Thales eSecurity Blog

HSMs: Facilitating Key Management in a Hybrid Cloud Environment

Sharon Ginga | Senior Technical Product Marketing Manager

Organizations are actively working to prevent data breaches by encrypting their sensitive information. Encryption isn’t a foolproof security measure, however. If attackers get control of an organization’s encryption keys, for instance, they can use them to decrypt its data and thereby steal its plaintext contents.

Fortunately, organizations can bolster their implementations of encryption by practicing good key management. A standard means for managing their keys is to use a hardware security module (HSM) to protect their encryption keys against tampering across their entire lifecycle. That being said, organizations need to keep additional considerations in mind if they’re looking to extend their key management efforts across their cloud environments.

I will begin by examining the overall benefits of HSMs as examined through a variety of use cases. I’ll then discuss the growing need for HSMs to meet organizations’ key management needs in hybrid cloud environments and how Thales in particular leads the way in offering HSMs to customers across hybrid, cloud and on-premises environments.

Use Cases of Hardware Security Modules

According to TechTarget's WhatIs, HSMs are used to provision cryptographic keys for critical functions such as encryption, decryption and authentication on behalf of applications, identities and databases. Three of the leading use cases for employing an HSM, which we'll focus on below, are root of trust, public key infrastructure, and code signing.

Root of Trust

Within a cryptographic system that uses asymmetric cryptography, there is typically a Root of Trust (ROT): a component the rest of the system relies on without further verification. (Not all systems are created equal, so this trust isn't a given.) The ROT is most often protected by a hardened hardware module such as an HSM. This module performs a cryptographic system's vital functions: using keys to encrypt and decrypt data, generating and verifying digital signatures, and signing the certificates used by people and devices. All of this takes place within a secure, tamper-resistant boundary. Consequently, the rest of the computing ecosystem can trust the keys and cryptographic data it receives from the HSM, because the module and the key material it holds are not accessible from outside that boundary.

Public Key Infrastructure

All of the hardware, software, policies, and processes that play a part in the lifecycle of digital certificates and public keys together constitute the Public Key Infrastructure (PKI). PKI lays the foundation for implementing digital signatures and encryption across large groups of users. As an integral part of PKI, certificate authorities (CAs) issue certificates that bind users' identities to their public keys. Malicious actors realize this, which is why they commonly target CAs with sophisticated attacks. In response, all public CAs rely on HSMs to preserve PKI integrity and to protect their most precious asset, the root private key.

Code Signing

The third use case for HSMs, code signing, lets users and organizations verify the identity of a software publisher and, by checking the digital signature, confirm that a software product is unchanged since it was published. Software publishers can obtain a commercial publishing certificate from a CA to earn users' trust. The private key behind that certificate is what produces every signature, so publishers use a solution such as an HSM to keep it safe.
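The sign-and-verify flow the code signing and Root of Trust sections describe, as an added example that is not Thales's code or part of the original post. It assumes a software ECDSA key standing in for the HSM-held publisher key; in a real deployment the private key is generated inside the HSM and SignArtifact would call into it (for example over PKCS#11) rather than hold the key in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer models the publisher side of code signing. In production the private
// key lives inside an HSM and never leaves it; the software key here is an
// assumption so the example runs stand-alone.
type Signer struct{ priv *ecdsa.PrivateKey }

func NewSigner() (*Signer, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv}, nil
}

// SignArtifact hashes the release artifact and signs the digest with the
// publisher key, producing the signature shipped alongside the software.
func (s *Signer) SignArtifact(artifact []byte) ([]byte, error) {
	digest := sha256.Sum256(artifact)
	return ecdsa.SignASN1(rand.Reader, s.priv, digest[:])
}

// Public returns the publisher's public key, which the CA binds to the
// publisher's identity in the publishing certificate.
func (s *Signer) Public() *ecdsa.PublicKey { return &s.priv.PublicKey }

// VerifyArtifact is the user-side check: recompute the digest of what was
// actually received and verify it against the published signature. Any
// modification to the artifact after signing makes this return false.
func VerifyArtifact(pub *ecdsa.PublicKey, artifact, sig []byte) bool {
	digest := sha256.Sum256(artifact)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	s, err := NewSigner()
	if err != nil {
		panic(err)
	}
	release := []byte("installer-v1.2.3 bytes (constructed sample)")
	sig, _ := s.SignArtifact(release)
	fmt.Println("genuine verifies:", VerifyArtifact(s.Public(), release, sig))
	tampered := append([]byte{}, release...)
	tampered[0] ^= 0x01 // flip one bit, as a post-publication modification would
	fmt.Println("tampered verifies:", VerifyArtifact(s.Public(), tampered, sig))
}
```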

Difficulties Introduced by the Rise of the Hybrid Cloud

Today, it's becoming increasingly difficult for organizations to deploy HSMs across their entire environments due to the rise of the hybrid cloud. According to Thales's own research, more than four-fifths (84 percent) of organizations are now adopting a multi-cloud strategy. They're doing so to: 1) meet the needs of multiple applications and teams in the cloud; 2) mitigate the risk of locking into a deal with a single cloud provider; and 3) take advantage of pricing. In doing so, many organizations seek to bolster their IT agility across the hybrid cloud while improving their level of security and control over their cloud-based assets.

Security challenges are prevalent in the hybrid cloud. According to (ISC)2, two-thirds of organizations feel that traditional security solutions either don’t work in the cloud or have limited functionality. That’s a problem, as more than half of organizations cited compatibility with their on-premises infrastructure as their most important consideration for embracing the hybrid cloud. Simultaneously, 60 percent of organizations said that their security teams couldn’t keep up with cloud business initiatives, thus limiting their ability to keep the organization safe going forward.

The Need for a Hybrid Multi-Cloud HSM

The challenges described above don’t absolve organizations of the responsibility for securing their data and encryption keys. With that said, organizations would be wise to look for HSMs that take the cloud, or multiple clouds and hybrid environments into consideration. Many of the leading cloud-based HSMs provide the same cryptographic functions as an on-premises solution, for instance, yet they’re delivered by their providers in an “as-a-service” model. This type of offering lets organizations rely on professionals to set up and help maintain an HSM in the event that they lack the internal expertise to deploy this technology on-premises. All the while, organizations can enjoy better security, a simpler pricing model, redundancy, availability and other benefits of using an HSM that’s based in the cloud.

Purchasing an HSM, whether on-premises or as a service in the cloud, ultimately comes down to making a choice. That's why organizations need to do their research and find a trusted provider. With the growth of the HSM market, it's becoming more and more difficult for organizations to find trusted providers that meet their business needs, especially in the burgeoning cloud HSM segment.

David Tapper, vice president of IDC’s Outsourcing and Managed Cloud Services program, is well aware of this growing problem. As quoted in a recent press release:

The managed cloud services market is creating fundamental changes in the outsourcing industry involving the entrance of new providers, partnership ecosystems, investment requirements and opportunities, though also bringing with it some critical challenges to players shifting from a world of non-cloud (legacy) outsourcing to managed cloud services.

Fortunately, organizations need not look too far to find a cloud-based HSM provider. Thales continues to stand above others in the industry as a market leader, providing its proven Luna general purpose HSMs and payShield payment HSMs as well as Data Protection On Demand (DPoD), its latest data-protection-as-a-service offering.

Back in 2017, the company launched DPoD, a one-stop marketplace of cloud-based HSM, key management, and encryption solutions. Thales delivers each service through a simple, intuitive, web-based interface, thereby guaranteeing ease-of-use for its customers. Its experienced security professionals manage this interface, which is hosted on highly robust and scalable architecture. This enables Thales’s cloud security solutions to scale to meet any customer’s needs, including those with on-premises, public cloud, hybrid or multi-cloud environments.

Additionally, Thales provides seamless key migration between its Luna HSM and its DPoD cloud HSM service to support its customers' hybrid, multi-cloud environments. Such an offering helps to meet the needs of customers regardless of where their data resides by enabling all third-party HSM integrations and offering common SDK and API support. This hybrid offering provides high availability group access between on-premises Luna HSM devices and DPoD cloud HSM services. The solution also helps to distribute workloads between on-premises and cloud-based environments, and to maintain a real-time, cloud-based backup of an organization's cryptographic objects.

To find out more, sign up for DPoD cloud HSM services.