8

I have to admit to never having asked, or been asked, the question of whether it is possible to have a Hardware Security Module in a public cloud, by which I mean Google, Amazon or Azure. Has anyone found any techniques for enabling organizations to use HSMs that they fully manage?

It seems to me that the two concepts, Cloud and HSMs, are fundamentally at odds with each other - because cloud generally involves "outsourcing" or transferring the risk of operating hardware to the cloud service provider.

There is clearly a middle ground in terms of fully managed HSMs as you find in Azure and AWS:

  • Azure Key Vault: Use Key Vault and you don’t need to provision, configure, patch and maintain HSMs and key management software. Provision new vaults and keys (or import keys from your own HSMs) in minutes and centrally manage keys, secrets and policies.
  • AWS CloudHSM: AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud. With CloudHSM, you can manage your own encryption keys using FIPS 140-2 Level 3 validated HSMs.

In addition there are some non-HSM based solutions to key management:

  • Cloud Key Management (Google): Cloud KMS is a cloud-hosted key management service that lets you manage encryption for your cloud services the same way you do on-premises. You can generate, use, rotate and destroy AES256 encryption keys. Cloud KMS is integrated with IAM and Cloud Audit Logging so that you can manage permissions on individual keys, and monitor how these are used. Use Cloud KMS to protect secrets and other sensitive data which you need to store in Google Cloud Platform.
  • Various Security Appliances available in all of the cloud marketplaces.

Has anyone found any techniques for enabling organizations to use HSMs that they fully manage?

Richard Slater
  • 11,747
  • 7
  • 43
  • 82

3 Answers

1

So, having gone backwards and forwards over this for a couple of weeks, Azure has confirmed to me in person that the only way to utilise FIPS 140-2 Level 2 certified hardware security modules in Microsoft Azure is to use Azure Key Vault.

Richard Slater
  • 11,747
  • 7
  • 43
  • 82
1

Richard, you are right that Cloud and HSMs are two contradictory concepts.

To fulfill availability and elasticity requirements for key management and cryptographic operations, a middleware layer is needed that controls all the hardware. This is basically what the cloud KMS offerings available now do.

With AWS CloudHSM, there is no fully managed availability and elasticity any longer. Instead, you can add HSMs to the cluster if needed (scalability), and if they are located in different availability zones you achieve a certain level of availability as well (but there is no guaranteed SLA, as opposed to KMS). Moreover, AWS performs the backups. However, you have to trust AWS and Cavium that they never collaborate and calculate the Backup Encryption Key from the AKBK and MKBK (see page 10 of the AWS whitepaper) outside of the HSM.

If you really want to have full control over the HSM, you have to host the HSM yourself and connect it to the cloud using a VPN. However, depending on the Internet connection of your data center, you might suffer from low latency, and your external Internet connection could be vulnerable to DoS attacks. Therefore, solutions like Utimaco CryptoServer Cloud include private connections from their data centers to your cloud. Depending on the location of the data center and the cloud region, these connections can have very low latency. Since the HSMs do not belong to any cloud service provider, you are able to switch CSPs more easily because you don't have to move keys (which can be quite hard to impossible with KMS). Moreover, multi-cloud scenarios are possible. On the other hand, you have to bear all the management tasks, like backups or firmware upgrades. Also, to achieve high availability you have to rent at least two of the HSMs, and the scaling granularity is a full HSM only. But that's the price for being very secure by having full control over the HSM.

dannyM
  • 11
  • 1
0

I just wanted to point out to you that there are solutions out there that let you benefit from dedicated HSM as a service. We are piloting this at Interxion (a colocation provider in Europe): https://www.interxion.com/products/key-guardian/