In this article, we shall explain what is a cloud-based HSM and how it differs from a “classical” non-cloud HSM and especially what implication does it means in terms of security.
What is a Cloud HSM
To understand and define what is a cloud HSM, we must start by defining what is a cloud.
To many users, cloud means often simply ‘hosted’. In fact, a cloud is usually considered as a decentralized collaborative, cooperative pool of resources.
For instant access to a resource may be distributed among several machines and “instantiated” into a dynamic node.
A Cloud HSM is a cloud-based hardware security module (HSM) – usually validated with FIPS 140-2 Level 3 standards – which allow users to easily generate and use their own encryption keys on the cloud provider they have chosen
Why Using Cloud HSMs
Hardware Security Modules (HSMs) are generally considered to be expensive and difficult to maintain. It’s therefore not surprising that an important part of HSM users is wishing to move to a cloud-based solution. Such a decision is often, motivated by the fact that it allows them to delegate complex and costly maintenance to a third party and reduce CapEx (capital expenditure).
This explains why the four largest cloud service providers – AWS, Google Cloud, IBM Cloud, and Microsoft Azure– are now offering cloud HSM services.
AWS was the first to offer cloud HSM service allowing AWS users to use HSM services inside their Amazon Virtual Private Cloud (VPC). Google followed with the Google cloud HSM, then IBM (IBM cloud HSM) and finally Microsoft (Azure dedicated HSM).
The fact that these giant cloud providers moved from their traditional area – e.g storage and computing – to a more specialized area like Hardware Security Modules can be easily explained by the will to attract more IT customers.
Users who are running sensitive applications in multiple clouds require almost certainly encryption and their security policy or security compliance probably dictates that they also need to secure those keys in an HSM.
All these cloud applications potentially require using an HSM:
Therefore it seems logical for these users to choose a cloud-based HSM.
Each cloud application represents eventually a huge attack surface and is therefore at risk of being attacked and must be seen as a serious target. Control of the encryption keys is difficult in such an environment as the cloud, hence a solution is to use a cloud HSM in order to securely manage the keys needed by the cloud applications.
Security of Cloud-based HSMs
The migration of a key management system (KMS) to the cloud involves significant risks.
While the keys are themselves protected by using a cloud-based HSM, the access to these keys may be at risk of being attacked.
The cloud HSMs – while secure dedicated hardware – are accessed by the cloud applications which are inside a multi-tenant environment and these applications can be hacked and allow fraudulently access to the HSM, eventually resulting in leaking cryptographic secrets.
Great precautions must be taken – in general – about the remote access to the cloud HSM, especially the remote loading of keys inside the HSMs and its remote administrations. This is why it may be preferable to choose a dedicated cloud HSM provider which provides a totally secure environment, still with the ability to fully interact with the other clouds ( AWS, Google Cloud, etc…)
Another Precaution is to make sure that the cloud HSM is a real HSM device and not a virtual instance running inside a virtual machine or a container for instance. The cloud HSM must also not be shared between different users (e.g must be single-tenant).
Most – if not all – big cloud provider provides a Key Management System (cloud KMS) as a way to manage cryptographic keys. Cloud KMS were historically offered before cloud HSM. However, while they have the same level of functionalities, in general, cloud HSM should be preferred to a cloud KMS solution.
A KMS is Functionally similar to the services offered by HSMs. A KMS allows clients to manage the encryption key and offers centralized management of the encryption key lifecycle with the capacity to export and import existing keys. KMS also always comes with an SDK that allows cloud applications to integrate them seamlessly.
Since KMS are built on the cloud platform itself, they offer Stability, availability and native cloud integration. Finally, they are considerably cheaper than cloud HSMs.
However, KMS stops to be interesting when considering a multi-cloud environment. The encryption techniques and requirements vary from one cloud to another, making useless for instance the API offered by these KMS. In that context, cloud HSMs win largely.
KMS are not dedicated hardware, they are shared among the cloud users ( multi-tenant), therefore having not at all the same level of security than cloud HSMs.
If we compare a fully owned operated HSM with a cloud HSM, the operated HSMs are able to support larger capacity requirements and provide immediate access to data in the context of maintenance or compliance auditing since it is onsite. But HSMs can be very expensive to purchase. Besides they require dedicated staff or consultants having expert PKI knowledge in order to implement and manage them.
A lot of organizations will never fully use an operated HSM at the maximum of its capacities, therefore a cloud HSM solution may be better suited as an alternative.
A cloud HSMs removes the burden of having 24×7 maintenance operated by staff in the context of critical missions. It allows an organization to fully concentrate on their expertise while delegating the management of the HSM to a company which has the right knowledge.
Conclusion:
Cloud HSMs may be a very rational choice for several organizations having projects in the cloud, especially with multi-cloud environments, and not willing to spend money on the acquisition and onsite maintenance of dedicated HSMs.
Acodez IT Solutions is a web design and web development company in India offering all kinds of web-related services. We are also a digital agency offering digital marketing services at affordable prices. To find out more, click here.
Looking for a good team
for your next project?
Contact us and we'll give you a preliminary free consultation on the web & mobile strategy that'd suit your needs best.
Jamsheer K, is the Tech Lead at Acodez. With his rich and hands-on experience in various technologies, his writing normally comes from his research and experience in mobile & web application development niche.
