Hardware Security Module (HSM) vs. Key Management Service (KMS)

Imam Sheikh

Recent cybersecurity threats from nation states, the Senate hearing in April on Facebook’s approach to data privacy and compliance directives like the European Union’s GDPR all underscore the urgent need for reliable methods of keeping sensitive or personal information safe. Addressing these concerns, threats and directives seems all the more daunting as enterprises transition data and applications from their own data centers to the cloud.

In particular, secure management of data and encryption keys across private, public, hybrid or multicloud environments presents a unique challenge. As enterprises make the transition to the cloud, encryption key management runs the risk of becoming inconsistent, as each cloud environment has its own approach to key management. Three solutions currently exist for managing encryption keys: legacy hardware security modules (HSM), key management services (KMS), and a solution that offers KMS-like simplicity with the security of HSM, sometimes described as HSM as a Service.

The cloud strategy you adopt, whether private, hybrid, public or multicloud, is a key factor in deciding which encryption key management strategy will work best for your enterprise. For best results, your key strategy should fit your long-term cloud strategy and should be applied consistently across your enterprise.

Legacy HSM for on-premises encryption key management

For years, hardware security modules have been used to securely manage encryption keys within an organization’s own data centers. These hardware appliances, which are designed and certified to be tamper-evident and intrusion-resistant, provide the highest level of physical security. Keys are stored in the HSM, while cryptographic operations are securely executed within the module.

As the de facto standard for encryption key management, HSMs provide a full complement of features and administrative functionality, including:

  • Lifecycle management: An HSM will guard encryption keys through every stage of their lifecycle, including creation, import, export, usage, rotation, destruction and auditing.
  • Centralized management: Desktop administrative tools remotely manage key lifecycles and support separation of administrative duties for added security.
  • Certification: HSMs meet FIPS 140-2 Level 3 validation criteria.
  • APIs: HSMs support Public-Key Cryptography Standard (PKCS) #11, Microsoft Cryptographic Application Programming Interface (CAPI), Cryptography API Next Generation (CNG), Java Cryptography Architecture (JCA), Java Cryptography Extension (JCE) and other APIs for integration and custom application development.

Legacy HSM limitations in cloud environments

As enterprises transition to cloud deployments and contract with multiple cloud service providers, the limitations of legacy HSMs come to the fore. Consider the following:

  • HSM choice and location: Will cloud providers allow you to use your on-premises HSMs, or will you be required to use HSMs hosted in the cloud providers’ data centers?
  • Connectivity: Will connections between on-premises HSMs and encrypted data stored in the cloud introduce unacceptable latency that impacts encryption and decryption?
  • Management tools: If you contract with multiple cloud providers, are you prepared for the inefficiency of having a different set of HSM key management tools for each provider?

To ease the transition and mitigate the challenges clients face when moving from on-premises encryption key management to encryption key management in the cloud, many cloud providers have developed key management services (KMS), which are built on the strengths of Software as a Service (SaaS).

Key management services for cloud environments

Functionally similar to the services provided by HSMs, a KMS enables clients to manage encryption keys without concerns about HSM appliance selection or provisioning. A KMS offers centralized management of the encryption key lifecycle and the ability to export and import existing keys. It also provides a software development kit (SDK) that adheres to the Application Packaging Standard (APS) for application development and integration.

There are distinct advantages to using the KMS offered by cloud providers, notably that they build on the well-established strengths of cloud platforms:

  • Scalability: The cloud platform can easily accommodate enterprise data, processing and geographic growth.
  • Availability: Cloud providers have made significant investments in infrastructure to ensure service availability.
  • Integration: Native integration with other services such as system administration, databases, storage and application development tools offered by the cloud provider.
  • Bring Your Own Key (BYOK): As an added level of security, some cloud providers complement their KMS with an option of using an external HSM for storing master keys.

KMS limitations in multicloud environments

If your organization contracts with a single cloud provider, the KMS approach to encryption key management may be your best choice. However, studies such as the RightScale State of the Cloud Report indicate that the majority of enterprises contract with multiple cloud providers. In a multicloud environment, the technical and economic benefits of the cloud are diminished by the complexity of requiring a different encryption key management method for each cloud environment.

Most likely, your data security team is already struggling to attain or maintain compliance with ever-increasing regulations. You need a strategy to simplify key management without adding administrative complexity. You want a consistent, centralized and secure means to manage encryption keys, ideally one specifically designed for multicloud environments.

HSM as a Service: simple, secure and scalable

HSM as a Service is an alternative to on-premises HSM or a KMS from the cloud provider. It’s ideal for enterprises that need both HSM-grade security for key management and the consistency of a single administrative environment, regardless of where encryption keys are used. HSM as a Service, which provides HSM-grade key storage without the need for HSM appliances, is quickly implemented and easily scales to support data, processes and geographic growth.

HSM as a Service offers features and functionality equivalent to a KMS and possesses several additional capabilities to complement the strengths of cloud providers:

  • Multicloud and hybrid-cloud capabilities: Consistent, centralized control and management regardless of where the data resides.
  • BYOK Support: Can easily incorporate your existing encryption keys.
  • Cryptographic protection: Only authorized users have access to encrypted keys.
  • Certification: Can offer FIPS 140-2 Level 3 validation without the need for HSM appliances.
  • Cloud-friendly APIs: Provides support for PKCS #11, CNG, JCE, Key Management Interoperability Protocol (KMIP) and RESTful APIs for application development and integration. Sample code is also provided.
  • Security and latency: Keys are stored separate from yet proximate to data to reduce latency and provide an added level of defense against data breach.
  • Connectivity: Available via public internet with access to multiple cloud service providers and network service providers. Also available via a private backbone network across global data centers.

Encryption key management solutions: Let your long-term cloud strategy guide your choice

Choosing the optimal encryption key management strategy and means of implementation can be a straightforward process. If you run a private or hybrid cloud environment within your own data center, already have HSMs with established encryption keys in place, and intend to maintain that environment for the foreseeable future, it makes sense to stay the course. Similarly, if you’ve contracted with a single cloud services provider and have no long-term plans to expand beyond that sole provider, then that provider’s KMS (or, even better, their KMS underpinned by their HSMs) is an obvious choice.

As an alternative, though, consider the advantages of HSM as a Service. It can eliminate the cost and overhead of provisioning HSMs in your data center as your data and processing demands grow. In contrast to KMS, it can provide an additional level of breach defense by keeping the encryption keys separate from the encrypted data stored by your cloud provider.
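The separation argument above, as an added example that is not code from the original article or from SmartKey: a minimal envelope-encryption model in Python in which a constructed KeyService stands for the KMS or HSM-as-a-Service boundary, so that master keys never leave it and the cloud data store holds only ciphertext plus wrapped data keys. The cipher is a standard-library HMAC-SHA256 construction standing in for AES-GCM, and all names (KeyService, store_record, read_record, the mk- key ids) are invented for the illustration.

```python
import hashlib, hmac, secrets

def _subkeys(key):
    # Derive independent encryption and MAC keys from one 256-bit key.
    return tuple(hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))

def _keystream(enc_key, nonce, n):
    return b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def encrypt(key, plaintext):
    # Encrypt-then-MAC from HMAC-SHA256: a stdlib-only stand-in for AES-GCM. Layout: nonce|ct|tag.
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))

class KeyService:
    # The KMS / HSM-as-a-Service boundary: master keys are created and used here, never returned.
    def __init__(self):
        self._masters = {}   # key id -> master key bytes, never leaves this object
        self.audit = []      # usage log: the auditing stage of the key lifecycle
    def create_key(self):
        kid = "mk-" + secrets.token_hex(4)   # constructed key id format
        self._masters[kid] = secrets.token_bytes(32)
        self.audit.append(("create", kid))
        return kid
    def generate_data_key(self, kid):
        dek = secrets.token_bytes(32)        # plaintext DEK for the caller to encrypt with
        self.audit.append(("generate_data_key", kid))
        return dek, encrypt(self._masters[kid], dek)   # plus the DEK wrapped under the master key
    def unwrap_data_key(self, kid, wrapped):
        self.audit.append(("unwrap", kid))
        return decrypt(self._masters[kid], wrapped)

def store_record(ks, kid, plaintext):
    # What the cloud data store holds: ciphertext plus a wrapped DEK, and no master key.
    dek, wrapped = ks.generate_data_key(kid)
    return {"wrapped_dek": wrapped, "ciphertext": encrypt(dek, plaintext)}

def read_record(ks, kid, record):
    return decrypt(ks.unwrap_data_key(kid, record["wrapped_dek"]), record["ciphertext"])
```

A copy of the stored record alone cannot be decrypted, and every wrap and unwrap leaves an entry in the service's audit log, which is where the detection value of keeping keys apart from data comes from.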

If you’re among the majority of enterprises who contract with multiple cloud service providers, or if you anticipate that your private, hybrid or single provider cloud strategy will soon evolve to a multicloud strategy, then HSM as a Service is the best way to efficiently manage encryption keys across a variety of cloud platforms. The chart below provides recommendations for the best encryption key management solution based on your long-term cloud strategy:

Private or hybrid cloud
  • Recommendation: HSMs already provisioned in the enterprise’s data center
  • Advantages: HSM security
  • Alternatives: HSM as a Service to eliminate the ongoing cost and overhead of provisioning HSMs

Single cloud provider
  • Recommendation: Cloud provider’s KMS, or KMS enhanced by cloud provider’s choice of HSM
  • Advantages: Ease of management (optional BYOK)
  • Alternatives: HSM as a Service to maintain encryption keys separate from data for additional defense against data breaches

Multicloud
  • Recommendation: HSM as a Service
  • Advantages: Ease of management, HSM-level security, additional defense against data breaches

Explore the benefits of using SmartKey for encryption key management. SmartKey’s HSM as a Service delivery model simplifies the provisioning and control of secure key storage; SmartKey also provides encryption and tokenization services for optimal performance and to meet all compliance requirements. It’s easy to get started: Simply register for a free trial, and you’ll be on the fast track to better management of encryption keys.