
Protect Your Data With Self-Managed Keys (BYOK) Enhancements

Written by

In today’s rapidly evolving data security landscape, it’s critical for organizations to secure their services, particularly in the face of rising cyber threats. Robust security measures for streaming data are vital to safeguard against breaches and losses, and help to maintain trust among customers and partners, while ensuring compliance with regulatory requirements.

Initially, cloud service providers controlled much of data security, including the management of encryption keys. Organizations had to trust providers to safeguard their sensitive data, often with limited visibility and control over encryption methods and key management protocols. This sparked concerns about data sovereignty and security. As organizations sought more robust methods to protect their data, the emergence of Bring-Your-Own-Key (BYOK) paved the way for greater autonomy.

At Confluent, we are dedicated to providing top-tier security and encryption to our users. That’s why we’re excited to announce the general availability of BYOK for Enterprise clusters on AWS and External Key Managers (EKM) for Dedicated clusters on GCP. These additions grant our users greater control over their encryption and data management.

Secure data at rest using your own encryption keys with BYOK on Enterprise clusters

With self-managed keys, customers encrypt data at rest using keys they control rather than keys held by the provider. That’s why we introduced BYOK to Dedicated clusters on AWS, Azure, and Google Cloud. BYOK strengthens data security by protecting against unauthorized physical access to disks, and lets customers cut off access to their data by revoking the key when necessary, such as in response to a security breach.

In 2023, we introduced Enterprise clusters, an Apache Kafka® solution tailored for organizations requiring autoscaling with elastic billing, private networking features, and the ability to support workloads of varying throughput and latencies. Today, we’re excited to extend support for BYOK to Enterprise clusters, so that customers can take advantage of the cost savings and scalability of this serverless cluster type while maintaining their security and compliance profile, never having to choose between the two.

This BYOK enhancement broadens the scope of encryption control across a wider range of cluster types. Customer-managed data-at-rest encryption is often a must-have capability, and its absence is frequently an obstacle to adoption and expansion, especially for customers with strong InfoSec standards.

With BYOK encryption in place, customers gain greater confidence in who can access their data at rest, which is especially useful when handling government access requests, sensitive data, or other compliance requirements, like GDPR.

Leverage granular encryption controls on Enterprise clusters

In order to provide the control of self-managed keys (BYOK) while preserving the benefits of an autoscaling service like Enterprise clusters, we use multiple encryption methods to protect your data at rest.

How does it work? Your persisted data is always encrypted when stored at rest. For temporary storage, we use Confluent-managed encryption keys to protect your data. When the data is moved to infinite storage, we use envelope encryption: your self-managed key acts as the key encryption key that wraps the data encryption keys, and those data encryption keys encrypt the data itself. This approach ensures strong security and compliance while preserving the performance of the Enterprise service.
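The envelope-encryption scheme described above, as an added Python example that is not Confluent’s code and makes no claim about its internal implementation. `CustomerKms` is a stand-in for the customer’s own key management service (its `generate_data_key` and `unwrap` methods mirror the shape of AWS KMS GenerateDataKey/Decrypt, but are assumptions for this demo), `InfiniteStorage` is a stand-in for the service side, and the HMAC-SHA256 counter-mode cipher stands in for a real AEAD such as AES-256-GCM so the example runs with only the standard library. The segment name and record contents are constructed sample data. The point it shows: the service persists only ciphertext plus a wrapped DEK, and once the customer disables the root key, the stored data can no longer be read.

```python
import hashlib
import hmac
import os
import secrets

# Stand-in cipher: HMAC-SHA256 keystream in counter mode plus an HMAC tag
# (encrypt-then-MAC). A real deployment would use AES-256-GCM instead.
def _derive(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raise ValueError on tampering."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class CustomerKms:
    """Stand-in for the customer's KMS (assumption). The root key (the BYOK
    key) never leaves this object; callers only see plaintext and wrapped DEKs."""

    def __init__(self) -> None:
        self._root_key = secrets.token_bytes(32)
        self.enabled = True

    def generate_data_key(self) -> tuple[bytes, bytes]:
        self._check_enabled()
        dek = secrets.token_bytes(32)
        return dek, encrypt(self._root_key, dek)   # (plaintext DEK, wrapped DEK)

    def unwrap(self, wrapped_dek: bytes) -> bytes:
        self._check_enabled()
        return decrypt(self._root_key, wrapped_dek)

    def disable(self) -> None:
        """The customer revokes access, e.g. during breach response."""
        self.enabled = False

    def _check_enabled(self) -> None:
        if not self.enabled:
            raise PermissionError("customer key is disabled")


class KeyRevokedError(Exception):
    pass


class InfiniteStorage:
    """Service side (assumption): keeps only ciphertext plus the wrapped DEK,
    never the plaintext DEK and never the customer's root key."""

    def __init__(self, kms: CustomerKms) -> None:
        self._kms = kms
        self._segments: dict[str, tuple[bytes, bytes]] = {}

    def write(self, name: str, data: bytes) -> None:
        dek, wrapped_dek = self._kms.generate_data_key()
        self._segments[name] = (encrypt(dek, data), wrapped_dek)
        del dek  # plaintext DEK is discarded once the segment is encrypted

    def read(self, name: str) -> bytes:
        ciphertext, wrapped_dek = self._segments[name]
        try:
            dek = self._kms.unwrap(wrapped_dek)  # every read goes through the customer's key
        except PermissionError as exc:
            raise KeyRevokedError(f"cannot unwrap DEK for {name}") from exc
        return decrypt(dek, ciphertext)


def tamper_detected(key: bytes, blob: bytes) -> bool:
    """True if flipping one ciphertext byte is caught by the tag check."""
    damaged = bytearray(blob)
    damaged[16] ^= 0x01
    try:
        decrypt(key, bytes(damaged))
    except ValueError:
        return True
    return False


def demo() -> tuple[bytes, str]:
    """Write a constructed record, read it back, revoke the key, read again."""
    kms = CustomerKms()
    store = InfiniteStorage(kms)
    store.write("orders-0/segment-0001", b"order-42,paid,EUR 19.90")  # constructed sample
    before = store.read("orders-0/segment-0001")
    kms.disable()
    try:
        store.read("orders-0/segment-0001")
        after = "readable"
    except KeyRevokedError:
        after = "unreadable"
    return before, after


if __name__ == "__main__":
    print(demo())
```

Because each read unwraps the DEK through the customer’s KMS, disabling the root key makes every segment wrapped under it unreadable without the service having to touch the stored ciphertext; that is the revocation property the post refers to, and it is also why the KMS audit log shows every decrypt request the service makes.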

Ready to get started with BYOK?

Self-managed encryption keys for clusters can be easily enabled when provisioning a new Dedicated or Enterprise cluster via the UI, CLI, API, or Terraform.

Create the Enterprise cluster with encryption key

Begin by setting up the Confluent CLI and ensuring you have the right permissions before running the following commands:

For users primarily working in the Confluent Cloud user interface, we also provide a simple, step-by-step guided provisioning with which to follow along.

  1. Select Enterprise and assign AWS as the cloud provider, along with the appropriate “region” and “uptime SLA.”

    1. Ensure the region of the Enterprise cluster corresponds with the region of the encryption key in AWS.

  2. Set up PrivateLink.

    1. Create the configuration that determines ingress and/or egress connectivity.

  3. Add your encryption key and update the key policy to enable it for cluster creation.

  4. Review the details and click “Launch cluster.”

Encrypt your data using External Key Managers (EKM)

External Key Manager (EKM) support via Google Cloud for Dedicated clusters is also now generally available. This capability enables customers to encrypt data at rest using root encryption keys held outside Google Cloud’s native key-management service, for example in Thales or Fortanix. This addition ensures customers maintain full control over their keys, catering to data sovereignty and regulatory requirements (GDPR, DORA, etc.). With EKM support, Confluent provides greater flexibility and security for regulated industries like financial services and healthcare, where advanced encryption key control is essential.

Get started today!

To encrypt your data at rest in Confluent using a key managed in a third-party service, start by creating and managing your encryption keys in an External Key Manager supported by Google Cloud. Simply follow the instructions provided by the External Key Manager and Google Cloud EKM to grant your Google Cloud project access to the key.

Once set up, the externally managed key can then be seamlessly applied to encrypt data at rest in Confluent, when provisioning a new Google Cloud Dedicated cluster via the UI, CLI, API, or Terraform. Read the docs to learn more.

What’s next?

Confluent’s integration of BYOK for Enterprise clusters and support for EKMs marks a significant stride towards fortifying our security infrastructure. These enhancements reinforce our commitment to data protection, while giving our customers unprecedented control and visibility over their data security strategies. Stay tuned for more upcoming security feature enhancements and offerings!

If you’re new to Confluent and haven’t already, sign up for a free trial of Confluent Cloud and create your first cluster to explore new topics and create streaming pipelines and applications. New sign-ups receive $400 to spend within Confluent Cloud during their first 30 days. Use the code CCBLOG60 for an additional $60 of free usage.*

Apache®, Apache Kafka®, and Kafka® are registered trademarks of the Apache Software Foundation.

  • Philip is a technical product marketer at Confluent, responsible for technical content creation of product launches, in-depth tutorials, keynotes, and tradeshows.

  • Naman is a product manager at Confluent, responsible for data-at-rest and data-in-transit encryption features in the managed Apache Kafka service. Previously, Naman was at Microsoft as a product manager on Azure IoT Hub.
