What Is A Cloud HSM?

Hardware security modules (HSMs) are hardened, tamper-resistant hardware devices that secure cryptographic processes by generating, protecting, and managing keys used for encrypting and decrypting data and creating digital signatures and certificates.

Click here to learn more.

The major public Cloud Service Providers (CSP) offer cloud HSMs as an option in their service offering. These solutions provide the convenience, resilience and flexibility you would expect from a CSP but the services are often tied to the specific public service provider and not always portable for organizations adopting multi-cloud strategies.

Like most cloud services the infrastructure is abstracted from the user so you may have a trade-off regarding ownership/residual risk with respect to the cryptographic keys and losing some of the control that you would have with an on premises HSM.

On premises HSM vendors like Entrust offer Cloud HSMs. These offer organizations the benefits of a cloud service working in unison with the CSP but with greater control of your cryptographic keys.

Entrust’s cloud HSM product is nShield as a Service. It uses dedicated FIPS 140-2 Level 3 certified nShield HSMs. The service delivers the same features and functionality as on-premises nShield HSMs, combined with the benefits of a cloud service deployment. This allows customers to fulfill their cloud first objectives and leave the maintenance of these appliances to the experts at Entrust.

The Cloud Service Provider has responsibility of the cloud, the Customer has responsibility in the cloud. 

The cloud offers organizations many benefits in terms of flexibility, scalability and convenience. When migrating applications and workloads to the cloud the security envelope has changed. The CSPs quite rightly assert that security in the cloud is not necessarily weaker than on-premises, it’s just different. In essence the threat model has changed, the residual risks have changed. With on-premises the risks are perhaps easier to identify – usually a data center with racks of physical appliances, perimeter security considerations, physical attacks, disgruntled employees, theft, disruption to utilities etc. as well as the raft of network security considerations, firewall, malware, DDOS etc. 

With the cloud service providers’, they have the responsibility for the security of their server farms, network infrastructure et al. However different threats are now at play and given the appliances are abstracted from the customer it is the controls and procedures adopted by the customer that in part informs the security of a customers’ workloads in the cloud. In fact, to date the majority of successful attacks in public cloud are due to customer misconfiguration, mistakes and mismanagement. So that’s users of the services, not the cloud service providers at fault. The cloud shared responsibility model discussed above is a useful reference to encourage customers migrating to the cloud to recognize the ownership and responsibilities when utilizing cloud based service. 

A multi-cloud strategy is where organizations choose to utilize the services of multiple CSPs. This strategy can be informed by different CSPs offering different services but also has the added value of sharing the workload and risk/resilience across multiple organizations.

CSPs provide the tools required to create cryptographic keys that you use with your application and data. However, as you would expect these tools are not the same for different CSPs. nShield as a Service can help solve that problem. Using nShield as a Service to provision your cryptographic keys you only need to be familiar using the nShield tool set applying the same procedures per CSP.

A hybrid strategy is when an organization chooses to retain an on premises presence and in addition utilize the cloud to provide extra capacity, resilience and scalability. In some cases organizations may choose or be mandated to retain high value, sensitive workloads on premises, so called data localization, and use the cloud for less sensitive workloads. nShield as a Service works seamlessly with on premises nShield HSMs supporting hybrid cloud strategies.

Bring your own key (BYOK) is an innovative concept that was initially pioneered by Entrust and Microsoft to enable public cloud users to maintain control of the cryptographic keys used in the cloud to keep their data secured. As the adoption of public cloud services exploded, BYOK is now supported across all major cloud services. BYOK enables public cloud users to generate their own high quality master key locally on-premises, and securely transfer the key to their cloud service provider (CSP) to protect their data across multi-cloud deployments.

Cloud HSM does not require an on premises HSM footprint. Cryptographic services are provisioned in the cloud while the owner retains full control of those services. Having your crypto services commissioned in the cloud gives you the maximum freedom and flexibility.

HSMs including Entrust nShield as a Service can be used to provide cryptographic services for a wide variety of applications from PKI and key management, privileged access management, containerization, database encryption and code signing to name but a few. Entrust has a substantial proven ecosystem of over 100 security solution providers. See figure below.

The partner eco-system offers the following benefits:

• Delivers value and enhanced security to end customers by hardening partner solutions with certified, hardware-based cryptography
• Mature, proven processes backed by technology expertise and global coverage ensure the strongest customer support