Hardware Security Modules and the cloud seem to be incompatible opposites. We associate the cloud with the attribute "insecure", whereas HSMs are supposed to be highly secure. So how can an HSM be secured in the cloud? Securosys CEO Robert Rogenmoser explains what to watch out for when considering such a service.
The most secure solution for storing cryptographic keys is a Hardware Security Module (HSM). An HSM is a trust anchor: it generates keys and certificates and keeps the private keys inside tamper-resistant hardware, so that they can be used but never extracted. Its advantages are high performance and the ability to protect the keys it holds from unauthorized access.
Since a private key represents the identity of its owner, it belongs in an HSM, and that HSM should be under the owner's control. Traditionally this has meant operating HSMs in the owner's own data center.
But what if the organization does not have the resources or experts to operate its own HSM, or cannot or does not want to do so for other reasons? In such cases an HSM-as-a-service offering could be the appropriate solution. By its nature, such a service means the HSM itself sits in the cloud.
HSM IN THE CLOUD - AN OXYMORON?
Is this not an oxymoron: an HSM with the highest possible security sitting in the insecure cloud? This question cannot simply be answered with yes or no. It depends on the setup, deployment, and operation of the service.
Below are a few points to consider when evaluating an HSM-in-the-cloud service:
Is the service always fully available? The service must consist of multiple HSMs, and the private keys must be held in more than one HSM at different locations to ensure geo-redundancy. Replication between HSMs must use the HSMs' own secure cloning or wrapped-key transfer, so that key material never leaves the hardware in the clear. The service must also keep operating during denial-of-service attacks.
Is access well protected? The HSMs must be shielded from illicit access by firewalls and proxies, and every client must authenticate to the HSM (for example with mutual TLS or HSM-specific client credentials), so that network reachability alone never grants the right to use a key.
Is the added latency within a tolerable range? Applications that use keys stored in the HSM are no longer in the same data center; they reach the HSM over the internet, which raises the latency of each operation from microseconds to milliseconds. Check this against the request rate of workloads that sign or decrypt on every transaction.
Are you in control of the policies and the security officer roles? Delegating security is convenient but delicate. You should not give up control of the security settings: the enterprise must be able to exercise the security officer functions itself, and the security policy of the HSM service must be consistent with the enterprise's own governance and security policies.
Do I know my service provider and its terms and conditions? Can I trust it? Who has access to my keys? The terms and conditions of the service are of great importance. Data should be stored in Switzerland because of its high legal certainty compared with other countries. In addition, it must be guaranteed that the enterprise has exclusive access to its keys: the service provider only operates the HSM and has no access to the key material. The terms and conditions must not contain any unreasonable lock-in, so that the enterprise can leave at any time and take its keys with it, which in practice means keys can be exported in wrapped form under a key the enterprise controls. An example would be a decision to operate HSMs on-premises instead of in the cloud.