Bring-Your-Own-Key (BYOK) has been hailed as the pinnacle of security, but is it truly optimal? This blog takes deeper look.

In the realm of cloud backup and recovery, the Bring-Your-Own-Key (BYOK) model has been hailed as the pinnacle of security. This notion has been perpetuated by respected organizations like the Cloud Security Alliance (CSA) and the National Institute of Standards and Technology (NIST), which endorse BYOK to fortify data security and mitigate risks when collaborating with cloud providers. However, does BYOK truly represent the optimal approach for safeguarding your backup data in the cloud? Let's delve into this subject and uncover why BYOK may not be as essential or advantageous as it seems for achieving secure, on-demand recovery.

The BYOK model: A two-edged sword

On the surface, BYOK appears alluring, offering customers complete authority over their encryption keys and the ability to revoke access at their discretion. However, this autonomy comes with a substantial caveat. Customers must shoulder the responsibility of managing the entire lifecycle of their encryption keys, a task that can prove both intricate and perilous. It's worth noting that even when BYOK is employed, authorized vendors, such as those in the data backup and recovery domain, retain copies and require use of these keys to facilitate backup and recovery operations of these keys, undermining the very essence of "Bring-Your-Own-Key."

Contrary to popular belief, BYOK doesn't entirely obstruct access to backup data. While it's often assumed that BYOK allows customers to suspend or revoke application access to backup data at any given moment, the reality is quite different. As previously discussed, providers maintain their copies, and true control remains elusive. In stark contrast, Quest On Demand Recovery provides the flexibility to revoke consent, delete data, or terminate subscriptions at any time.

Embracing BYOK, customers may find themselves grappling with operational overhead and the potential pitfalls of key management, including the risk of key loss, compromise, or misuse. Compatibility issues or constraints with cloud services that lack BYOK support might also pose challenges. Furthermore, the security features and standards offered by cloud providers for key management may not be accessible when BYOK is adopted.

The Quest approach: Security simplified

Quest leverages Azure Key Vault and its associated REST API to oversee encryption keys for both data in transit and data at rest in On Demand Recovery. Azure Key Vault stands as a secure and scalable service, bolstering data protection and compliance with stringent regulatory standards. This approach eliminates the customer's risk of mismanaging encryption keys, ensures seamless integration with other Azure services, and provides robust auditing and monitoring capabilities, delivering peace of mind about data security.

Why Quest built it this way

Quest has adopted this approach to offer a secure and streamlined alternative to the BYOK model. The Quest On Demand Platform adheres to internationally recognized standards such as GDPR, ISO/IEC 27001:2013, ISO/IEC 27017:2015, and ISO/IEC 27018:2019. It also successfully completes a SOC 2 Type 2 yearly examination, exemplifying its commitment to data security and compliance.

The most sensitive customer data collected and stored by On Demand pertains to the access keys for Azure Entra ID (formerly known as Azure Active Directory). This token is exclusively accessible by service accounts, rendering it inaccessible to end-users. It employs encryption within the Azure Key Vault service, with encryption and decryption processes transparently executed within On Demand. Neither Quest Software employees nor Microsoft employees have access to, or visibility of the keys used for encryption and decryption. These operations occur seamlessly between the Azure Key Vault Service and Azure Storage Tables, with keys stored in a FIPS-2 level-validated Hardware Service Module within Azure Key Vault and rotated hourly. For further information, please refer to Azure Key Vault.

These certifications, accompanied by stringent controls and third-party validations, affirm that the platform's key management, driven by Azure Key Vault, aligns with the most rigorous security standards. This eliminates the need for customers to grapple with their encryption key management, thus mitigating operational overhead and minimizing the potential risks associated with BYOK.

Reality Check!

  • BYOK adds administrative burden and risk: Customer administrators can lose, revoke, modify, get the key stolen, have the key tampered with, or all the above, adding an additional measure of risk to the organization’s stability and resiliency.
  • BYOK does not protect data from account compromise: If an attacker or state authority gains access to the customer’s account, they can access the data with the customer-supplied key, which is online and available to the service provider.
  • BYOK does not play a role in data encryption: The customer-supplied key is not used to encrypt the actual data, but only to encrypt another key that is generated by the service provider. The customer-supplied key has no effect on the day-to-day operations of the service.
  • BYOK does not prevent access to backup data: It's believed that BYOK approach allows customers to suspend or revoke application access to back up data at any moment, but that is not true as the provider requires their own copy as previously discussed. However, On Demand Recovery does allow you to revoke your consent, delete your data or close your subscription at any time.
  • BYOK does not protect data from service provider compromise: If the service provider is hacked or seized by the government, the customer-supplied key is also exposed, as it is stored and used by the service provider. The customer has no control over the copy of the key that is in the hands of the service provider or their adversaries.
  • Quest On Demand Recovery protects your data: Quest ensures your data is protected at every stage of its journey by our strict adherence to internationally recognized standards and utilization of Azure Key Vault to manage access to value resources.

Benefits of On Demand Recovery

One of the many reasons why people choose Quest On Demand Recovery is to protect their identity and enterprise applications in the hybrid or cloud AD environment. Identity and enterprise applications are essential for the security and productivity of any organization, and they can be compromised by data breaches, human errors, or malicious attacks. Quest On Demand Recovery provides a comprehensive backup and recovery solution that can quickly and securely restore Azure AD and Office 365 users, groups, attributes, and other objects. It also allows users to compare backups with live Azure AD to identify changes or deletions, and to granularly search and restore what they need. Quest On Demand Recovery offers more features and capabilities than the tools provided by Microsoft, such as the Azure AD Recycle Bin, which has limited functionality and retention period. By using Quest On Demand Recovery, users can ensure the protection of their identity and enterprise applications in the cloud and avoid downtime and negative impact on end users. To learn more about security for On Demand Recovery, be sure to read our On Demand Recovery Security Guide and On Demand Global Settings  Security Guide.

I’ll leave you with this quote to consider from one of Quest’s distinguished engineers: “The BYOK debates I have faced tend to be with compliance teams who are trying to give the impression that owning a key prevents authorities (not so much the bad guys) from accessing their content. Unfortunately, in the current technical way SaaS providers are set up and the different regional laws it is not a 100% safe assumption.”


Initially, BYOK may appear enticing due to the perceived control it grants. But those advantages are quickly overshadowed by the added administrative burden it imposes and the inherent contradiction where authorized vendors maintain copies of the key, undermining the core BYOK principle. Furthermore, BYOK's role in day-to-day operations is limited, and it does not inherently encrypt customer data on most platforms.

Quest's On Demand Platform is designed to automate key management and its merits exceed the perceived advantages of BYOK while mitigating its weaknesses. Customers can hold their trust in the platform's robust security features and adherence to globally recognized standards, offering simplicity, peace of mind, and security. Therefore, it can be argued that BYOK is not a prerequisite for secure on-demand recovery. Instead, a solution like the Quest On Demand Platform, prioritizing security, and compliance, presents a more dependable and efficient path forward.

We hope this insight has shed light on the misconceptions surrounding BYOK. If you are interested in exploring how Quest can address your cloud backup and recovery needs, read the eBook,

Blog Post CTA Image

Related Content