Hardware Security Modules (HSMs) generally reside within a deep security zone in an organisation’s private data centre. In almost all cybersecurity solutions, HSMs play the central role in securing highly sensitive keys and cryptographic operations.
With ever-increasing cloud adoption, almost every component of a cybersecurity solution has moved to the Cloud, except for the HSMs. This is due to the security concerns of senior security management within organisations and the complexity of how applications use HSMs.
The most common questions and concerns when moving to Cloud based HSMs are:
- Who manages Cloud based HSMs and who has access to the keys in the Cloud HSMs?
- Can my application stack utilise the Cloud HSMs without relying on Cloud provider native services?
- My organisation mandates a Multi-Cloud policy; which Cloud HSM offerings support that?
- Can my applications meet the same performance SLA requirements after moving to Cloud based HSMs?
- What if we continue with On-Prem HSMs and move just the application stack to the Cloud?
Furthermore, there are alternative options to Cloud HSMs:
- Instead of a Cloud HSM, can’t we use a Cloud Provider KMS (Key Management System)?
- What about Crypto-as-a-Service offerings?
- Can we leverage a Secrets Management system (e.g., a Vault system) instead?
Each customer use case is unique
— Rasika Arachchige
These are genuine queries that Salt SMEs have encountered whilst talking to many senior security managers of leading organisations. Unfortunately, there is no one-size-fits-all Cloud HSM solution. Each customer use case is unique and their requirements are different.
Looking at the Cloud HSM options out in the market, we can easily categorise them into a few main areas. Whilst each cloud provider has their own competing Cloud HSM offerings, the following categories are commonly available.
- Dedicated Cloud Provider hosted HSMs – These are proper HSMs hosted within the Cloud Provider data centres. Administration tasks are performed either by the Cloud Provider or by the end user (self-managed). Application access interfaces differ between Cloud Providers.
- Cloud Provider native KMS – These Cloud Provider proprietary Key Management Systems (KMS) are tightly integrated with the provider’s native service offerings. Most are backed by HSM-based protection; however, these KMS services are multi-tenanted.
- Dedicated Cloud HSM offerings by independent vendors – These offerings come from independent vendors (including HSM vendors), where dedicated HSMs are hosted either within major Cloud Provider data centres or in near proximity.
Although the aforementioned Cloud HSM offerings are readily available, there are many important areas requiring serious consideration before choosing the right offering.
- Do I need to retain administration control over my Cloud HSM cluster or is a fully managed offering appropriate?
- Does the Cloud HSM offering support my organisation’s application architecture vision, e.g., Multi-cloud, container based, load/scaling requirements, etc.?
- What are my application compliance requirements, e.g., compliance mandated by governance bodies, data sovereignty, key/data remanence, access segregation, etc.?
- Disaster recovery requirements, e.g., DR to on-prem or to another Cloud Provider, etc.
- Avoiding vendor lock-in situations.
Salt HSM SMEs are broadly knowledgeable about the areas that need serious consideration and are also aware of the common concerns that organisations are facing. Salt’s industry-certified, hands-on SMEs regularly help top organisations within the APAC and UK regions migrate to Cloud based HSMs.
Each customer use case is unique; hence careful and extensive analysis is required at multiple levels. During the Salt consultancy process, SMEs engage with various stakeholders within the organisation, ranging from Security Architects all the way through to the Operational teams who manage the day-to-day tasks. And when the time comes for implementation, the hands-on Salt SMEs will be there to help.
We’d be happy to talk further with you about it – Rasika