Own the keys, not the HSM
nShield as a Service is a subscription-based solution for generating, accessing, and protecting cryptographic key material, separately from sensitive data, using dedicated FIPS 140-2 Level 3 certified nShield Connect HSMs. The solution delivers the same functionality as on-premises HSMs and the benefits of a cloud service deployment, without the need to host and maintain the appliances.
Ready for migration or a mixed approach
Because nShield as a Service benefits from the same unique Security World architecture as on-prem nShield deployments, you can easily migrate your cryptographic operations from on-prem to the cloud or use a hybrid approach, mixing both cloud-based and on-prem nShield HSMs.
nShield as a Service Benefits
Crypto Security + Cloud Stratregy
Advance your cloud-centric strategies with FIPS 140-2 Level 3 protection for your business-critical apps and data.
Flexible and Scalable
Our Security World architecture lets you scale HSM operations and access secure crypto functionality from anywhere.
Secure Code Execution
The CodeSafe secure execution capability provides on-demand access to your organization's secure, sensitive code protected inside the HSM.
- IPsec tunnel w/ pre-shared keys
- Between customer Cloud IP space(s) and dedicated, managed nShield HSM environment
- Transparent to client hosts
- Takes entire path out of control scope
Certified Hardware Solutions
nShield as a Service is built with nShield Connect XC HSMs, which help our customers to demonstrate compliance while also giving them the assurance that their HSMs meet stringent industry standards.
nShield as a Service delivers the same features as on-premises nShield HSMs, including CodeSafe, Web Services Option Pack, and Database Option Pack.
- FIPS 140-2 Level 3
- Common Criteria Certification against EN 419 221-5 Cryptographic Module for Trust Services
Safety and Environmental Standards Compliance:
- UL, CE, FCC, RCM, Canada ICES
- RoHS2, WEEE
Data Center Certifications
Cloud Security Alliance (CSA) Security Trust Assurance and Risk (STAR) - Level 1
High Transaction Rates
nShield as a Service features high elliptic curve cryptography (ECC) and RSA transaction rates. ECC, one of the most efficient cryptographic algorithms, is particularly favored where high speed and lower processing power are important.
RSA Signing Performance for NIST Recommended Key Lengths
- 8600 tps
- 2025 tps
ECC Prime Curve Signing Performance for NIST Recommended Key Lengths
- 256 bit
- Up to 14,400 tps
Wide Support for APIs, Cryptographic Algorithms and Platforms
- PKCS#11, OpenSSL, Java (JCE), Microsoft CAPI/CNG and Web Services
Supported Cryptographic Algorithms
- Asymmetric public key algorithms: RSA, Diffie-Hellman, ECMQV, DSA, KCDSA, ECDSA, ECDH, Edwards (X25519, Ed25519ph), Secp256k1,
- Symmetric algorithms: AES, AES-GCM, ARIA, Camellia, CAST, RIPEMD160 HMAC, SEED, Triple DES
- Hash/message digest: SHA-1, SHA-2 (224, 256, 384, 512 bit), HAS-160
- Full Suite B implementation with fully licensed ECC including Brainpool and custom curves
nShield HSMs offers support for the majority of these cryptographic algorithms as part of the standard feature set. For organizations wishing to use ECC or South Korean algorithms, optional activation licenses are needed.
Microsoft Windows and Linux operating systems including distributions from RedHat, SUSE, and major cloud service providers running as virtual machines or in containers.
nShield as a Service is available as either a self-managed or fully-managed service.
Self-Managed and Fully-Managed Features
Customer has access to dedicated nShield Connect hardware hosted in secure data centers
The nShield Remote Administration kit lets you securely connect to and interact with your cloud-based nShield HSM(s)
Maintenance & Support
- Service monitoring
- Pre-tested upgrades/patches applied during annual or emergency maintenance windows
- 24/7 support
Features Exclusive to Fully-Managed Service
Full Management of installation
Security Officer role fulfilled by trusted Entrust personnel
- Security World creation
- HSM enrollment
- Signing ceremonies
Policy and process development
Under ISO 27001 compliant policies & procedures
All operational staff BS7858 cleared (UK data centres only)
Firmware upgrades, completed with customer consent
What our customers are saying...
We have a long history together and we’re extremely comfortable continuing to rely on Entrust solutions for the core of our business. We have used Entrust HSMs for five years and they have always been exceptionally reliable. We’ve layered a lot of code on top of the HSM; it delivers the performance we need and has proven to be a rock-solid foundation.
As a global payment solutions and commerce enablement leader, Verifone’s strategy is to develop and deploy “best in class” payment solutions and services that meet or exceed global security standards and help our clients securely accept electronic payments across all channels of commerce. We selected Entrust HSMs to provide robust security, unmatched performance, and superior scalability across our payment security platforms…
The Entrust nShield sales team provided excellent local and remote support during this evaluation period and was invaluable to the process. The excellent depth, breadth, and quality of the product documentation gave us confidence that the solution was well though-out and supported.
Entrust provided the expertise needed to design and implement a tailored, secure VoIP solution.