Definition: A Cloud HSM is a cloud-hosted Hardware Security Module (HSM) that lets the user host encryption keys and perform cryptographic operations with the benefits of a cloud service deployment, eliminating the need to host and maintain on-premises appliances.
Cloud HSM explained
Cloud hardware security modules (HSMs) can be delivered from the cloud either as hosted devices or as a service:
- Hosted HSMs are physically independent HSMs owned by a customer and operated by a cloud service provider or vendor, such as Utimaco. This solution offers a high level of protection against unauthorized physical access and is ideally compliant with FIPS 140-2 Level 3. However, scalability is limited to the capacity of the hosted HSM: to scale up, more physical devices need to be deployed.
- As-a-service solutions that provide a fully or partially managed shared HSM. Management functions such as key management can be part of the service or can be performed by the customer on premises or in a different cloud.
- As-a-service solutions that provide each tenant with its own container within an HSM, protected at FIPS 140-2 Level 3 on a per-tenant basis. Such containers carry individual policies and firmware per tenant and offer the scalability advantages of the cloud. They sit outside the cloud service provider's (CSP) infrastructure and preserve the customer's full control over their encryption requirements.
Services can be provided as part of either a multi-cloud or a hybrid cloud strategy. The cloud HSM can be located either within the infrastructure of the protected cloud services or at an external location. The latter has the advantage that the HSM service can be used across the hybrid cloud, including numerous third-party clouds as well as the customer's local data centers.
Cloud HSMs allow organizations to:
- Integrate cryptographic security requirements in alignment with the organization's cloud requirements and strategy,
- Obtain a cost-effective and simplified solution for business-critical security requirements,
- Shift from a CapEx to an OpEx financial model,
- Meet FIPS 140-2, PCI and Common Criteria EAL4+ high-assurance security and compliance mandates,
- Free skilled members of staff to focus on other areas of importance.
A transition to the cloud must take place within the context of sector-specific requirements and regulations, and the HSM must comply with the major regulations of security-sensitive industries. Adapting to a cloud service environment provides numerous benefits, ranging from the sharing of resources to the provision of data and easy orchestration of services.
Important Note
Aside from the locally deployed (on-premises) HSM approach, numerous cloud service providers and HSM device manufacturers offer Hardware Security Modules "as a Service" or as managed services.
It is important to note, however, that these managed or cloud services provide general-purpose HSM devices, which may be beneficial for integration with PCI DSS environments but are not suitable for use in PCI PIN, PCI P2PE, or PCI 3DS environments.
Utimaco's MYHSM provides a fully managed cloud-based HSM (HSM-as-a-Service) in a PCI PIN-compliant, banking-grade environment.