I’ve been part of the Cloud Security Alliance (CSA) Cloud Key Management working group for 3+ years. We try to meet up virtually every two weeks, skillfully facilitated by our CSA staff member Marina Bregkou. The working group is formed from a dozen or so people, some who attend regularly and some who drop in and out. It can sometimes be tricky for us trying to make time in our calendars while still trying to do our day jobs; however, the mix of backgrounds, experience, and characters that make up our group keep us engaged and enthusiastic.

We’ve been working on a paper for many months, discussing hardware security modules (HSMs) and, in particular, their as-a-service manifestation (HSMaaS). If you’re not familiar with HSMs and their cloud-based as-a-service relatives, here’s an introduction to HSMs.

The CSA approach is to always remain vendor agnostic so no one contributor can shift the content of the paper to promote or discuss specific product or vendor solutions. However, that doesn’t stop us from sharing our experience and insight.

I’m sure like other CSA working groups, of which there are 20 or more, the major milestone is when we get to the point where we publish a paper. It is the culmination of weeks of contribution, discussion, cogitation, and deliberation. Recently we published HSM-as-a-Service Use Cases, Considerations, and Best Practices, which tackles the following topics:

  • The definition and architecture of an HSM
  • The current and future state of the HSMaaS market
  • Industry, compliance, and risk use cases for the HSMaaS model
  • The importance of clearly defined responsibilities in the HSMaaS model
  • Security considerations for HSMs
  • Key management considerations unique to HSMaaS
  • Important considerations when setting up governance for HSMs
  • HSM vendor selection best practices

We hope it will be a useful, impartial reference for cloud service customers, whose industry, compliance, security, or risk drivers necessitate increased control over HSMs and key-management operations.

Once you’ve read the CSA paper and decide you want to use a trusted HSM-as-a-Service provider with 25+ years’ experience and global coverage, I suggest you check out Entrust nShield as a Service.