What is Cloud HSM?

Definition: Cloud HSM is a cloud-hosted Hardware Security Module (HSM) that enables the user to host encryption keys and perform cryptographic operations with the benefits of a cloud service deployment while leveraging the benefits of cloud service deployment and eliminating the need to host and maintain on-premises appliances.


Cloud HSM explained

Cloud hardware security modules (HSMs) can be hosted or as-a-service from the cloud:

  • Hosted HSMs are physically independent HSMs owned by a customer and operated by a cloud service provider or vendor, such as Utimaco. This solution offers a high level of physical protection against unauthorized physical access and is ideally compliant with FIPS 140-2, level 3. However, the scalability is limited to the capacity of the hosted HSM. To scale up, more physical devices need to be deployed.
  • As-a-service solution which provides a fully or partially managed shared HSMs. Management functions like key management could be part of the service solution or might be done by the customer on premise or in a different cloud.
  • As-a-service solution which provides tenants in containerized HSM, FIPS 140-2 level 3 protected per tenant. Such containers provide individual policies and firmware per tenant and provide the scalability advantages of the cloud. They are outside the cloud service provider’s (CSP) infrastructure and preserve the customer’s full control over their encryption requirements.

Services can be provided as either multi-cloud or hybrid cloud strategies. The cloud HSM can be either located within the infrastructure of protected cloud-services or at an external location. The latter brings the advantage that the HSM service can be used across the hybrid cloud, including numerous third-party clouds, as well as the customers local data centers.

Cloud HSMs allow organizations to:

  • Integrate crypto security requirements in alignment with an organization’s cloud requirements and strategy,
  • Enable a cost-effective and simplified solution for business-critical security requirements,
  • Shift from a CapEx to an OpEx financial model,
  • Meet FIPS 140-2, PCI and Common Criteria EAL4+ high assurance security and compliance mandates,
  • Enable skilled members of staff to focus on other areas of importance.

A transition to the cloud must take place within the context of sector-specific requirements and regulations as well as ensuring that the HSM complies with major regulations in security-sensitive industries. Adapting to a cloud service environment provides numerous benefits ranging from the sharing of resources, through to the provision of data and easy orchestration of services.

Important Note
Aside from the locally deployed (on-premise) HSM approach, numerous cloud service providers and HSM device manufacturers provide Hardware Security Module "as a Service" or managed services.
It is important to note, however, that the usage of these managed or cloud services provides general-purpose HSM devices that may be beneficial for integration with PCI DSS environments but are not suitable for use in PCI PIN, PCI P2PE, or PCI 3DS environments.
Utimaco’s MYHSM provides fully managed cloud-based HSM (HSM-as-a-Service) in a PCI PIN-compliant banking-grade environment.



Blog posts

Blog posts

Related products

Related products

Contact us

We look forward to answering your questions.

How can we help you?

Talk to one of our specialists and find out how Utimaco can support you today.
You have selected two different types of downloads, so you need to submit different forms which you can select via the two tabs.

Your download request(s):

    By submitting below form you will receive links for your selected downloads.

    Your download request(s):

      For this type of documents, your e-mail address needs to be verified. You will receive the links for your selected downloads via e-mail after submitting below form.

      About Utimaco's Downloads

      Visit our Downloads section and select from resources such as brochures, data sheets, white papers and much more. You can view and save almost all of them directly (by clicking the download button).

      For some documents, your e-mail address needs to be verified. The button contains an e-mail icon.

      Download via e-mail


      A click on such a button opens an online form which we kindly ask you to fill and submit. You can collect several downloads of this type and receive the links via e-mail by simply submitting one form for all of them. Your current collection is empty.