Securing the public cloud with HSM as a service
- By Ambuj Kumar
- May 09, 2018
With data breaches on the rise, agencies are looking to proven data encryption solutions to keep their information secure in cloud. However, encryption has not achieved its full potential, partly because of limitations in a public cloud setting.
Many encryption challenges can be traced to the management of encryption keys, and this is certainly true in the cloud. If attackers get access to keys, that’s as good as getting access to the sensitive data, leaving agencies between a rock and hard place. If they don’t use encryption, they have sensitive data exposed on their infrastructure that hackers can exploit. On the other hand, if agencies use encryption, now they must secure the keys and make sure they never fall into the hands of attackers. This is where hardware security modules come into play.
HSMs are custom-built appliances with strong digital and physical security. Even if attackers get remote or even physical access to the HSM, the keys stored inside the HSM remain protected. Additionally, HSMs offer high-speed encryption and decryption offloading functionality and easily integrate with various databases and other digital assets that need encryption.
While HSMs have worked well for on-premise deployment, there are several reasons why their use has lagged far behind in public clouds. First, HSMs may require physical management. This presents a big operational hurdle, often leaving organizations with no choice but to operate HSMs in reduced security mode, potentially negating some of the benefits of using such a solution in the first place.
Second, HSMs are often restricted to one public cloud. Once a key is securely stored inside an HSM, it may never be exported from the HSM. Organizations not willing to be held hostage to any one public cloud don’t like this restriction. Many agencies need flexibility to migrate their applications from one cloud to another as their needs evolve.
Third, most of the public cloud components such as compute cycles, networking and storage are offered on a pay-as-you-go model, which benefits agencies with seasonal workloads that can purchase capacity for the peak business season without paying for it during the rest of the year. HSMs, however, often require a large upfront investment, often in the range of hundreds of thousands of dollars.
Fourth, HSMs were architected many years ago when cloud computing was still evolving. As a result, they may lack features such as multi-tenancy, centralized control and web-based user interfaces. This deters users who may not be familiar with custom legacy tools.
Unlocking the true potential of encryption for protecting data in the public cloud therefore requires a new version of HSMs that mitigates these shortcomings. HSM-as-a-service makes it easy to adopt a cross-cloud encryption strategy.
While many security vendors have long realized the potential business value of HSMaaS, they couldn’t deliver on it because the building blocks were not easily available. Relying only on physical tamper switches such as traditional HSMs always required a manual oversight and in turn introduced the operational headache associated with HSMs.
However, Intel Software Guard Extension -- a new set of instruction code from Intel -- makes it possible to offer certain privacy and security guarantees even in a remote cloud environment. Intel SGX allows applications to run with encrypted memory without trusting the main operating system. A properly written application secured by Intel SGX may offer vastly superior security properties, making Intel SGX an ideal platform to enhance HSMaaS offerings.
HSMaaS has the right characteristics to benefit modern cloud infrastructure. It can scale elastically from few keys to trillions of keys, from just a few operations per second to billions of transactions per second, without any active intervention from the organizations using it. Moreover, HSMaaS can be remotely managed and used with flexible access control policies that can be integrated with on-premises or cloud-native identity solutions.
HSMaaS can be offered with a pay-as-you-go business model, making it easy for agencies to evaluate and slowly adopt the solution. Because the service can be priced based either on service tiers or by the number of transactions, the pricing model is consistent with the vast majority of other infrastructure security solutions.
Making HSMaaS cloud-ready is not a simple feat. Encryption affects basic availability of businesses. An online business, for example, cannot thrive if its customers are unable to purchase merchandise on its website because of problems with the site's encryption provider. Thus, HSMaaS must be able to offer robust and responsive service even in the presence of occasional but inevitable hardware failures.
HSMaaS should be accessible from all major public clouds. Often times, certain modes of operations with HSMaaS require shuffling data back and forth between the local compute engine and the HSMaaS. The networking architecture connecting the HSMaaS to various cloud interconnect points should use reliable network pipes that offer deterministic connectivity across the globe.
While traditional HSMs may have proved difficult in the public cloud, today there are HSMaaS solutions that offer all the desired security and management properties at cloud scale with six nines (99.9999 percent) of availability.
Encryption is a powerful tool. Delivering it easily across distributed infrastructure can be very effective in preventing data breaches. Solutions such HSMaaS democratize access to encryption and allow even the largest organizations to secure their public cloud workloads with all the conveniences of software-as-a-service offerings. Now, there are no excuses for not using encryption in cloud.
Ambuj Kumar is the co-founder and CEO at Fortanix.