This paper describes security best practices for protecting sensitive data in the public cloud and explains concepts such as BYOK, HYOK, key brokering, and Root of Trust (RoT). It explains the level of data protection that can be achieved by using cloud-native encryption and key management services, and how these can be augmented by allowing customers to take more responsibility for, and control over, their keys.