
Why You Should Host Your Own Cloud Encryption Gateway

Written by Sian Parany | Oct 21, 2025 10:30:00 PM

As of 2022, over 60% of corporate data was stored in the cloud, and that share is still growing. Most organizations rely on cloud service providers (CSPs) such as Microsoft Azure, Amazon Web Services (AWS) or Google Cloud Services (GCS), as well as a range of cloud Software as a Service (SaaS) providers, for critical operations including Enterprise Resource Planning (ERP), Customer Relationship Management (CRM), Human Resource (HR) systems, customer support, ticketing, document management and productivity tools, to name but a few. This shift to cloud-based solutions has brought unprecedented convenience and scalability, but it has also introduced new data security and privacy challenges.

TL;DR Cloud Encryption Gateway Essentials

  • Encrypts or tokenizes data before it reaches cloud apps.

  • Keeps keys under your control (HYOK/BYOK).

  • Reduces vendor lock-in and compliance exposure.

  • Works with SaaS platforms like NetSuite, Salesforce, and Jira.

  • Enables auditability for frameworks such as CMMC, GDPR, HIPAA, and ITAR.

Introduction

As organizations expose more of their data to these providers, securing sensitive and regulated data during collection, processing, and storage has become a fundamental security and regulatory consideration. Encryption, both in transit and at rest, has emerged as the ubiquitous security method to this end. However, not all encryption approaches are equal.

The Core Question: Who Controls the Encryption Process?

Organizations face a critical question: whose encryption service should they use, and why? CSPs offer encryption services for data stored in their private or public clouds, and increasingly SaaS providers are extending their product offerings to include encryption. It is important to note that these encryption systems are not hosted by the client organization.

Alternative arm's-length approaches exist, one of which is self-hosting an encryption gateway. Choosing between a CSP or SaaS provider's encryption processes and a self-hosted encryption gateway hinges on understanding your regulatory and security needs in the context of how each approach works.

While each method has its merits, for organizations dealing with highly sensitive or regulated data, the answer may lie in self-hosting an encryption gateway. This blog aims to demystify integrated CSP and SaaS encryption approaches and provide reasons why self-hosting an encryption gateway may be the optimal solution when you cannot compromise on security for convenience.

Understanding Encryption

Encryption is the process of converting plaintext data into an unreadable format called ciphertext. Ciphertext can be decrypted back to plaintext by authorized parties using an encryption key. Encryption serves as a critical component of data security, particularly in cloud computing environments. By encrypting data, organizations can protect their sensitive information from unauthorized access and potential breaches.

Want to dive deeper into encryption? Head to our blog: Cloud Encryption Explained.

What is a Cloud Encryption Gateway?

A cloud encryption gateway is a security layer that sits between an organization's users and external cloud services or applications. It acts as a protective barrier, encrypting sensitive data before it leaves the organization's environment destined for the cloud. The data is seamlessly decrypted as it passes back through the gateway when authorized users need to access it.

According to industry definitions, it:

“provides a cloud-security proxy … which performs encryption, tokenisation or both on an item-by-item basis as data flows through the proxy”.

Gartner

Your SaaS Provider's Native Encryption is Convenience with Security Trade-offs

The fundamental differences between hosting an encryption gateway and utilizing the encryption services of CSPs and SaaS providers lie in:

  1. Where the encryption and decryption of data takes place;
  2. Who has access to the encryption keys; and
  3. Who has control of the encryption process.

While cloud providers offer encryption services designed to simplify security for their customers, this convenience comes with significant trade-offs because of these differences.

Your SaaS Provider May Still Have Access to Plaintext Data

SaaS native encryption systems are undoubtedly convenient. However, this convenience is a double-edged sword. The provider potentially maintains access to the encryption keys, and at the very least, the plaintext data. This issue is visible in the image below, where the encryption process happens within the provider's environment, exposing sensitive information in plain text to the SaaS provider.

For organizations dealing with highly sensitive or regulated data, this approach is often unsuitable. The lack of control over the encryption process and the potential for unauthorized access to plaintext data can pose significant security and compliance risks.



These services are provided by CSPs and SaaS providers in good faith to provide a level of protection. However, when a cloud service or SaaS provider controls the encryption process, they can decrypt encrypted data into plaintext.

The security risks increase when relying on your provider's native encryption systems.

These risks primarily involve data sovereignty, residency, and privacy concerns. In some scenarios, SaaS providers' unrestricted access to sensitive information may violate cross-border data transfer regulations or breach access restrictions on regulated data. A common example of this occurs when technical support is provided by offshore employees of the SaaS vendor, potentially exposing sensitive data to individuals in external countries.

Reduced Oversight and Control

When organizations relinquish direct management of encryption system architecture and key management to their cloud service providers, they face significant challenges in demonstrating regulatory compliance. This lack of control can hinder the implementation and verification of critical security measures, such as the principles of least privilege and separation of duty.

These essential controls, emphasized by NIST Special Publication 800-53, are crucial for mitigating unauthorized access and misuse of cryptographic keys. However, when relying on cloud provider-managed systems, organizations may find these controls conflicting with the provider's operational practices and difficult to monitor effectively.

To address concerns about bundled key management and encryption systems, many providers offer Bring Your Own Key (BYOK) options. While BYOK aims to create a separation between the provider's encryption processes and the customer's encryption keys, it often provides a false sense of security and control.

In reality, BYOK and external Key Management may not fully address the underlying issues of oversight and control that organizations face when outsourcing their encryption management.

The BYOK Illusion: A False Sense of Control

Cloud service and SaaS providers are aware of the growing demand for key separation in their encryption offerings. Yet BYOK still suffers from two fundamental problems. The first is that the SaaS provider has either handled the keys directly or, in the case of external key management, still has access to the encryption and decryption of the plaintext data, even though the keys are not stored in the SaaS platform. This access to the plaintext data is where the limitations of the capability are stark.

Defining the terms:

  • BYOK: Useful where a lack of trust exists in the vendor's ability to generate secure encryption keys. With BYOK, organizations generate their own encryption keys and share them with either the SaaS platform or an external key management system.
  • External Key Management: This solves the "key separation" problem of storing encryption keys alongside the sensitive data in the SaaS platform. It does not, however, prevent the SaaS provider from decrypting sensitive or regulated customer data into plaintext. It merely stores the keys separately and provides access to either the keys or the encryption/decryption process when required.

Many SaaS BYOK systems require the encryption keys to be uploaded to the SaaS provider's infrastructure, with the provider still able to request access to the keys to decrypt the ciphertext to plaintext. In these cases, organizations have forfeited control over the most important aspect of data security: controlling the decryption of sensitive data.

Issues that can be present with SaaS provider BYOK solutions:

  • Key Duplication: Providers may keep copies of uploaded keys.
  • Envelope Encryption: Customer keys encrypt intermediate keys managed by the provider.
  • Transparent Encryption: Admins can access plaintext data.
  • Provider-Held Master Keys: Customers upload keys, but control resides with the provider.
  • Decryption for Processing: Applications decrypt data during use, exposing it to CSP systems.

Whilst BYOK and key management systems are useful and have strong security benefits, they do not prevent the SaaS provider from accessing the sensitive data in plaintext. The core issue is that the provider still maintains significant control over the encryption process and access to the plaintext data. This arrangement can undermine the security guarantees that customers expect from encryption and BYOK/key management.

The Risks of Relying on Cloud SaaS Providers' Native Encryption

Organizations want to access all of the advantages the cloud has to offer, but the benefits often come at a cost to security and introduce several risks:

Limited Control Over the Encryption Process

When cloud providers manage encryption, organizations often lack visibility and authority over decryption keys and processes. This limits assurance that only authorized users can access sensitive data and increases the risk of third-party exposure.

Increased Data Breach Risk

Misconfigured security settings, shared infrastructure, and weak or outdated encryption practices can expose sensitive data. Without direct control, organizations depend entirely on the provider’s implementation quality and response time in the event of a breach.

Lack of Visibility and Oversight

Cloud providers rarely disclose detailed information about their encryption methods or operational controls. Limited insight makes it difficult to validate encryption strength, monitor key usage, or provide auditors with required evidence of data protection.

Insider Threats and Unauthorized Access

Employees of a Cloud Service Provider or SaaS vendor may have administrative access that extends to customer data. Even indirect access introduces insider threat risk, particularly in multi-tenant environments where separation of duties is weak.

Key Management and Governance Issues

When providers handle encryption keys, customers cannot guarantee exclusive control. Poor key rotation, insecure storage, or key reuse across tenants can lead to unauthorized access, data loss, or compliance violations. True protection requires owning and managing encryption keys independently, known as Hold Your Own Key (HYOK) or Bring Your Own Key (BYOK) models enforced through a cloud encryption gateway.

Misunderstanding the Shared Responsibility Model

Many organizations assume the cloud provider is fully responsible for securing data. In reality, the provider protects infrastructure, while the customer must safeguard data, identities, and configurations. Misinterpreting this model creates critical security gaps and compliance risks.

Compliance and Regulatory Challenges

Frameworks such as HIPAA, ITAR, CMMC, GDPR, and FISMA require verifiable control over encryption, key management, and access auditing. Relying on a third party for encryption can make demonstrating compliance impossible without independent validation or separate key custody.

Data Sovereignty and Jurisdictional Risk

Cloud providers often replicate or manage data across regions. If encryption or decryption occurs outside the organization’s jurisdiction, it may fall under foreign laws (e.g., the U.S. CLOUD Act) or conflict with national data protection regulations. Maintaining a locally controlled encryption gateway ensures compliance with data sovereignty mandates.

Data Sovereignty and Compliance Issues

When organizations rely on CSP/SaaS native encryption systems, data sovereignty issues become increasingly complex. The global distribution of data centers across multiple jurisdictions makes it challenging to ensure data remains within specific geographical boundaries. Simply using a provider's encryption system may not sufficiently protect data if the plaintext remains accessible to the foreign service.

Exposure to Foreign Laws

Consider a German company using a US-based SaaS provider as a CRM. Even if they utilize the provider's encryption service, the data transfer across jurisdictional borders may still violate GDPR requirements. This scenario creates regulatory compliance issues and exposes the data to potential access by US agencies under the US CLOUD Act. Importantly, this risk persists even if the US company stores the data in a German data center.

This situation undermines core GDPR principles of data protection and privacy, making it difficult for organizations to demonstrate compliance when using non-EU based providers' encryption services, regardless of data center location. The Schrems II case, which invalidated the EU-US Privacy Shield, highlighted these concerns by demonstrating the incompatibility of US laws with EU data protection standards. This ruling extends beyond US-based companies, emphasizing the broader challenges of maintaining data sovereignty and compliance in our increasingly globalized digital economy.

Issues for Data Sovereignty

Key Control

In many cases, even with Bring Your Own Key (BYOK) options, the provider still maintains access (even indirectly via decryption requests) to encryption keys or intermediate keys, potentially exposing data to foreign laws and surveillance programs.

Legal Compliance

Laws such as the US CLOUD Act can compel US-based providers to disclose data to US authorities, even if it's stored outside the US, conflicting with data protection laws in other regions like the EU's GDPR.

Data Location Uncertainty

The distributed nature of cloud architecture means users may not always know the exact location of their data including backups and archives, potentially leading to unintended violations of data sovereignty regulations.

Limited Control

Organizations often relinquish direct control over data storage and processing practices when using these services, making it challenging to implement and demonstrate compliance with local data protection laws.

The Case For Hosting Your Own Encryption Gateway

For organizations prioritizing security above all else, self-hosting an encryption gateway emerges as the optimal approach for safeguarding sensitive data in cloud environments. Self-hosting an encryption gateway offers a formidable defense mechanism, creating a clear separation between your encryption system and external cloud and SaaS services.

Defense-in-Depth Data Security

This defense-in-depth approach provides organizations with complete ownership and control over their encryption system, including the critical aspects of key management, decryption of data and access control. While the prospect of self-hosting may initially seem daunting due to infrastructure considerations, especially when compared to the apparent simplicity of SaaS providers' built-in encryption, it becomes the clear choice when stringent security and data protection are non-negotiable. For organizations dealing with highly sensitive or regulated data, the additional effort is a small price to pay for the significant security and compliance benefits.

An Encryption Gateway for Clear Separation

The deployment of an encryption gateway, such as StratoKey's Cloud Data Protection (CDP) gateway, within an organization's own environment is a game-changer. This crucial distinction ensures that even the SaaS provider has no access to plaintext data, dramatically reducing the risk of unauthorized access or data breaches. The operational flow of a self-hosted encryption gateway is both straightforward and highly effective. Residing within the organization's environment, it encrypts data before transmission to any SaaS provider. When authorized users require access, the gateway seamlessly (automatically) decrypts the data back to plaintext.
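The operational flow just described, together with the item-by-item proxy behaviour from the "What is a Cloud Encryption Gateway?" section, reduced to a small working model. This is an added illustration written for this post, not StratoKey's code: the field names, the single-user allow-list and the fixed demo key are constructed for the example, and a production gateway would draw its key from a KMS or HSM that you host.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// Gateway keeps the AES key (16, 24 or 32 bytes) inside the organisation's boundary.
type Gateway struct {
	aead      cipher.AEAD
	sensitive map[string]bool // fields encrypted item-by-item before a record leaves
	allowed   map[string]bool // users permitted to see plaintext on the way back
}

func NewGateway(key []byte, sensitive, allowed map[string]bool) (*Gateway, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Gateway{aead: aead, sensitive: sensitive, allowed: allowed}, err
}

// Outbound encrypts each sensitive field before the record is forwarded to the SaaS; the field name is bound as AAD, so a ciphertext moved to another field fails to decrypt.
func (g *Gateway) Outbound(record map[string]string) (map[string]string, error) {
	out := make(map[string]string, len(record))
	for field, value := range record {
		if !g.sensitive[field] {
			out[field] = value
			continue
		}
		nonce := make([]byte, g.aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		ct := g.aead.Seal(nonce, nonce, []byte(value), []byte(field))
		out[field] = base64.StdEncoding.EncodeToString(ct)
	}
	return out, nil
}

// Inbound decrypts protected fields on the way back, but only for an allow-listed user; the SaaS side, holding neither key nor allow-list entry, only ever sees ciphertext.
func (g *Gateway) Inbound(user string, record map[string]string) (map[string]string, error) {
	if !g.allowed[user] {
		return nil, fmt.Errorf("user %q not authorised to decrypt", user)
	}
	out := make(map[string]string, len(record))
	ns := g.aead.NonceSize()
	for field, value := range record {
		if !g.sensitive[field] {
			out[field] = value
			continue
		}
		ct, err := base64.StdEncoding.DecodeString(value)
		if err != nil || len(ct) < ns {
			return nil, fmt.Errorf("field %q: malformed ciphertext", field)
		}
		pt, err := g.aead.Open(nil, ct[:ns], ct[ns:], []byte(field))
		if err != nil {
			return nil, fmt.Errorf("field %q: %w", field, err)
		}
		out[field] = string(pt)
	}
	return out, nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte demo key; in practice served by a KMS/HSM you host
	g, _ := NewGateway(key, map[string]bool{"ssn": true}, map[string]bool{"alice": true})
	saasView, _ := g.Outbound(map[string]string{"name": "Example Employee", "ssn": "000-00-0000"})
	fmt.Println("SaaS stores:", saasView) // name in clear, ssn as base64(nonce||ciphertext||tag)
}
```

Because the field name is authenticated data, an attacker who can rearrange stored values in the SaaS cannot make the gateway decrypt one field's ciphertext in another field's context.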

Maintain Full Control of Sensitive Data

This approach ensures end-to-end protection (encryption) of sensitive information throughout its lifecycle, with the organization maintaining full control over encryption and decryption processes. By choosing to self-host an encryption gateway, organizations can achieve a level of data security and sovereignty that is simply not possible with provider-managed encryption services. This approach not only enhances protection against external threats but also provides the transparency and control necessary to meet stringent regulatory requirements and internal security policies.

Benefits of Self-Hosting an Encryption Gateway

Self-hosting provides several benefits that address the risks associated with using cloud service and SaaS providers' inbuilt encryption solutions:

Full Control Over Encryption Keys

Self-hosting enables you to Hold Your Own Key (HYOK)—generating, storing, and managing encryption keys within your infrastructure or with a trusted security provider. This ensures complete separation between your encryption system and the SaaS provider, reducing the risk of unauthorized access. Keys remain inaccessible to third parties, supporting compliance with sovereignty and regulatory mandates.

Enhanced Data Protection

Managing your own encryption processes eliminates reliance on provider security practices. This reduces exposure to data breaches, misconfigurations, or policy gaps inherent in shared cloud environments, ensuring end-to-end data protection.

Greater Flexibility

SaaS-native encryption often limits what fields, workflows, and integrations can be protected. A self-hosted cloud encryption gateway removes these constraints, delivering configurable, application-aware protection that adapts to unique business and regulatory needs.

External Service Support via API

Self-hosted encryption gateways provide secure APIs that allow encrypted data to be shared with external systems and services without compromising key custody or process integrity. This transforms encryption into an enterprise-wide, interoperable capability rather than a point solution.

Stronger Compliance Alignment

Self-hosting supports specific regulatory mandates for data residency, sovereignty, and privacy by ensuring encryption and key management remain under your organization’s direct control. This is critical for frameworks such as CMMC, HIPAA, ITAR, and GDPR.

Increased Visibility and Auditability

Owning the encryption layer gives you complete insight into how and when data is encrypted, decrypted, and accessed. This transparency strengthens monitoring, audit readiness, and continuous compliance validation.

Threat Mitigation and Access Control

Limiting encryption key access to trusted internal teams enables strict separation of duties. This minimizes insider threats and eliminates risks posed by external service provider personnel.

Balanced Shared Responsibility

Self-hosting enhances the shared responsibility model by enabling your organization to directly secure and monitor the encryption process, complementing SaaS-layer protections and closing residual security gaps.

Reduced Provider Lock-In

By managing your own encryption mechanisms, you maintain control over data formats and key structures—allowing seamless migration between cloud providers and reducing long-term dependency on any single vendor.

Improved Data Sovereignty

Hosting your encryption infrastructure within your preferred jurisdiction ensures data never leaves your legal control. This simplifies compliance with regional data protection and export-control laws.

Customization and Integration Capabilities

A self-hosted encryption gateway integrates directly with existing systems, authentication tools, and workflows. This flexibility supports organizational scalability and enables tailored security controls that align with enterprise processes.

Cost Optimization

While initial implementation requires investment, self-hosted encryption can lower long-term costs by reducing per-user SaaS fees, minimizing compliance penalties, and centralizing encryption management across cloud platforms.

Scalable Enterprise Deployment

A self-hosted architecture scales with organizational growth. It can serve as a centralized encryption platform across multiple cloud and SaaS providers, maintaining consistent policies, performance, and compliance standards enterprise-wide.

How to Choose the Right Encryption Approach For Your Organization

When evaluating self-hosted solutions versus CSP/SaaS encryption services, consider:

Cost Analysis

While initial setup costs may be higher for self-hosting, long-term expenses can be lower due to reduced reliance on large cloud services. Increasingly large SaaS providers are charging their encryption services at a premium, relying on your desire for simplicity and the deterrent of switching costs.

Regulatory Requirements

Different jurisdictions and industries have specific data protection laws and compliance standards. Self-hosted encryption gateways often provide greater control over data sovereignty and compliance with regulations like CMMC, ITAR, HIPAA, or GDPR, while SaaS or cloud providers' inbuilt solutions may present challenges in demonstrating compliance, especially when data crosses jurisdictional boundaries. Organizations in highly regulated sectors may prefer self-hosted solutions to ensure strict adherence to data governance frameworks and maintain full control over sensitive information.

Flexibility

Consider the ability to scale the encryption service beyond a single SaaS application, the harmonization of encrypted content between different systems, and the freedom to avoid artificially limiting your choice of integrations, data movements between systems, and data storage providers such as data lakes.

A Leading Cloud Data Protection Gateway Platform

For organizations looking to enhance their cloud security, StratoKey offers a powerful Cloud Data Protection Gateway that combines encryption and tokenization for popular SaaS and cloud services like NetSuite, Salesforce, Jira, Confluence, and ServiceNow (plus many more).

The StratoKey solution is hosted within your own environment, keeping sensitive data local while transmitting only encrypted or tokenized values to cloud and SaaS applications.

StratoKey’s Data Protection Gateway unifies encryption, tokenization, access controls, monitoring, analytics, and policy enforcement, providing true defense-in-depth. Access, audit, and location controls ensure that only authorized users in approved regions can view or handle sensitive data.

This architecture enables organizations to maintain full data control and compliance without limiting functionality in cloud platforms. StratoKey strengthens security, supports global data governance, and allows seamless use of cloud and SaaS applications within regulated environments.

Conclusion

Self-hosting an encryption gateway represents the best path for organizations prioritizing data security, compliance, and data sovereignty. By maintaining full control over encryption through hosting your own encryption gateway, organizations mitigate the risks associated with CSP and SaaS native systems and retain greater control over their sensitive data.

To learn more about how StratoKey can help secure your cloud environment, please contact us or download the StratoKey White Paper.