TalksAWS re:Invent 2025 - BYOK: The Key to Meeting Enterprise SaaS Security Demands (ISV405)

AWS re:Invent 2025 - BYOK: The Key to Meeting Enterprise SaaS Security Demands (ISV405)

Securing Customer Data with Bring Your Own Key (BYOK) in SaaS Applications

Importance of Customer-Controlled Encryption Keys

  • Customers expect their data to be protected by keys they control, not just encrypted data
  • This is a critical requirement for enterprises adopting SaaS solutions
  • Provides customers with transparency, control, and compliance assurances over their data

Overcoming the "Big Red Button" Challenge

  • Customers want the ability to immediately disable access to their data if needed
  • Logging and auditing of key usage is essential to provide this visibility and control

AWS Key Management Service (KMS) as a Foundation

  • KMS provides a flexible, scalable, and secure key management service
  • Offers FIPS 140-3 Level 3 validated hardware security modules (HSMs)
  • Integrates with AWS services to enable customer-controlled encryption

Key Sharing and Delegation Models

  1. Cross-Account Key Sharing: Customers grant the SaaS provider access to use their KMS keys

    • Requires carefully scoped permissions (e.g. encrypt, decrypt, generate data key)
    • Avoids the need for the SaaS provider to manage keys directly

  2. Data Key Broker Pattern:

    • SaaS provider creates a key hierarchy, using the customer's KMS key to protect data keys
    • Allows for fine-grained control, key rotation, and multi-tenancy

Encryption SDKs for SaaS Providers

  • AWS provides open-source encryption SDKs for popular languages (Java, Python, etc.)
  • Handles key management, envelope encryption, and multi-region resilience
  • Supports both KMS-based keys and custom key providers

Handling Multi-Tenant Data and Key Lifecycle

  • Caching data keys to improve performance, while ensuring key revocation visibility
  • Implementing key rotation policies to meet customer compliance requirements
  • Balancing performance, availability, and security when using customer-managed keys

Emerging Encryption Techniques

  • Homomorphic encryption for enabling search on encrypted data
  • Deterministic encryption for limited key spaces (e.g. social security numbers)
  • Tradeoffs between functionality, performance, and security must be carefully considered

Business Impact and Adoption

  • Customer-controlled encryption is becoming a table-stakes requirement for enterprise SaaS
  • Enables SaaS providers to meet stringent data sovereignty, compliance, and security demands
  • Strengthens customer trust and reduces barriers to adoption for risk-averse organizations

Key Takeaways

  • Providing customers control over their encryption keys is critical for enterprise SaaS adoption
  • AWS KMS offers a flexible, secure, and scalable foundation for implementing BYOK
  • SaaS providers can leverage AWS encryption SDKs to simplify key management and multi-tenancy
  • Emerging encryption techniques like homomorphic encryption offer new capabilities, but require careful evaluation
  • Implementing BYOK strengthens customer trust and reduces barriers to adoption for risk-averse organizations

Your Digital Journey deserves a great story.

Build one with us.

Cookies Icon

This website stores cookies on your computer.

These cookies are used to collect information about how you interact with this website and allow us to remember you. We use this information to improve and customize your browsing experience, as well as for analytics.

If you decline, your information won’t be tracked when you visit this website. A single cookie will be used in your browser to remember your preference.