporation agreed to an $18.5 million settlement with 47 states for its 2013 holiday data breach where cybercriminals stole $40 million in credit and debit records.
  • Uber’s sub-par handling of its 2016 data breach that impacted 57 million rider and driver accounts cost the company almost $150 million.
  • Equifax lost over $575 million in 2017 when it failed to fix a critical vulnerability that compromised the financial and personal information of over 150 million individuals.
  • Marriott International received a $124 million fine from the General Data Protection Agency in 2018 when a cyber incident dating back to 2014 containing over 338 million guest records came to light.

The Solution? Deploy a Third-Party Cloud Backup Service

For companies committed to minimizing or avoiding these risks, it pays to be nimble and prepared, particularly since data backup and recovery are so inextricably linked to compliance. Think, for example, how difficult it would be to pass an audit with missing data.

So, who is ultimately responsible for data backup and recovery? If you believe it’s your cloud service provider, think again. You may be surprised to learn that most SaaS vendors don’t automatically back up data for long periods and lack critical, built-in security measures to protect data. While they may be able to back up some of your data during a breach incident, most lack the ability to quickly and easily recover your data and make it immediately accessible.

That’s why third-party backup and recovery services like Keepit are your best bet to ensure business continuity, stay in compliance, and keep costs predictable.

Part of what makes Keepit’s backup and recovery solution so effective is how we deploy blockchain technology, which makes it possible to achieve data immutability to meet increasing compliance standards without having costs skyrocket.

Blockchain has gained market familiarity and acceptance through cryptocurrencies like Bitcoin and Ethereum because its hashing technology helps improve transparency and data security around distributed transactions.

One of blockchain’s drawbacks in cryptocurrency, however, is authentication, which is slow and resource-intensive. Keepit’s solution, on the other hand, features all the benefits of blockchain technology but is fast and doesn’t consume expensive resources. This, in turn, makes achieving compliance much easier and more convenient.

How to Increase Your Focus on Compliance

So, what’s the fastest and most cost-effective third-party data protection your company can deploy? Enter the Keepit cloud.

Because it is built on secure, blockchain-verified technology, Keepit ensures data remains immutable and tamperproof – always. This is important for compliance because with immutable data and metadata, it’s possible to document and recover not just all data but all data processing, further ensuring that auditors have full visibility of everything that has impacted the data.

Learn more about how Keepit can help your company quickly recover from any data loss event – even ransomware attacks – to keep your company’s data always secure, always available, and always compliant with the latest regulations.

Keepit is a dedicated backup and recovery service providing your company with secure cloud data backup for the core SaaS applications, including Microsoft 365, Salesforce, and Google Workspace.


“When it comes to ransomware attacks, it’s a matter of when, not if.”

Ransomware attacks are on the rise — in the first half of 2021, the average amount paid by organizations to perpetrators was $570,000, an increase of 171% over the previous year. (1)

Last year also saw a 93% increase in the overall number of ransomware attacks (2) – a trend that is only likely to continue. While such attacks were once limited to outlandish movie plots, they’ve become an all-too-real problem for organizations of all sizes. In fact, when it comes to ransomware attacks, it’s more likely to be a question of when, not if.

Our concern at Keepit is that the regularity of ransomware attacks may lead to them eventually being dismissed as just a cost of doing business. But by choosing to pay the ransoms demanded, companies are powering a vicious cycle where the proceeds fuel increased cybercrime. (And paying a ransom does not guarantee getting your data back, as documented in the report ‘The Long Road Ahead to Ransomware Preparedness’ from ESG.)

It’s vital for the sake of commerce – and for society – that companies, governments, and law enforcement agencies come together to find long-term solutions to ransomware attacks.

In the short term, we encourage companies to invest in a third-party backup and recovery service to minimize the threat posed by malware that encrypts your data. The more secure your data is—and the quicker you’re able to recover it—the less worried you need to be about ransomware attacks.

At best, an attack won’t affect business continuity – it’ll just be a nuisance rather than a crisis. If you know your data is safe, you don’t have to pay the bad guys’ ransom. Problem solved.

Summing Up 

The disruptive power of ransomware attacks in 2022

An increasingly common threat, ransomware attacks are forecast to cost victims around $265 billion annually by 2031. (3) With conventional data recovery times often taking weeks or even months, the disruption to companies can be catastrophic in terms of financial costs to your business. But the damage goes beyond the bottom line. Additional impacts of ransomware attacks in 2022 are likely to include:

  • Intellectual property cost – temporary or permanent loss of sensitive or proprietary information can be enormously damaging.
  • Business continuity – disruption is frustrating and costly as companies struggle to restore data and operations.
  • Reputational cost – a ransomware attack can damage customer perception of the company and impact digital trust.

Why Keepit is the answer

Keepit backs up to an independent cloud, separate from your SaaS vendor’s environment, which means your data can be accessed completely independent from SaaS application availability. True backup—immutable and tamperproof on a separate logical infrastructure — is your answer to ransomware attacks. 

For more details about Keepit’s dedicated SaaS data protection, read about our security on our website.

References

  1. Average Ransomware Payment Hits $570,000 in H1 2021, Dark Reading. Research from Palo Alto suggests the average ransom in the first half of 2021 was $570,000 USD, an increase of 171% over the year prior.
  2. Ransomware attacks increase dramatically during 2021, Computer Weekly. Research from Check Point reports that ransomware incidents increased 93% year over year.
  3. Cybersecurity Ventures, https://cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-reach-250-billion-usd-by-2031/


Why You Need Backup for Google Workspace

The top 3 misconceptions made by Google Workspace admins

If you’re wondering, “Is my data truly protected by relying only on Google Workspace’s default backup and recovery solution?”, then you’re in the right place. Cloud applications like Google Workspace are an integral part of our daily life – we push data to the cloud constantly. I do it when I send an email on Gmail, share a document with coworkers via Drive, or add my mother-in-law’s birthday to my Google Calendar (better not forget it again!).

But is relying on Google’s default data protection enough? What are the main misconceptions when it comes to Google Workspace data backup and recovery?

Misconception #1: Relying on Google Workspace’s default data protection is enough

If you think Google Workspace is a secure platform, you’re right: Google’s platform is a secure, resilient, and reliable solution, and protecting data is their top priority.

While Google will likely never lose the data you are storing on their platform, they do not cover you if the data loss happens from your side. Google’s default data protection does not protect you against human error, malicious actions, ransomware and hackers, or synchronization errors. You are responsible for ensuring the necessary protection of your data.

Based on an Enterprise Strategy Group (ESG) survey, only 13% of the businesses surveyed understood that protecting their SaaS data is their responsibility, not the responsibility of the SaaS vendor.

According to ESG SaaS data protection research, 45% of organizations using SaaS attribute data losses they’ve experienced to deletion, whether accidental or malicious. When this happens with Google Workspace, Google is not able to identify whether the deletion was intentional or not. The data will be deleted and totally unrecoverable once past the Google Workspace trash bin’s retention time, a mere 30 days later.

You need a solid backup and recovery solution for your Google Workspace.

Misconception #2: I don’t need a third-party backup and recovery solution, I have Google Vault

As a subscribed user to certain editions of Google Workspace, you have access to Google’s retention and eDiscovery tool: Google Vault. With Vault, you can retain, hold, search, and export some users’ Google Workspace data.

Yet, Google Vault is not a backup tool. To this frequently asked question, “Is Vault a data backup or archive tool?” Google itself answers, “No. Vault isn’t designed to be a backup or archive tool.”

Based on Google’s own support website, here are reasons why you shouldn’t use Google Vault for backups:

  • Vault exports aren’t designed for large-scale or high-volume data backups. You can export data for a limited number of accounts and only for one Google service at a time. Vault also doesn’t allow many parallel exports or scheduling automatic exports.
  • Vault exports are prepared for legal discovery purposes, not efficient data processing. Vault can’t create differential backups or deduplicate data. For example, a Drive export includes all items the searched account has access to. When many accounts have access to the same items, they’re exported for each account, resulting in lots of duplicated data.
  • Vault doesn’t support all Google services. Vault can export data only from supported Google services. Vault doesn’t support services such as Calendar for instance.
  • Restoring data from Vault export files is hard. Vault doesn’t have any automated recovery tools.

Google Vault is not designed to recover lost or corrupted data and it cannot perform a which is a critical feature of any third-party backup and recovery tool.

Additionally, Google Vault does not keep ex-users’ data. For example, if an employee departs from your company and, as the admin, you delete their Google Workspace user account, all of their data held in Vault will also be deleted. To keep that data, you would need to transfer all of the employee’s data out of Vault before deleting the account.

Misconception #3: A third-party tool can only help with backup data

By now, you know that backing up your Google Workspace data is your responsibility, not Google’s. It’s a common misconception that third-party backup solutions are a cost center purely performing secure backup and allowing for data recovery. These are the fundamentals, but there’s much more to it:

Benefit #1 – Cost savings

Budget constraints are making it harder than ever for IT managers to implement new IT initiatives – they need to do more with less and maximize available resources.

Of course, deploying a backup and recovery solution for your SaaS applications comes with a cost, yet there are important (and substantial) cost-savings opportunities.

The first is through reduced SaaS licensing fees. Based on a recent Total Economic Impact report done by Forrester, companies save on months of SaaS licensing fees for employees who leave the organization – or around 10% of the workforce per year. This number can be much higher if organizations use a lot of temporary staff or contractors. Having all historical data available simplifies data management and employee onboarding and offboarding.

The second is reduced auditing and legal costs. In the same TEI report, one of the organizations surveyed shared that seven days of auditor and lawyer costs are avoided each year by having SaaS data availability.

Benefit #2 – Regulatory compliance

Handling sensitive data is subject to stringent record retention and data reproduction requirements for all public records. With a proper backup and recovery solution, you can expect to:

  • Fast information discovery
  • Easy retention policy management
  • Additional rights to ensure compliance with applicable outsourcing regulatory requirements (e.g., extended audit rights, chain-sourcing approval rights)

In addition, the data center facilities used to store the data have high physical security standards and certifications (ISO 27001, SOC 2, ISAE 3402, PCI DSS, HIPAA). It is important that you ask your vendor what they offer regarding regulatory compliance and data center certifications when investigating which tool to deploy.

Benefit #3 – Real disaster recovery

Third-party backup and recovery solutions must (not should) allow you to perform disaster recovery. The shortlist of important points to look for when selecting your solution:

  • Data availability: Get access to all your data, at any time, from anywhere. A proper backup solution provides you with unlimited storage, is cloud-based so you can always access your data, and it should reside on its own cloud for enhanced security and control.
  • Hot storage of data: Get your data on demand
  • Quick restore options for data: Restore fast, whether it’s a single email or an entire point-in-time backup for your organization
  • On-the-go backup status monitor: Get updated with a mobile admin app

Keepit Backup and Recovery for Google Workspace

Keepit for Google Workspace is the world’s only independent cloud dedicated to backup and recovery. It is easy to use and keeps your Google Workspace data highly secure, always available, and instantly restorable.

Keep your data available 24/7 with automatic backup and unlimited storage

Quickly find and restore data, whether you want to restore one single email or an entire snapshot for your organization.

Easy to set up, easy to use, easy to scale

Keepit is a set-and-forget installation that is easy to use: No training needed. You can integrate it with your existing system thanks to our API-first approach. No hidden fees, no surprises, and 24/7 support.

Choose the world’s only independent cloud for immutable data

Security is in our DNA. Once your data is backed up with Keepit, it is made immutable and undeletable thanks to blockchain-verified technology. It is a priority for us to provide you with excellent reliability, great backup and restore performance, instant access to individual files, multi-factor authentication, and data encryption at rest and in transit.

Learn more on our Google Workspace backup and recovery


Fast and Simple eDiscovery with Backup and Recovery

What is eDiscovery?

Electronic discovery (sometimes known as eDiscovery, e-discovery) is one of those terms that means slightly different things in different contexts. 

For example, in legal spheres, eDiscovery involves identifying, preserving, collecting, processing, reviewing, and analyzing electronically stored information (ESI). The term also shows up in digital forensics, which focuses on identifying, preserving, collecting, analyzing, and reporting on digital information—clearly very similar, but not quite equivalent. 

In general, eDiscovery is the electronic aspect of identifying, collecting, and producing electronically stored information, such as emails, documents, databases, audio, and video files, and also includes metadata such as time-date stamps, file properties, and author and recipient information. In other words—regardless of the specific driving need—eDiscovery refers to finding and retrieving electronically stored ‘stuff’. 

Sounds easy enough, right? But as anyone who’s performed eDiscovery knows, today’s information-enabled organizations produce an awful lot of that stuff. In fact, the tendency for every single action we take to produce a digital trail led public-interest technologist Bruce Schneier to observe that “data is the exhaust of the information age” [Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World, pg. 4].

Consequently, the sheer volume of electronically stored information makes eDiscovery a logistical challenge. Now, add in the time-specific nature of many requests—as in, needing to retrieve a file or record as it existed at a certain time on a certain date, a certain number of years ago—and the challenge becomes even greater. 

Beyond backup: enabling quick and simple eDiscovery

While the retention utilities included with software-as-a-service (SaaS) applications and cloud services may be adequate for retrieving something that’s a few weeks old, they certainly aren’t intended to provide—nor are they capable of providing—a substitute for long-term backup and the use cases it enables, including disaster recovery and eDiscovery.

To be resilient in the face of outages, compromises, and misconfigurations (or simply to find a crucial piece of information), your organization needs to be able to search and access SaaS and cloud data quickly and easily. Imagine the difference between a recovery mission aided by coordinates and a map versus a vague notion that someone is somewhere. 

Fortunately, with the right backup solution in place, eDiscovery really can be a breeze. Let’s look at a real-world example. 

ALPLA’s experience

With around 22,000 employees across 45 countries, ALPLA is one of the world’s leading manufacturers of high-quality plastic packaging.

The company’s rapid global expansion and cloud migration required an agile Microsoft 365 backup and recovery solution that could meet ALPLA’s need for 10-year data retention, and Keepit is proud to fulfill this need.

With other solutions, finding the right data to restore can be a tedious task, especially when very little information is provided by users—but Keepit’s unique and intelligent search features make it easy. In the words of Stefan Toefferl, Senior Data Center Engineer at ALPLA: “Keepit provides search filters that make eDiscovery simple, allowing us to quickly find and restore an exact file.”

One of the features most valued by ALPLA is the option to share a secure link to download a file, quickly getting the data back to the users. It’s features like Public Links (see the 40-second demo video) that make Keepit more than just an ordinary backup and help our customers become more efficient in their daily IT operations. Read more about the ALPLA customer case here.

Risk management in the digital age

The nature of backup and restoration is that you often don’t know when something might be needed: unexpected audits, legal discovery, cybersecurity incidents, or even an employee needing to recover something that they deleted years ago—these can all happen at any time.

That’s why truly managing risk requires a third-party backup solution that: 

  • Protects users and groups by providing snapshot-based restoration and timeline-based comparative analysis 
  • Preserves roles and permissions, with change tracking and straightforward comparisons 
  • Enables compliance and eDiscovery, for instance by capturing audit and sign-in logs, supporting log analysis, ensuring long-term retention, and enabling restoration to another site 
  • Accommodates growth into policies and devices by preserving device information and conditional access policies 

To help enterprises avoid disruption due to lost or inaccessible SaaS data, Keepit has architected a dedicated, vendor-neutral SaaS data backup solution that is resilient, secure, and easy to use.

You can see Keepit in action on our YouTube channel, or head to our services page to learn more about what we offer.  

