

How a cloud-based HSM can boost enterprise security with enough effort

There are both security benefits and risks to using a cloud-based HSM in an enterprise. Expert Dave Shackelford discusses the arguments for and against cloud HSMs.

SoftLayer recently released a product called Cloud HSM for secure key management in the cloud. AWS has a similar offering, known as CloudHSM, and Microsoft Azure customers can use Azure Key Vault. Key management is an important part of security, but keeping keys in the cloud raises new security questions: who can access the hardware security module platform, which interfaces and APIs are open or exposed, and more. Before using a cloud-based HSM, customers of cloud service providers should understand the benefits and risks that go along with key storage in the cloud. In addition, not all cloud HSM offerings are as secure as others.

The benefits of cloud-based HSMs

There are many benefits to using an HSM, cloud-based or not. These systems are usually designed to meet rigorous government and regulatory standards such as FIPS 140-2, and they typically offer strong access controls with role-based privilege models, purpose-built hardware for fast cryptographic operations, physical tamper resistance, and flexible API options for access.

If this sounds too good to be true, it just may be; HSM platforms are notoriously difficult to install and configure, require significant management and operational overhead and are often extremely expensive. HSMs in the cloud are usually expensive, too, but have less configuration and overhead since the cloud provider maintains the physical appliance in its data centers.


Regardless of the negatives, using an HSM is the most practical way to securely store cryptographic keys and manage their lifecycle, and that applies to the cloud, too. The use of a cloud HSM is now standard practice for any highly regulated organization employing cloud services, and cloud providers that don't offer these tools and capabilities will likely lose business from government, financial and healthcare clients that require strong protective controls for all key material.

The only real alternative to using a cloud-based HSM is to architect cloud applications and infrastructure to use encryption keys hosted in-house -- ideally within HSM platforms -- and this is simply too unwieldy and impractical for organizations focused on performance and scalability.

The drawbacks of a cloud-based HSM

The major downsides to a cloud-based HSM are threefold. First, it adds significant cost to a cloud deployment, and for organizations looking to save money by using the cloud this may seem less palatable. Second, managing HSM operations and lifecycle requires dedicated resources and integration efforts, so operational capacity could prove to be an issue. Third, and perhaps most important from a security perspective, security teams will need to evaluate how the keys are generated and stored within the HSM. Related to this third point, some providers of HSM platforms and services allow tenants to generate their own keys off-premises and then import them into the cloud HSM -- often called Bring Your Own Key, or BYOK, cryptographic services.

Ideally, any cloud-based HSM will allow tenants to upload and synchronize keys from an internal HSM or other tool set, and will also offer a rich set of APIs and orchestration tools that facilitate rapid scaling and automated deployment workflows. Additionally, a direct connection from an in-house HSM to a cloud-based HSM may be ideal from a security standpoint, since there is never the possibility of a cloud provider staff member seeing the key data at all. However, this also means that the cloud provider can't offer recovery capabilities in the case that the master keys are lost or corrupted; any organizations considering a BYOK option should keep in mind that all of the key generation and lifecycle management will also now fall on their shoulders.
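The BYOK import flow described above can be modelled end to end: the tenant generates key material on-premises, wraps it under a public wrapping key exported by the HSM, and only the HSM's private half can unwrap it, so the provider never handles plaintext key material in transit. The following Go program is an added example written for this article; it is not code from SoftLayer, AWS, Microsoft or any HSM vendor. The `SimulatedHSM` type, the use of RSA-OAEP with the key ID as the OAEP label, and the key IDs and sample record are all constructed assumptions standing in for a real provider's import API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SimulatedHSM stands in for the cloud HSM (assumption, not a vendor API).
// Only this side ever holds the private wrapping key and the unwrapped tenant keys.
type SimulatedHSM struct {
	wrapKey *rsa.PrivateKey
	keys    map[string][]byte // imported AES-256 key material, by key ID
}

func NewSimulatedHSM() (*SimulatedHSM, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &SimulatedHSM{wrapKey: priv, keys: map[string][]byte{}}, nil
}

// WrappingPublicKey is the half a real service would export for BYOK import.
func (h *SimulatedHSM) WrappingPublicKey() *rsa.PublicKey {
	return &h.wrapKey.PublicKey
}

// ImportWrappedKey unwraps tenant key material inside the HSM boundary. The key
// ID doubles as the OAEP label, so a blob wrapped for one ID is rejected under
// another; this binding is a constructed check, not a specific vendor feature.
func (h *SimulatedHSM) ImportWrappedKey(keyID string, wrapped []byte) error {
	raw, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, h.wrapKey, wrapped, []byte(keyID))
	if err != nil {
		return fmt.Errorf("unwrap for %q failed: %w", keyID, err)
	}
	if len(raw) != 32 {
		return errors.New("imported key material must be exactly 256 bits")
	}
	h.keys[keyID] = raw
	return nil
}

// aead builds an AES-GCM instance from an imported key; the raw key never leaves the HSM.
func (h *SimulatedHSM) aead(keyID string) (cipher.AEAD, error) {
	raw, ok := h.keys[keyID]
	if !ok {
		return nil, fmt.Errorf("no key with ID %q in HSM", keyID)
	}
	block, err := aes.NewCipher(raw)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns nonce || ciphertext || tag for the named key.
func (h *SimulatedHSM) Encrypt(keyID string, plaintext []byte) ([]byte, error) {
	aead, err := h.aead(keyID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

func (h *SimulatedHSM) Decrypt(keyID string, ciphertext []byte) ([]byte, error) {
	aead, err := h.aead(keyID)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(ciphertext) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, ciphertext[:n], ciphertext[n:], nil)
}

// GenerateTenantKey runs on the tenant side (in practice inside an on-premises HSM).
// Because this is BYOK, the tenant must also keep its own backup: the cloud
// provider cannot recover key material it never saw.
func GenerateTenantKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// WrapForImport encrypts the key material under the HSM's public wrapping key.
func WrapForImport(pub *rsa.PublicKey, keyID string, keyMaterial []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, keyMaterial, []byte(keyID))
}

// RunBYOKDemo wires the flow together and reports whether a wrapped import
// round-trips and whether an import under the wrong key ID is rejected.
func RunBYOKDemo() (roundTripOK bool, wrongIDRejected bool, err error) {
	hsm, err := NewSimulatedHSM()
	if err != nil {
		return false, false, err
	}
	tenantKey, err := GenerateTenantKey()
	if err != nil {
		return false, false, err
	}
	const keyID = "payments-key-1" // constructed sample key ID
	wrapped, err := WrapForImport(hsm.WrappingPublicKey(), keyID, tenantKey)
	if err != nil {
		return false, false, err
	}
	wrongIDRejected = hsm.ImportWrappedKey("some-other-key", wrapped) != nil
	if err = hsm.ImportWrappedKey(keyID, wrapped); err != nil {
		return false, wrongIDRejected, err
	}
	msg := "constructed sample record"
	ct, err := hsm.Encrypt(keyID, []byte(msg))
	if err != nil {
		return false, wrongIDRejected, err
	}
	pt, err := hsm.Decrypt(keyID, ct)
	if err != nil {
		return false, wrongIDRejected, err
	}
	return string(pt) == msg, wrongIDRejected, nil
}

func main() {
	ok, rejected, err := RunBYOKDemo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("round trip ok: %v, wrong-ID import rejected: %v\n", ok, rejected)
}
```

The point to take from the model is the trust boundary: the wrapped blob is all the provider ever receives, and without the HSM's private wrapping key it is opaque. The flip side, as the article notes, is that the tenant alone holds the original material, so backup and rotation of that material are the tenant's responsibility.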

With most major cloud providers offering HSM tools and services in their infrastructure as a service and platform as a service cloud environments, it's likely that use of these systems will grow in the near future. As with most security controls, however, a cloud HSM is not a panacea; it requires significant planning, implementation and process work to fully realize its security benefits.
