Customer Managed Keys (CMK): An Overview | IronCore Labs

Four reasons why you should care about CMK

Customers have been asking for "Customer Managed Keys" functionality for years, but the urgency has increased for a variety of reasons. Most notably:

Consumer privacy laws

In 2017 and 2018, 50 countries passed new privacy laws. The EU's General Data Protection Regulations (GDPR) mandates that companies keep the personally identifiable information (PII) of their customers secure and private. These companies are also responsible for this security when passing PII on to third-party vendors, such as SaaS providers. CMK brings visibility into how data is accessed and brings the ability to revoke that access.

Industry analysts and best practices

Analysts from Gartner, Forrester, and 451 Research all strongly recommend that large companies request CMK as a best practice for SaaS vendors.

Reduced risk of breach

Breaches are ever-present in the news media. Every week a new large brand is embarrassed by a data breach. The complexity of networks and interconnecting systems means a network breach is likely. Knowing this, customers want to know that their data is encrypted and that that encryption isn't transparent to anyone who happens to gain access to a system. In other words, transparent disk encryption and HTTPS are no longer sufficient for IT Vendor Management Review teams.

Top tier has delivered

After years of asking, top SaaS companies have started to offer CMK. Salesforce released their "Cache-only Key Service" in 2019. Also in 2019, Slack released their "Enterprise Key Management" feature. Box has offered CMK (under several different names) for several years now. And Microsoft offers a "Bring Your Own Key" option for its Azure Key Vault. Companies using this feature have begun to demand it from the rest of their vendors, if those vendors handle sensitive and regulated data such as PII.