Definition: HSM as a Service is a cloud-based HSM service. It enables the user to generate encryption keys and store them securely, whilst removing the requirement to carry out maintenance tasks such as set-up, evaluation and upgrades, or the requirement to manage the HSM on-premise, both of which can result in significant costs and operational overheads for employees and organizations.
HSM as a Service explained
Hardware Security Modules are an important part of an organization's critical infrastructure as they help customers meet regulatory or certification requirements.
Varied configurations of HSM as a Service are possible. They may be provided as fully or partially shared or dedicated HSMs. Management functions like key management could be part of the service solution or might be done by the customer in the customer's data center, as part of an extended HSM service or in a different cloud. To provide a stronger level of tenant isolation ("strong multi-tenancy"), tenants can be hosted in containerized HSMs, FIPS 140-2 Level 3 protected per tenant. Such containers provide individual policies and firmware per tenant and offer the scalability advantages of the cloud.
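The tenant-isolation point above is easier to reason about with a concrete interface in front of you. The following is an added example, not code from the page or from any vendor product: a toy in-process model of a multi-tenant HSM in which each tenant owns a partition, key material never leaves that partition (callers only receive opaque handles), every key carries a per-key policy fixed at generation time, and a handle issued to one tenant is meaningless inside another tenant's partition. Tenant names, key labels, the HMAC-SHA256 operation and the policy fields are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


class HsmAccessError(PermissionError):
    """Raised when a caller touches a key in a way its policy or tenant does not allow."""


@dataclass(frozen=True)
class KeyPolicy:
    """Per-key policy, fixed at generation time and never relaxed afterwards (assumed model)."""
    extractable: bool = False                              # raw key bytes may leave the partition
    allowed_ops: frozenset = frozenset({"sign", "verify"})  # operations the key may be used for


@dataclass
class _KeyRecord:
    material: bytes   # only ever read inside the partition, never returned by sign/verify
    policy: KeyPolicy


class HsmTenantPartition:
    """One tenant's partition. Key material stays here; callers get opaque handles."""

    def __init__(self, tenant_id: str) -> None:
        self.tenant_id = tenant_id
        self._keys: dict[str, _KeyRecord] = {}

    def generate_hmac_key(self, label: str, policy: KeyPolicy = KeyPolicy()) -> str:
        # The handle is a name, not the key: it carries no key material.
        handle = f"{self.tenant_id}/{label}/{secrets.token_hex(4)}"
        self._keys[handle] = _KeyRecord(secrets.token_bytes(32), policy)
        return handle

    def _lookup(self, handle: str, op: str) -> _KeyRecord:
        rec = self._keys.get(handle)
        if rec is None:
            # Unknown handle: never existed here, or belongs to another tenant's partition.
            raise HsmAccessError(f"{self.tenant_id}: no key {handle!r} in this partition")
        if op not in rec.policy.allowed_ops:
            raise HsmAccessError(f"{self.tenant_id}: {op} not permitted for {handle!r}")
        return rec

    def sign(self, handle: str, data: bytes) -> bytes:
        rec = self._lookup(handle, "sign")
        return hmac.new(rec.material, data, hashlib.sha256).digest()

    def verify(self, handle: str, data: bytes, tag: bytes) -> bool:
        rec = self._lookup(handle, "verify")
        expected = hmac.new(rec.material, data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)   # constant-time comparison

    def export(self, handle: str) -> bytes:
        # Export is only possible if the key was generated as extractable.
        rec = self._keys.get(handle)
        if rec is None:
            raise HsmAccessError(f"{self.tenant_id}: no key {handle!r} in this partition")
        if not rec.policy.extractable:
            raise HsmAccessError(f"{self.tenant_id}: {handle!r} is not extractable")
        return rec.material


class HsmService:
    """Front door of the service: each tenant only ever reaches its own partition."""

    def __init__(self) -> None:
        self._partitions: dict[str, HsmTenantPartition] = {}

    def partition(self, tenant_id: str) -> HsmTenantPartition:
        if tenant_id not in self._partitions:
            self._partitions[tenant_id] = HsmTenantPartition(tenant_id)
        return self._partitions[tenant_id]


def demo() -> dict:
    """Walk through the isolation properties with two constructed tenants."""
    svc = HsmService()
    bank = svc.partition("tenant-bank")       # constructed tenant names
    retail = svc.partition("tenant-retail")
    handle = bank.generate_hmac_key("record-mac")
    msg = b"constructed sample record"
    tag = bank.sign(handle, msg)
    out = {
        "verify_ok": bank.verify(handle, msg, tag),
        "verify_tampered": bank.verify(handle, msg + b"x", tag),
    }
    try:                                      # another tenant presenting the bank's handle
        retail.sign(handle, msg)
        out["cross_tenant_blocked"] = False
    except HsmAccessError:
        out["cross_tenant_blocked"] = True
    try:                                      # the owner asking for the raw key bytes
        bank.export(handle)
        out["export_blocked"] = False
    except HsmAccessError:
        out["export_blocked"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that cross-tenant access fails structurally, not by a string check on the handle: the retail partition simply has no record for it. That is the property a "strong multi-tenancy" container is meant to give you in hardware, and it is the property to ask a provider to demonstrate rather than assert.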
The security, compliance and reliability of the provided HSM service may vary significantly and depends on the:
- module protection level which is defined in FIPS 140-2
- level of protection in the offered infrastructure (network and perimeter protection, logical tenant separation, encryption in transit, firewalls, DDoS protection, physical protection of the accommodating building)
- whether it is backed by a back-up service at a different location
- security and HR procedures implemented by the hoster
- monitoring and system health verification procedures, such as regular vulnerability testing and automated penetration testing
- compliance with industry-grade regulations and standards
- the area of jurisdiction where the service is hosted (and whether this area is the same as the location of the customer)
Utimaco is able to provide HSM solutions that are PCI-HSM compliant as well as FIPS 140-2 compliant. Utimaco offers remote HSMs as well as HSM-as-a-service infrastructure following stringent infrastructure security standards and certification procedures.
Aside from the locally deployed (on-premise) HSM approach, numerous cloud service providers and HSM device manufacturers provide Hardware Security Module "as a Service" or managed services. It is important to note, however, that these managed or cloud services typically provide general-purpose HSM devices that may be beneficial for integration with PCI DSS environments but are not suitable for use in PCI PIN, PCI P2PE, or PCI 3DS environments. Utimaco's MYHSM provides fully managed cloud-based HSM (HSM-as-a-Service) in a PCI PIN-compliant banking-grade environment.