Are you considering moving business critical firmware to the cloud while maintaining compliance with the likes of GDPR, eIDAS, PCI DSS etc.?
If some of the above questions apply to you and you’ve done your research, then you probably know that keeping your encryption keys separate is one of the main best practices to protect your data and operations in the cloud from unauthorized access. The separation of the keys also ensures confidentiality, integrity and authenticity of your critical data.
If you want your keys to be kept in a hardware security module (HSM) that you can manage yourself, you need a platform which is flexible, scalable and secure, as well as easy to manage and monitor.
Utimaco offers a technology platform that is the basis for a number of products which are specifically optimized for private, public and hybrid cloud applications, payment applications or a combination of the above.
The Utimaco CryptoServer as network-attached appliance is a 19”, 2U HSM platform, delivered as a FIPS 140-2 Level 3 (Se-Series Gen2) or FIPS 140-2 Level 4 for physical security Level 3 overall (CSe-Series) certified device. It comes equipped with dual field exchangeable power supplies in a hot-hot layout and redundant Ethernet ports guarantee a high availability. Additionally, as a platform, it comes with different product deployments: PaymentServer, TimestampServer, CryptoServer SDK and SecurityServer. These are just a few examples of industry-specific functionality packages that Utimaco offers.
Depending on the cloud deployment scenario you are looking to implement, let’s consider how the key features mentioned above can help overcome the deployment-specific challenges related to security:
Public cloud is nothing more than publicly available hardware and software resources shared by multiple parties and managed by a third-party provider. It is obvious that although a public cloud might be an optimal solution in terms of scalability and high availability, security should play an important role in your decision-making process, also. This point is particularly relevant because in a public cloud setting resources are shared and often beyond the geographical boundaries of the clients’ legal framework. This is exactly why HSMs can play a major role in achieving information assurance in such deployments.
Regardless if you choose to co-locate your HSM or place it in the cloud: encrypted and mutually authenticated channels, remote two-factor authentication capabilities and integrated monitoring are just a few of the features you need your HSM to support to make sure your sensitive data is under your sole control. Going one step further, by using the CryptoServer SDK, you can even protect the entire application – including custom IP – rather than only the sensitive data and keys.
Private clouds might be setup completely within the boundaries of your own organization, or can be extended to use resources provided solely for your needs by third-party providers. Centralizing management of computational requirements can be a major benefit for any organization but, at the same time, it can also quickly become a burden for the security personnel assigned with the task of managing and monitoring the available cryptographic resources. It is exactly there where a flexible HSM platform supporting multiple APIs, cryptographic algorithms and key lengths can serve the most in centrally managing cryptographic requirements for the various applications in your IT landscape.
Moreover, the ability to offer multiple client connections which can operate in parallel and independent from each other – and each with its unique key storage configuration capabilities – maximizes flexibility without at the same time sacrificing the simplicity of setup and monitoring.
Although initially understood as a combination of public and private cloud, hybrid cloud has become something more than that in the meantime. Hybrid cloud refers to the combination of multiple products provided by different parties and hosted at different locations. Thus, in a hybrid cloud scenario, a client can choose best of breed products and services offered by different public and private cloud providers. The downside of this approach is the increased complexity in securing your infrastructure. This is where a single platform armed with different firmware packages serving the different needs can be a major benefit.
Multiple client connections, clustering, configurable authentication mechanisms, client-specific key stores, encrypted communication channels and integrated monitoring are just a few of the key features that can help you maximize security and prove compliance (GDPR, PCI DSS, PCI HSM, etc.), regardless if you decide to place your HSMs in the cloud or on premises.
There is no longer doubt about the benefits of moving infrastructure and processes to the cloud. Increased flexibility, scalability and availability are just a few of the key features the cloud can offer. However, an increase in the complexity of security requirements comes along with the increase in flexibility. Although many of the cloud providers nowadays offer built-in security features, it is highly recommended on the one side to keep data and cryptographic keys separately, and on the other side to make sure that you and only you are in control of your cryptographic keys. It is exactly for this purpose that a flexible HSM platform can serve you the most.
Are you ready to test our HSM capabilities in the cloud? First, register here to download our fully functional simulator, which has the exact same configuration and usage as a cloud-based HSM, and when you want to target the cloud HSM, just change the configured IP addresses! If you have any additional questions, feel free to get in touch with our support team.