How Cloud HSMs take away the complexity of key management

Key management is no one’s idea of a fun time.

If you are not familiar with the term, key management is the secure handling of the cryptographic keys that protect sensitive data, so that the keys themselves are handled correctly throughout their life. Everything from key generation and key distribution to key storage and key destruction comes under the umbrella of key management.


Another critical element of this process is the Hardware Security Module (HSM), a physically secured device that generates keys within a strictly controlled environment. These devices are subject to strict regulatory requirements and have to be handled with care under controls such as dual custody and physical access controls.

That is before you even consider the cost of buying an HSM, which is quite expensive (and do not forget a backup HSM for your DR site!). You also have to factor in regulatory standards like PCI PIN, which financial institutions have to comply with in order to use HSMs.

Given all of these requirements, you can see why companies would want to eliminate as much of this hassle as possible and move to a simpler model.

This is where Cloud HSMs come in.

What is a Cloud HSM?

As the name implies, a Cloud HSM is a cloud version of a physical on-prem HSM. It delivers the same functionality, except that the cloud provider handles all the physical security controls and compliance with those pesky standards.

All the complexity is abstracted away from the customer.

Some of the key benefits you get are:

  • Offloading the physical requirements and costs around HSMs onto the provider.

  • Moving towards an OPEX budget model, which is more appealing to management.

  • Better business continuity, as the cloud provider is responsible for transparently managing backup and DR instances of the Cloud HSMs.

  • Better security, as the cloud provider can give you compliance reports for mandates like PCI PIN and FIPS 140-2.

  • Improved productivity as the security team can focus on more value-added tasks instead of managing the overhead of HSMs.

Key things to keep in mind

Despite all these benefits, many companies get jittery about losing control of their HSMs. The cloud operates on a shared responsibility model, and thus the cloud provider takes over the physical requirements.

This can become a stumbling block for many companies, as their cybersecurity team will not want to lose control of these devices.

These concerns can easily be alleviated by the following:

  • Set up sessions with the Cloud HSM provider and your cybersecurity teams so they can ask questions about their security concerns and get them answered.

  • Make the team understand the value add that the cloud provider brings. Cloud providers have budgets to spare for securing Cloud HSMs and can hire industry experts, which most companies cannot match. They are also happy to share certifications for PCI PIN and FIPS 140-2, which give additional assurance to your teams.

  • Create the understanding that a trade-off will always exist in security, whether on-prem or in the cloud. These risks have to be identified and tracked so the team knows what its current risk posture is.

Cloud HSMs are the future of key management

Whether a company decides to adopt or avoid a Cloud HSM boils down to a straightforward question that every cybersecurity team asks:

Is the Cloud HSM as secure as on-prem?

The simple answer is a resounding YES, with some caveats:

The customer has to understand the shared responsibility model: the customer is responsible for security in the cloud, while the provider handles the security of the cloud. In Cloud HSM terms, this means the governance procedures around keys remain the customer's responsibility, along with the HSM security settings the customer is allowed to configure.
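To make the split concrete, here is an added example (not code from the original post, and not any provider's API) that models the key lifecycle described at the start of the post together with the governance controls that stay on the customer's side of the shared responsibility line. The provider's device is represented by a stand-in class that generates key material and never hands it out; the custodian names, key id, dates and 90-day crypto-period are all constructed for the illustration. The customer-side policy layer decides who may act on a key, which lifecycle transitions are permitted, when a key has outlived its crypto-period, that destruction needs dual custody, and keeps an audit trail of every approved action.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

class KeyState(Enum):
    PRE_ACTIVE = "pre-active"
    ACTIVE = "active"
    DEACTIVATED = "deactivated"
    DESTROYED = "destroyed"

# Lifecycle transitions the customer's governance policy permits.
ALLOWED_TRANSITIONS = {
    KeyState.PRE_ACTIVE: {KeyState.ACTIVE, KeyState.DESTROYED},
    KeyState.ACTIVE: {KeyState.DEACTIVATED},
    KeyState.DEACTIVATED: {KeyState.DESTROYED},
    KeyState.DESTROYED: set(),
}

class PolicyViolation(Exception):
    """A request that breaks the customer's key-governance policy."""

class SimulatedHsm:
    """Stand-in for the provider-managed device (an assumption, not a real Cloud HSM API).
    Key material never leaves it: callers submit data and get a MAC back."""
    def __init__(self):
        self._material = {}
    def generate(self, key_id):
        self._material[key_id] = secrets.token_bytes(32)  # 256-bit HMAC key
    def mac(self, key_id, data):
        return hmac.new(self._material[key_id], data, hashlib.sha256).hexdigest()
    def zeroize(self, key_id):
        del self._material[key_id]

@dataclass
class KeyRecord:
    key_id: str
    created: datetime
    crypto_period: timedelta  # how long the key may be used before it must be rotated
    state: KeyState = KeyState.PRE_ACTIVE

class KeyGovernance:
    """What stays with the customer under shared responsibility: who may touch a key,
    its lifecycle state, its crypto-period, dual custody for destruction, an audit trail."""
    def __init__(self, hsm, custodians, destroy_quorum=2):
        self.hsm, self.custodians, self.destroy_quorum = hsm, set(custodians), destroy_quorum
        self.keys, self.audit = {}, []
    def _require_custodians(self, actors):
        if not set(actors) <= self.custodians:
            raise PolicyViolation(f"not all key custodians: {sorted(actors)}")
    def generate(self, key_id, now, crypto_period, requester):
        self._require_custodians({requester})
        self.hsm.generate(key_id)
        self.keys[key_id] = KeyRecord(key_id, now, crypto_period)
        self.audit.append((now.isoformat(), key_id, "generate", (requester,)))
    def transition(self, key_id, new_state, approvers, now):
        rec = self.keys[key_id]
        self._require_custodians(approvers)
        if new_state not in ALLOWED_TRANSITIONS[rec.state]:
            raise PolicyViolation(f"{rec.state.value} -> {new_state.value} not permitted")
        if new_state is KeyState.DESTROYED:
            if len(set(approvers)) < self.destroy_quorum:
                raise PolicyViolation("destruction needs dual custody")
            self.hsm.zeroize(key_id)  # irreversible, hence the quorum check above
        rec.state = new_state
        self.audit.append((now.isoformat(), key_id, new_state.value, tuple(sorted(approvers))))
    def mac(self, key_id, data, now):
        rec = self.keys[key_id]
        if rec.state is not KeyState.ACTIVE:
            raise PolicyViolation(f"key {key_id} is {rec.state.value}")
        if now >= rec.created + rec.crypto_period:
            raise PolicyViolation(f"crypto-period of {key_id} elapsed; rotate the key")
        return self.hsm.mac(key_id, data)

def _refused(action):
    try:
        action()
    except PolicyViolation:
        return True
    return False

def run_scenario():
    """Walk one key through its lifecycle (constructed names/dates); report what policy refused."""
    hsm, t0 = SimulatedHsm(), datetime(2024, 1, 1, tzinfo=timezone.utc)
    gov = KeyGovernance(hsm, custodians={"alice", "bob", "carol"})
    gov.generate("k1", t0, timedelta(days=90), requester="alice")
    r = {"outsider_refused": _refused(lambda: gov.transition("k1", KeyState.ACTIVE, {"mallory"}, t0))}
    gov.transition("k1", KeyState.ACTIVE, {"alice"}, t0)
    r["tag"] = gov.mac("k1", b"sample transaction", t0)
    late = t0 + timedelta(days=91)  # past the 90-day crypto-period
    r["expired_refused"] = _refused(lambda: gov.mac("k1", b"late", late))
    gov.transition("k1", KeyState.DEACTIVATED, {"bob"}, late)
    r["single_custodian_refused"] = _refused(lambda: gov.transition("k1", KeyState.DESTROYED, {"bob"}, late))
    gov.transition("k1", KeyState.DESTROYED, {"bob", "carol"}, late)
    r["destroyed"] = gov.keys["k1"].state is KeyState.DESTROYED
    r["audit_entries"] = len(gov.audit)
    return r
```

Calling `run_scenario()` shows the division of labour: the stand-in device does the cryptography, but every refusal (an outsider trying to activate a key, use after the crypto-period, a single custodian trying to destroy) comes from the policy layer, which is exactly the part a Cloud HSM does not take off the customer's hands.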

For Cloud HSMs to be successfully adopted by any company, a mindset shift has to happen. Once cybersecurity teams see the value add that Cloud HSMs bring to the table and the risks they mitigate, they will become the biggest proponents of this newer and improved model.
