Secure the Cloud With RESTful APIs for HSMs as a Service
As organizations collect, process, and store increasing amounts of data, and move more services to the public cloud, securing that data and the secret credentials that control access to the data has never been more important. Integrating cryptography throughout their IT ecosystem is essential for robust security. However, this integration adds complexity, particularly in the management of keys and the implementation of cryptographic algorithms. Both must be done carefully following industry best practices and well-documented processes.
Securing the keys underpinning any cryptographic implementation is critical to the success of systems protecting sensitive data. Hardware security modules (HSMs) have long been seen as the only method considered secure and reliable by IT professionals for this task. HSMs provide security for data in use, in transit, and at rest by securing sensitive encryption, signing keys, and other associated cryptographic operations.
HSMs and the Cloud
The transition to the cloud has arguably been the most significant recent trend impacting cryptographic security (possibly superseded by AI and post-quantum cryptography, but those are topics for another day and another blog post). The added complexities of transitioning to, and operating in, cloud environments amplify the importance of implementing a Zero Trust approach, in which the foundation of trust, elements such as key material and cryptographic processes, remains entirely within the organization's own control.
Historically, using an on-premises HSM was the only reliable option available to organizations. Today, new requirements have created demand for more flexible solutions to secure an organization's cryptographic environment. The answer to this demand has been the introduction of hosted or managed HSM services, such as nShield as a Service Direct or similar services from other vendors. These services provide access to HSMs hosted by the service provider, removing the need for the organization to have HSMs deployed locally.
While this approach meets the needs of many organizations, cloud-native approaches have initiated new requirements, meaning innovative solutions are required.
The Need for REST
On-premises HSMs are traditionally accessed using APIs such as PKCS#11, CNG, CAPI, or other proprietary protocols. While these protocols have been effective in on-premises or lift-and-shift environments, as applications are developed using cloud-native technologies a solution is required that balances the security capabilities of HSMs with a more flexible and web-friendly approach.
Representational State Transfer Application Programming Interfaces, also known as RESTful APIs, offer significant benefits to developers who need the applications they build to communicate with each other. RESTful APIs provide simplicity and security by relying on a common, well-understood transport standard (HTTPS), making them fast, lightweight, and ideal for cloud environments. Because clients and servers scale independently of one another, developers and operators can manage multiple environments separately, which facilitates DevOps and the continuous integration/delivery (CI/CD) process.
Because of these benefits, the use of RESTful APIs has grown significantly among developers in recent years, especially for cloud-native applications. When it comes to building security into those cloud-native applications, easy access to cryptographic resources is also critical for developers. Applications that need to invoke the services of HSMs for encryption and cryptographic key management can benefit in the same way from RESTful APIs, which provide:
- Abstraction of the application domain from the HSM domain, allowing independent scaling
- Ease of integration without the need to maintain state or be aware of HSM details
- Direct cloud-based access to HSM services via simple API endpoints, thus eliminating the need for any client software
New generations of HSM-as-a-service solutions such as Entrust’s nShield as a Service Web are entering the market to address the needs of application developers, security engineers, and architects who need to implement security for the applications they develop.
nSaaS Web: Flexible and cloud-friendly access to cryptographic resources
Compliance Standards Met by nSaaS Web
Leveraging RESTful APIs to access HSMs also allows for easy compliance with a range of standards. The encryption keys are still protected by HSMs certified to NIST's FIPS 140-2, and the cryptographic operations are still performed within the HSM boundary. Further, Entrust nShield as a Service Web uses mutual TLS to authenticate and secure the connection from the application.
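The stateless, client-library-free access pattern from the list above and the mutual TLS requirement just described are easy to get subtly wrong on the application side (a client that skips hostname checking or accepts any server certificate gives up the "trust stays under your control" property). The following is an added example written for this post; it is not Entrust's code and does not reflect the real nShield as a Service Web API. The endpoint path (`/v1/sign`), the JSON body shape, and the certificate file paths are all hypothetical. What it does show, using only the Python standard library, is a client TLS context that fails closed (trusted CA required, hostname verified, TLS 1.2 minimum, client certificate presented) and a single stateless HTTPS round trip in which every request carries the client identity, so the service can authenticate each call independently.

```python
import http.client
import json
import ssl
from dataclasses import dataclass


def build_mtls_context(ca_bundle=None, client_cert=None, client_key=None):
    """Client-side TLS context for an HSM REST endpoint that requires mutual TLS.

    ca_bundle:  PEM file holding the service's issuing CA (assumed to be obtained
                out of band); when None, the platform trust store is used.
    client_cert / client_key: the application's PEM certificate and private key,
                presented to the service so it can authenticate the caller.
    All paths are hypothetical placeholders in this example.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_bundle)
    # Fail closed: the server certificate must chain to a trusted CA and must
    # match the hostname we dialled. Never relax either of these in production.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    # Refuse legacy protocol versions.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_cert is not None:
        # Present the client identity; the service rejects connections without it.
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def context_is_hardened(ctx):
    """Sanity check a context before use: returns True only if it verifies the
    peer, checks the hostname and refuses anything older than TLS 1.2."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname is True
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


@dataclass(frozen=True)
class SignRequest:
    key_id: str      # identifier of a key that never leaves the HSM boundary
    algorithm: str   # e.g. an RSA or ECDSA signature scheme name (hypothetical)
    digest_b64: str  # base64 of the digest to sign; the key material is not sent


def encode_sign_request(req):
    """Hypothetical JSON body; the real service's schema is not on the page."""
    return json.dumps(
        {"keyId": req.key_id, "algorithm": req.algorithm, "digest": req.digest_b64}
    ).encode("utf-8")


def sign_with_hsm(host, path, req, ctx, timeout=10):
    """One stateless round trip: no session, no vendor client library, just
    HTTPS plus JSON. The client certificate in ctx authenticates this call."""
    conn = http.client.HTTPSConnection(host, context=ctx, timeout=timeout)
    try:
        conn.request(
            "POST",
            path,
            body=encode_sign_request(req),
            headers={"Content-Type": "application/json", "Accept": "application/json"},
        )
        resp = conn.getresponse()
        body = resp.read()
        if resp.status != 200:
            # Do not retry blindly on 401/403: that usually means the client
            # certificate was not accepted, which is worth alerting on.
            raise RuntimeError(f"HSM service returned {resp.status}: {body[:200]!r}")
        return json.loads(body)
    finally:
        conn.close()


if __name__ == "__main__":
    # Offline demonstration: build the context and show the request body.
    # A real call would be, with placeholder values:
    #   ctx = build_mtls_context("ca.pem", "app-cert.pem", "app-key.pem")
    #   sign_with_hsm("hsm.example.test", "/v1/sign", req, ctx)
    ctx = build_mtls_context()
    print("context hardened:", context_is_hardened(ctx))
    req = SignRequest("key-0001", "ECDSA_P256_SHA256", "c2FtcGxlLWRpZ2VzdA==")
    print(encode_sign_request(req).decode())
```

The design choice to note is that the context is built once with every check enabled and then verified by `context_is_hardened` before any request is made; a client that is ever instantiated with `verify_mode = CERT_NONE` (a common "make it work" shortcut in test environments) would be caught by that check rather than silently trusting any endpoint that answers on port 443.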
Evolving security challenges have increased the importance of adopting a Zero Trust approach to organizational security. The use of cryptography and HSMs plays a key role in successfully implementing that elevated security posture. With the shift to the cloud, it's critical that organizations consider the different ways HSMs can be incorporated into their security mix. Although on-premises HSMs are suitable in certain situations, HSM-as-a-service offerings can offer significant benefits. With the introduction of nShield as a Service Web, those same benefits can be realized within a cloud-native environment.
Find out more about nShield as a Service or nShield as a Service Web, or connect with one of our HSM experts to discuss adding RESTful APIs to your cryptographic toolbox.