Improve Cloud Security Management with a Cloud-Based HSM

When we talk to companies around the world, a common topic of discussion is the transformational nature of cloud technologies. In a very short time, the cloud has disrupted every aspect of how IT infrastructure, resources and software are deployed and managed. While there’s near-universal agreement on the economic benefits of this, it’s not all good news: In these discussions, the conversation invariably turns toward the growing challenges of cloud security management, in particular the management of the encryption keys that are fundamental to cloud security.

Cloud security management is top-of-mind for any enterprise charged with handling personally identifiable information (PII). These data are subject to numerous industry and government regulations such as the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), the new General Data Protection Regulation (GDPR) and data sovereignty requirements. Many of these regulations broaden the definition of PII and place additional requirements on the capture and use of personal data. As an ever-increasing amount of data is identified as PII, and as an ever-increasing amount of PII is stored in the cloud, the risk of a damaging data breach grows.

Encryption key management: complex in multicloud environments

Cloud providers have already incorporated security measures into their platforms and services. In many ways, cloud storage may be considered safer than on-premises data centers. However, only a small minority of enterprises work with a single cloud provider: According to the RightScale State of the Cloud Report™, the vast majority of enterprises work with multiple cloud providers to support their private, public or hybrid cloud environments. In contrast to the convenience of software deployment and scalability provided by the cloud, managing encryption keys across multiple cloud platforms is inherently complex. The reasons for this include the following:

  • Each cloud provider offers its own solution for encryption key management.
  • Encryption key management tools vary by provider.
  • The level of encryption key security varies among providers.

This complexity, coupled with a shortage of skilled security personnel, leads many enterprises to look for methods that allow them to centrally and securely manage encryption keys. You might think of this as a search for a cloud-neutral approach to encryption key management.

HSM as a Service simplifies encryption key management in multicloud environments

For encryption key management in multicloud environments, consider the benefits of HSM as a Service, which is designed to address these critical needs:

  • Security: The level of security provided by HSM as a Service is equivalent to on-prem HSM solutions, but with the ease of use of cloud services.
  • Scalability: HSM as a Service quickly and easily scales to meet local and global growth.
  • Centralized: HSM as a Service gives users a single point of management regardless of the cloud provider or providers.
  • Lifecycle management: Users control key creation, distribution, rotation, refreshment and retirement. HSM as a Service also supports Bring Your Own Key (BYOK).
  • Multicloud: HSM as a Service provides support for encryption key management in AWS, Google, Azure, IBM, Oracle, SalesForce and others in private, hybrid and public cloud environments.
  • Compliance: HSM as a Service features enterprise-level access controls and audit logging.

HSM as a Service provides unique features and functionality designed for ease of use, greater cloud security management and application development and integration:

Ease of deployment

HSM as a Service provides the same FIPS 140-2 level 3 security as the HSMs used for on-premises key storage, without the need to purchase, provision and manage physical HSMs. As data and processing demands increase, HSM as a Service is very easily configured with online access and scales to meet your needs locally and globally.

Added level of cloud security management

Best practices recommend that encryption keys and data be managed separately. HSM as a Service allows you to securely manage encryption keys in an environment physically and logically separate from yet proximate to data managed by your cloud provider. The separate-yet-proximate arrangement offers an added level of security because:

  • Connectivity between the HSM as a Service and the cloud provider is secure, private and low latency.
  • Master keys can be stored in the HSM as a Service, separate from the cloud providers.

Highest level of customer privacy and confidentiality with confidential computing

Equinix SmartKey HSM as a Service leverages Intel SGX to ensure the highest level of customer privacy and confidentiality. With Intel SGX, SmartKey encrypts customer data at rest, in transit and in memory, protecting customer data from malicious attacks and preventing service provider access to the data. With SmartKey, only the customer has access to their unencrypted data, not the service provider, which protects against data breaches and requires customer notification in the event of a government subpoena for data access.

Enterprises concerned with PII management should welcome this additional defense against potential data breaches.

Development tools for today’s cloud environment

Development tools need to support older applications as well as take advantage of the newest encryption capabilities. HSM as a Service provides a set of cloud-friendly application programming interfaces (APIs), software development kits (SDKs), sample code and support for popular interfaces such as Representational State Transfer (RESTful) APIs, Public-Key Cryptography Standard (PKCS) #11, Cryptography API Next Generation (CNG), Java Cryptography Extension (JCE) and Key Management Interoperability Protocol (KMIP). These integration tools, in conjunction with support services from Equinix, can reduce application development time from weeks and months to days.

As part of application and integration development, HSM as a Service enables you to run specific algorithms to process data. These algorithms are not available from off-the-shelf HSM solutions or cloud providers. To further enhance security, the code is executed in a protected enclave execution environment.

The unique features of HSM as a Service, in combination with its functionality, give it a distinct advantage over other cloud security management solutions.

Complement leading cloud providers

There’s no question about the value major cloud providers offer in terms of services, ease of software deployment, availability, scalability and economic benefit. As we mentioned earlier, however, encryption key management becomes complex and almost unmanageable in multicloud environments. HSM as a Service, available as SmartKey from Equinix, complements the strengths of cloud providers by providing an easily deployed, secure, centralized encryption key management solution.

The capabilities and benefits are further enhanced with SmartKey as part of Platform Equinix, which provides a reliable backbone across global data centers to interconnect with multiple cloud providers. The platform allows you to quickly establish multiple virtual connections and obtain high-performance, low-latency interconnection between SmartKey and the cloud provider of your choice. This HSM as a Service solution is powered by Fortanix and is based on Intel® Software Guard Extensions (SGX), a technology for application developers seeking to protect application code and data from disclosure or modification. This core technology both obviates the need for physical HSMs and provides application integration and development tools for today’s cloud environments.

HSM as a Service: security and simplicity

With the majority of enterprises operating multicloud environments, the best method of managing encryption keys across these varied environments takes advantage of the most essential cloud attributes: ease of deployment and scalability. HSM as a Service in the form of SmartKey is quickly configured online, easily scales to match your growth and, most importantly, provides HSM-level encryption key security. It gives you a single tool to simplify provisioning and control of encryption keys in private, public and hybrid cloud environments. We invite you to consider a free trial of Equinix SmartKey to experience how easily HSM as a Service is deployed and managed. While cloud security management is complex and challenging, SmartKey allows you to choose simplicity without sacrificing security.