Mixed HSMs

Cloud & On-Prem HSMs

Are we Diluting On-Prem PKI Security using Cloud Hardware Security Module (HSM) as a Service

(Compiled and produced by Steve Monti SafeCipher.com)

Using cloud vendors for protecting on-premises Public Key Infrastructure (PKI) keys raises valid concerns.

This perspective is grounded in the inherent trade-offs and challenges that come with cloud-based HSM services for certain use cases, particularly when dealing with sensitive on-premises PKI systems. With on-premises HSMs, organizations have complete physical and administrative control over the HSMs. This level of control is crucial for sensitive operations, like managing PKI keys, where trust and security are paramount.

Using HSM as a Service requires a significant level of trust in the cloud vendor. The vendor’s security practices, personnel, and even legal jurisdictions become critical factors. Cloud HSMs operate in a multi-tenant environment. Although providers ensure logical separation and robust security, the idea of sharing infrastructure can be a concern for high-security scenarios.

Certain regulations and policies mandate that key cryptographic operations occur within specific geographic or jurisdictional boundaries, which might not align with cloud-based solutions. I know that this is of particular importance with UK Government requirements.

Compliance with industry-specific standards can be more complex when cryptographic keys are managed off-premises. For MOD customers and certain UK government departments this is not even an option.

Cloud-based HSMs can introduce latency in cryptographic operations, which might be critical for some on-premises systems, particularly in high-throughput environments. Integrating cloud-based HSMs with existing on-premises PKI systems can add complexity, requiring robust network configurations and reliable internet connectivity. While cloud-based HSMs offer excellent disaster recovery capabilities, for some organizations, the idea of not having physical control over recovery and redundancy mechanisms can be a drawback.

In summary, while the cryptographic keys themselves are not transmitted over the network in a cloud HSM service, the data and commands related to these keys are. This distinction is crucial in understanding the security model of cloud-based HSM services like Azure Key Vault Managed HSM. The protection of data in transit and the secure management of the HSM play vital roles in maintaining the overall security of the system.
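To make that distinction concrete, here is an added Go example (written for this page, not code from SafeCipher or from any HSM vendor's SDK) that models a remote signing call as an on-prem CA would issue it: the to-be-signed data is hashed locally, only the digest travels to the simulated HSM, and only the signature comes back. A constructed wire log captures every message that would cross the tunnel, so the absence of private key material on the wire can be checked directly. The `cloudHSM`, `wireLog` and `signRemotely` names are illustrative stand-ins for a real PKCS#11 or REST interface and are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// wireLog is a constructed stand-in for the cloud-to-on-prem tunnel: it records
// every message that would cross the network between the PKI host and the HSM.
type wireLog struct {
	entries [][]byte
}

func (w *wireLog) record(direction string, payload []byte) {
	msg := append([]byte(direction+": "), payload...)
	w.entries = append(w.entries, msg)
}

// cloudHSM models the service boundary: the private key lives only inside it,
// and the only operation exposed on the key is Sign (illustrative, not a vendor API).
type cloudHSM struct {
	key *rsa.PrivateKey
}

func newCloudHSM() (*cloudHSM, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &cloudHSM{key: key}, nil
}

// Sign accepts a SHA-256 digest received over the wire and returns a
// PKCS#1 v1.5 signature. The TBS data itself never needs to reach the HSM.
func (h *cloudHSM) Sign(digest []byte) ([]byte, error) {
	if len(digest) != sha256.Size {
		return nil, errors.New("cloudHSM: expected a 32-byte SHA-256 digest")
	}
	return rsa.SignPKCS1v15(rand.Reader, h.key, crypto.SHA256, digest)
}

// PublicKey is the only key material that legitimately leaves the HSM.
func (h *cloudHSM) PublicKey() *rsa.PublicKey {
	return &h.key.PublicKey
}

// signRemotely is the on-prem CA side of the exchange: hash locally, send the
// digest across the tunnel, receive the signature back.
func signRemotely(hsm *cloudHSM, tunnel *wireLog, tbs []byte) ([]byte, error) {
	digest := sha256.Sum256(tbs)
	tunnel.record("client->hsm SIGN", digest[:])
	sig, err := hsm.Sign(digest[:])
	if err != nil {
		return nil, err
	}
	tunnel.record("hsm->client SIG", sig)
	return sig, nil
}

// verifySignature checks the returned signature with the HSM's public key,
// as a relying party (or the CA itself) would.
func verifySignature(hsm *cloudHSM, tbs, sig []byte) bool {
	digest := sha256.Sum256(tbs)
	return rsa.VerifyPKCS1v15(hsm.PublicKey(), crypto.SHA256, digest[:], sig) == nil
}

// privateKeyOnWire reports whether any recorded message contains the private
// key in PKCS#1 DER form or the raw private exponent, i.e. whether the key
// itself ever crossed the tunnel.
func privateKeyOnWire(hsm *cloudHSM, tunnel *wireLog) bool {
	der := x509.MarshalPKCS1PrivateKey(hsm.key)
	d := hsm.key.D.Bytes()
	for _, msg := range tunnel.entries {
		if bytes.Contains(msg, der) || bytes.Contains(msg, d) {
			return true
		}
	}
	return false
}

func main() {
	hsm, err := newCloudHSM()
	if err != nil {
		panic(err)
	}
	tunnel := &wireLog{}
	tbs := []byte("constructed to-be-signed certificate body") // constructed sample input
	sig, err := signRemotely(hsm, tunnel, tbs)
	if err != nil {
		panic(err)
	}
	fmt.Printf("signature valid: %v\n", verifySignature(hsm, tbs, sig))
	fmt.Printf("messages on the wire: %d (digest out, signature back)\n", len(tunnel.entries))
	fmt.Printf("private key crossed the tunnel: %v\n", privateKeyOnWire(hsm, tunnel))
}
```

In a real deployment the two recorded messages, plus the session authentication that precedes them, are exactly the "data and commands related to these keys" that the TLS tunnel has to protect; the private key never appears in the log because the signing operation, not the key, is what the service exposes.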

Finally, I am particularly concerned about the real problem of Harvest Now Decrypt Later (HNDL) with these cloud to on-prem TLS tunnels and the implications for this long term, as I know that this problem is very little understood and mitigated against.

Contact SafeCipher for all your Vendor Neutral HSM requirements.
