Securing the public cloud with HSM as a service

Featured eBooks
Whole-of-State Cybersecurity
The State of Trust in Government
Cybersecurity in State and Local Government
By Ambuj Kumar
 

Connecting state and local government leaders

By Ambuj Kumar

|

While traditional hardware security modules may have proved difficult to deploy in the public cloud, HSMaaS solutions offer data security and management at cloud scale.

With data breaches on the rise, agencies are looking to proven data encryption solutions to keep their information secure in cloud. However, encryption has not achieved its full potential, partly because of limitations in a public cloud setting.

Many encryption challenges can be traced to the management of encryption keys, and this is certainly true in the cloud. If attackers get access to keys, that’s as good as getting access to the sensitive data, leaving agencies between a rock and hard place. If they don’t use encryption, they have sensitive data exposed on their infrastructure that hackers can exploit. On the other hand, if agencies use encryption, now they must secure the keys and make sure they never fall into the hands of attackers. This is where hardware security modules come into play.

HSMs are custom-built appliances with strong digital and physical security. Even if attackers get remote or even physical access to the HSM, the keys stored inside the HSM remain protected. Additionally, HSMs offer high-speed encryption and decryption offloading functionality and easily integrate with various databases and other digital assets that need encryption.

While HSMs have worked well for on-premise deployment, there are several reasons why their use has lagged far behind in public clouds. First, HSMs may require physical management. This presents a big operational hurdle, often leaving organizations with no choice but to operate HSMs in reduced security mode, potentially negating some of the benefits of using such a solution in the first place.

Second, HSMs are often restricted to one public cloud. Once a key is securely stored inside an HSM, it may never be exported from the HSM. Organizations not willing to be held hostage to any one public cloud don’t like this restriction. Many agencies need flexibility to migrate their applications from one cloud to another as their needs evolve.

Third, most of the public cloud components such as compute cycles, networking and storage are offered on a pay-as-you-go model, which benefits agencies with seasonal workloads that can  purchase capacity for the peak business season without paying for it during the rest of the year. HSMs, however, often require a large upfront investment, often in the range of hundreds of thousands of dollars.

Fourth, HSMs were architected many years ago when cloud computing was still evolving. As a result, they may lack features such as multi-tenancy, centralized control and web-based user interfaces. This deters users who may not be familiar with custom legacy tools.

Unlocking the true potential of encryption for protecting data in the public cloud therefore requires a new version of HSMs that mitigates these shortcomings. HSM-as-a-service makes it easy to adopt a cross-cloud encryption strategy.

While many security vendors have long realized the potential business value of HSMaaS, they couldn’t deliver on it because the building blocks were not easily available. Relying only on physical tamper switches such as traditional HSMs always required a manual oversight and in turn introduced the operational headache associated with HSMs.

However, Intel Software Guard Extension --  a new set of instruction code from Intel -- makes it possible to offer certain privacy and security guarantees even in a remote cloud environment. Intel SGX allows applications to run with encrypted memory without trusting the main operating system. A properly written application secured by Intel SGX may offer vastly superior security properties, making Intel SGX an ideal platform to enhance HSMaaS offerings.

HSMaaS has the right characteristics to benefit modern cloud infrastructure. It can scale elastically from few keys to trillions of keys, from just a few operations per second to billions of transactions per second, without any active intervention from the organizations using it. Moreover, HSMaaS can be remotely managed and used with flexible access control policies that can be integrated with on-premises or cloud-native identity solutions.

HSMaaS can be offered with a pay-as-you-go business model, making it easy for agencies to evaluate and slowly adopt the solution.  Because the service can be priced based either on service tiers or by the number of transactions, the pricing model is consistent with the vast majority of other infrastructure security solutions.

Making HSMaaS cloud-ready is not a simple feat. Encryption affects basic availability of businesses. An online business, for example, cannot thrive if its customers are unable to purchase merchandise on its website because of problems with the site's encryption provider. Thus, HSMaaS must be able to offer robust and responsive service even in the presence of occasional but inevitable hardware failures.

HSMaaS should be accessible from all major public clouds. Often times, certain modes of operations with HSMaaS require shuffling data back and forth between the local compute engine and the HSMaaS. The networking architecture connecting the HSMaaS to various cloud interconnect points should use reliable network pipes that offer deterministic connectivity across the globe.

While traditional HSMs may have proved difficult in the public cloud, today there are HSMaaS solutions that offer all the desired security and management properties at cloud scale with six nines (99.9999 percent) of availability. 

Encryption is a powerful tool. Delivering it easily across distributed infrastructure can be very effective in preventing data breaches. Solutions such HSMaaS democratize access to encryption and allow even the largest organizations to secure their public cloud workloads with all the conveniences of software-as-a-service offerings. Now, there are no excuses for not using encryption in cloud.

NEXT STORY: Senate Lawmakers Seek to Extend Waterworks Financing Program

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.