Meet us in Las Vegas at Zscaler’s ZenithLive June 10-13

Presenting the 2024 Champions in Security Honorees

OpenSearch Partner Highlight: BYOK for B2B SaaS Operators using OpenSearch

We recently learnt that a number of our prospects were running their B2B SaaS platform on top of Elasticsearch. Nearly all of them asked if we also support AWS OpenSearch. Many of them are running older versions of Elasticsearch and are evaluating if they should upgrade to a more recent version or migrate to OpenSearch to stick to Apache license. This is about to play out in large scale in the upcoming months. SaaS companies operate on their customers’ data, and they have to take all the precautions within their reach to protect that data.

In our previous OpenSearch Partner blog, we reviewed all the great security features that are part of AWS OpenSearch (inter-node TLS, authentication, RBACs, Audit logging and OSD multi-tenancy) and a high level overview of Portal26’s data-in-use encryption plugin for OpenSearch.

Portal26 plugin for AWS OpenSearch can be installed on your OpenSearch cluster in a few minutes. Once installed, it encrypts the designated fields in selected indices before OpenSearch indexes the data, while preserving all its awesome search capabilities. You can designate which fields in your index need to be protected and how it will be released in search results.

This blog addresses an important need for B2B SaaS providers who is already running on an OpenSearch backend or strongly considering it: BYOK (Bring Your Own Key).


You are a B2B SaaS provider. You have filled out that long security questionnaire as part of the presales process. You have faced questions like:

  1. How do you protect my data?
  2. Can your devops staff see my data?

You may point to encryption built into the storage layer – like AWS S3’s SSE-S3 or EBS volume encryption. These encryption solutions protect the data from being viewed by AWS datacenter employees, not your devops team.

Your enterprise prospects know this as well. Especially the ones from regulated industries such as banking, finance, healthcare. With ransomware attacks and data breaches on the rise, they demand more. They press you to ship your SaaS software for on-premise deployment. What do you do?

  1. Shipping SaaS software for on-premise deployment is a nightmare. SaaS Software is built to run on a very specific software stack by a team of specialists (your devops ninjas). It does not distribute well or lend itself to be run by enterprise IT. Dependencies on cloud stacks, distributed computing, cost optimizations that only work at scale – impedance mismatches start to count up. Building out the platform support matrix will bury your engineering team on low value tasks (supporting Oracle 12g, Oracle Linux version 7.1).
  2. As a SaaS vendor you enjoy several advantages: fewer release branches, agility in upgrading and patching, rich instrumentation, visibility into usage, direct line to customer challenges etc. Dollar for dollar, your SaaS revenue is 5-10x more worthy than on-prem revenue towards your company’s valuation. Shipping your software for on-prem deployment grinds away that advantage.

You’d like to be able to give definitive answers to your prospects:

  1. “We encrypt your data with the highest data protection standards (NIST FIPS 140-2).”
  2. “Our devops team cannot see your data in clear text.”
  3. “As our premium enterprise customer, you can supply and control the encryption keys. You can revoke them whenever you want.” aka BYOK – Bring Your Own Key.

However, implementing this takes massive engineering effort. And you would rather continue to invest in areas of your core competency than in specialized encryption.

Portal26 can help. Portal26 is the preeminent provider of encryption solutions protecting big data stores such as AWS S3 and search engines such as AWS OpenSearch. All Portal26 offerings come with consistently implemented BYOK capabilities giving your customers a simple and seamless key management experience. You can roll out Portal26 and secure your SaaS backend in a matter of weeks with minimal engineering effort allowing your team to focus on what they do the best – building and running your software. See my last blog for how Portal26 protects the data in your OpenSearch (link)

This document:

  • Outlines the BYOK aspects of the Portal26 encryption and
  • Presents you a solution architecture

BYOK for OpenSearch

BYOK in Portal26 for AWS OpenSearch is built further upon the existing strengths of searchable encryption. It is built using two simple premises – index specific encryption keys and ability to read those individual keys from any location.

As a SaaS operator it requires just one thing – maintain a separate search index (or a set of indices) for each customer. This is anyway a good practice from both security and maintenance stand point; it allows for independent upgrades, encryption key rotation, etc. Portal26 plugin comes with a key registry where you can register which index needs to be secured using which encryption key (i.e. which customer it belongs to) and where to read each key from. Portal26 reads the encryption keys directly from your customers keystore. Portal26 supports common key stores such as AWS Secrets Manager, Hashicorp Vault etc.

Steps to enabling data protection with BYOK for your OpenSearch based application.

  1. Install Portal26 Plugin for AWS OpenSearch
  2. Choose which fields to protect. In a typical OpenSearch index, not all documents need to be secured and searched. You choose specific fields to secure.
  3. Test out your front end application works seamlessly.
  4. Create a key registry – specify which index should use which key and provide Portal26 with the credentials (in encrypted form) to access the corresponding keystores.
  5. Start loading data and querying it.

Fig1. BYOK in Portal26 Plugin for OpenSearch

Your customers can supply their key in any key store of their choice by putting it in a simple JSON structure like this.


To disable access to their keys, they just have to turn the second attribute to true. Portal26 plugin checks the various customers’ keystores periodically (e.g. every minute) to see if any customer has revoked a key. If it finds a revoked key, it will add that information to the log and disable search and decryption on that index.

Consistency in BYOK

Unlike other point solutions, Portal26 fulfills the BYOK promise in a consistent manner across all its products. Portal26 can use the same (or same set of) customer controlled keys to encrypt customer’s data, whether it is stored in AWS S3 or AWS OpenSearch. Your enterprise SaaS customers will immediately gain control over all their data held by you, their SaaS vendor.

Portal26 handles not just the well-trodden happy path, but all the scenarios that occur with distributed key management such as network fault tolerance, key revocation and reinstatement, key rotation, usage report and dashboards.

Portal26 supports a range of keystores for the customers to work with, such as AWS Secrets Manager, Hashicorp Vault etc. so that your customers do not have to open up new cloud accounts or install anything unnatural to manage encryption keys.

About Portal26

Portal26 is a leading provider of encryption based data protection for modern big data stores. At the heart of Portal26’s encryption capability is searchable encryption which allows the data to be searched and aggregated without decryption. Find out more about our complete product portfolio or explore our OpenSearch Encryption solution in more depth.

Explore Our OpenSearch Security Solution >

Related Resources