Skip to content

5 Ways Hosting An Encryption Gateway Helps During a Third-Party Breach

Reports of alleged Oracle Cloud breaches have reignited concerns about the vulnerabilities inherent in third-party data management. Hosting your encryption gateway, often referred to as "Bring Your Own Encryption" (BYOE), offers a powerful solution by significantly reducing the impact of such breaches.

This blog will explore how independent security controls, like BYOE, can address the weaknesses exploited in these attacks, using the latest Oracle incident as a case study.

While multiple independent researchers and organizations have put out information supporting its occurrence and its impact, it is important to note Oracle disputes the full extent publicly.

Read more about the Reported Oracle Breach

What Does Hosting Your Own Encryption Gateway - or Bring Your Own Encryption Mean? 

Bring Your Own Encryption (BYOE) enables organizations to encrypt their data before it ever reaches the cloud. Unlike native approaches, where the cloud provider controls encryption and sometimes key management, BYOE puts businesses in direct control of these critical functions.

With BYOE, sensitive information is secured before it leaves the network using encryption keys that remain solely in the organization’s control, ensuring that data is protected and unreadable to anyone without access to those keys (including any third-party system the encrypted data is transmitted to.
BYOE-helps-during-third-party-data-breach1

 

 
There are many practical advantages of BYOE in reducing breach impact, supporting compliance, and enabling forensic analysis - here are 5:

1. Preventing Data Usability Post-Breach

In the Oracle breach example, the attackers stole encrypted passwords, Java Key Store (JKS) files, and encryption key files. If organizations using the Oracle services had utilized a self-hosted encryption gateway:

  • The decryption keys would remain isolated from Oracle's infrastructure, mitigating the attack impact.
  • Not sharing encryption control means even if Oracle’s systems were compromised, attackers couldn’t leverage cloud provider-held keys to decrypt data.
 

2. Neutralizing Ransomware Leverage

The threat actor attempted extortion by threatening to sell/expose data.

Hosting your encryption gateway disrupts this model because:

  • Stolen encrypted data lacks value without organization-controlled keys.
  • Attackers lose leverage for ransom demands, as decryption requires breaching a completely separate, external encryption gateway.

3. Mitigating Cloud Provider Backdoors

The breaches are said to have exploited a vulnerability in Oracle’s Fusion Middleware (CVE-2021-35587). Hosting your encryption gateway can assist because:

  • It decouples encryption from the cloud provider’s patch lifecycle, reducing exposure to unpatched legacy systems.
  • Avoids centralized risks like compromised LDAP/SSO endpoints by keeping authentication mechanisms independent. Cloud encryption gateways typically have their authentication mechanisms that operate at arm's length from the cloud platform.

4. Compliance and Data Sovereignty

Oracle’s breach is reported to have impacted 140k tenants globally, highlighting shared infrastructure risks. Hosting your encryption gateway enables:

  • Granular data control to help meet regulations like ITAR, CMMC, HIPAA or GDPR.
  • Control over how securely encryption keys are managed.

5. Forensic Advantages

The investigation into the breach faces challenges due to the opaque breach disclosure. Moreover, compliance regulations like HIPAA and GDPR require audit logs to be maintained. 

With an encryption gateway, organizations have access to audit trails that are stored separately from the cloud platform:

  • Audit trails for access simplify breach impact analysis.
  • Isolated encryption logs provide clearer evidence of unauthorized decryption attempts.

Conclusion

While hosting your encryption gateway does not prevent the initial third-party breach, it can radically reduce its consequences. As the analysis shows, the Oracle attackers focused on exploitable credentials and keys stored in Oracle’s infrastructure. This highlights that managing and controlling your encryption gateway shifts this attack surface, creating a situation where attackers need to compromise multiple independent systems, aligning with the principle of defense in depth, with independent layers of security.

 


 

Contact us to learn how StratoKey can assist in protecting sensitive data from third-party breaches.

See our data solutions for Salesforce, ServiceNow, SAP Business ByDesign & S/4HANA, NetSuite, and other applications.