
Enterprise Cloud Services need to behave as Digital Bank Lockers

SaaS is fast becoming the de facto delivery model for most enterprise applications today, with these apps increasingly built on PaaS and IaaS infrastructure in the cloud. When an enterprise customer trusts a SaaS app with its data, the digital gold of today, that app and the underlying cloud infrastructure are acting as the banks of the modern world: keeping the enterprise's digital assets in safe custody for use by its employees and partners.

When we rent a safety deposit box in a real bank vault, we get our own key to unlock it, and this key is needed along with the banker's key to access the contents. How would we feel if the bank manager could open our locker at any time using their own key alone, without our permission or even our knowledge? Would we rent a locker from such a bank? Yet this is how almost all the digital banks of cloud services operate today: acting as custodians of our data, kept locked with the banker's key alone. To top it all, the bank manager, whom we must trust with the safekeeping of our locker key, itself relies on a trusted doorman (the authentication service) to check our identity before releasing the locker key to us. And this trusted doorman can have vulnerabilities of its own: it can be fooled (hacked) or bribed (an insider attack).

Worse still, with the proliferation of APIs, the bank manager can issue a key to a different partner bank altogether (another SaaS service) on the strength of our one-click approval, which lets that bank's manager access our locker at any time in the future. With so many keys to our locker in circulation, any of which can reach our contents without our knowledge, and the security of each resting on multiple trusted middlemen with vulnerabilities of their own, is it really secure at all? Is it any surprise, then, that breaches keep happening through countless techniques for tricking these trusted bank managers (e.g. the recent GitHub breach, https://thehackernews.com/2022/04/github-says-hackers-breach-dozens-of.html) or the doormen who check IDs (e.g. the recent Okta breach, https://siliconangle.com/2022/04/09/ripple-effects-okta-security-breach-worse-think/)?

It’s high time we start demanding that cloud services give control of our digital assets back to us, at least for the sensitive or high-value ones. We discuss a simple mechanism by which the developers of such enterprise applications, built on top of any cloud service, can not only keep our data safe and under our control, like a bank locker, but also allow equally safe access through partner APIs. This is done by taking the Apple Keychain model of data security and generalizing it so that access policies go with the data wherever it may travel. Note that Apple Keychain holds some of our most sensitive data (e.g. passwords and credit-card numbers), and yet even Apple cannot access any of it (nor have we heard of a single hack or breach of Keychain so far). Keychain fixes the core issue with today's standard model, which relies on separate authentication and authorization layers that must both be trusted to enforce access control. It does so by tying the access policy directly into the encryption of the data, and we show how any developer can use the same techniques in any enterprise app.
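One way to realize the two-key locker with the policy bound to the data, as an added Go example (not Bayun's code and not the specific mechanism the talk presents): a data key is derived from both the customer's key and the service's key, and the access policy is passed as AES-GCM associated data, so it travels with the ciphertext and any alteration of it, or the absence of either key, makes decryption fail. The function names, the context label and the policy string are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// Envelope is what gets stored or handed to a partner API: the policy travels
// with the ciphertext and is authenticated with it, so tampering breaks Open.
type Envelope struct {
	Policy     string // constructed example: `{"owner":"acme","allow":["finance"]}`
	Nonce      []byte
	Ciphertext []byte
}

// lockerAEAD derives the locker key from the customer's key and the service's
// key (assumed 32-byte secrets held by different parties); neither alone suffices.
func lockerAEAD(customerKey, serviceKey []byte) (cipher.AEAD, error) {
	mac := hmac.New(sha256.New, customerKey)
	mac.Write(serviceKey)
	mac.Write([]byte("digital-locker-v1")) // constructed context label
	block, err := aes.NewCipher(mac.Sum(nil)) // 32-byte output selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM, binding policy as associated data.
func Seal(customerKey, serviceKey []byte, policy string, plaintext []byte) (*Envelope, error) {
	aead, err := lockerAEAD(customerKey, serviceKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(policy))
	return &Envelope{Policy: policy, Nonce: nonce, Ciphertext: ct}, nil
}

// Open returns the plaintext only when both keys are correct and the policy is intact.
func Open(customerKey, serviceKey []byte, env *Envelope) ([]byte, error) {
	aead, err := lockerAEAD(customerKey, serviceKey)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, []byte(env.Policy))
}
```

The service alone cannot open the envelope because it never holds the customer's key, and a partner that receives the envelope can only use it under the policy it was sealed with.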

Ritesh Ahuja

Founder - Bayun Systems, Inc.
