Hardware Security Modules (HSM) vs. Key Management Solutions (KMS): Part Two

Imam Sheikh
It’s been a year since we wrote about the pros and cons of hardware security modules (HSM), key management solutions and HSM as a Service (HSMaaS). The hardware security module solutions market continues to grow: a MarketWatch Global Hardware Security Modules Market Growth 2019-2024 report anticipates a compound annual growth rate (CAGR) of over 11 percent for the next five years, reaching US$2020 million by 2024. Based on market changes, collaboration with clients worldwide and market-driven product enhancements, here’s an update on how businesses are comparing three approaches to developing their encryption key management strategy for the cloud.

Legacy hardware security modules: There’s still demand for hardware security solutions

With greater concern for data security across businesses of all sizes, HSMs provide a proven means of managing encryption keys and are often the logical choice for small to medium-sized businesses needing to improve on-premises data security. For larger businesses with evolving cloud strategies, HSM limitations include procurement cycles, physical device management, usage confined to a single cloud provider and reliance on legacy application development tools.


Key management solutions: convenient, but keys and data with the same provider

Major cloud providers such as Alibaba, Azure, AWS, Google, IBM, Oracle and Salesforce.com offer key management services (KMS). The solutions vary among providers: some offer natively developed, software-only services; others use HSM vendors as the foundation for their key management service; a few offer KMS with the option of underpinning the service with HSMs.

For businesses able to host applications and data with a single cloud provider, KMS offers the most expedient means of implementing encryption keys. Shortcomings of the KMS approach include usage limited to a single cloud provider and the exposure of keys and data, held by the same provider, to outside attackers or malicious insiders (Capital One being one glaring example).

HSM as a Service: secure and convenient

HSM as a Service (HSMaaS) is an alternative to HSM devices and KMS. HSMaaS provides secure, centralized key management and cryptography without the need for HSM appliances. Its on-demand implementation simplifies the provisioning and control of encryption keys. An added benefit of the HSMaaS approach is the ability to maintain encryption keys separate from the data they protect, thereby providing an additional level of data security.

HSM or KMS or HSM as a Service: What drives the decision?

In our discussions with businesses developing or evaluating an encryption key management strategy for the cloud, we’ve worked with organizations of every size at every level of the maturity curve: small businesses proactively working to improve data security, cloud-born startups, organizations with hybrid cloud architectures and global organizations wrestling with the complexity of complying with varying regulations such as GDPR and the California Consumer Privacy Act (CCPA). In advising these businesses on their encryption key management strategy, we’ve discovered several common reasons for choosing HSM as a Service over HSMs or KMS.

Hybrid Multicloud requirement

Businesses that were pioneers in moving to the cloud years ago began by hosting data and applications with a single cloud provider. Now, by necessity, they contract with multiple cloud providers to support the diversity of applications, provide coverage across geographies, avoid provider lock-in or support compliance requirements. Many customers also use a hybrid approach where some of their critical workloads still reside outside the cloud. In these circumstances, HSMs can’t efficiently be deployed across widely-distributed cloud resources and no single KMS can seamlessly provide centralized key management for hybrid multicloud environments.

Cloud-native development

Businesses developing new applications for cloud environments don’t want to be limited to using legacy development tools or standards that support HSMs. They want the flexibility of using the latest cloud-native RESTful APIs, as well as standard legacy interfaces such as PKCS#11, KMIP, JCE and CNG if needed. HSMaaS provides development tools, SDKs and sample code that bridges requirements for legacy integration and modern cloud applications.

Cloud architects’ perspective

Even though key management solutions are primarily a CISO responsibility, cloud and network developers and architects play an increasingly important role in guiding the decision. Developers and architects are looking to optimize network performance, simplify overall network management and deploy security services that minimize the risk of intrusion. HSM as a Service addresses these needs by providing a centralized method of encryption key management in hybrid multicloud environments while supporting the foremost security and compliance requirements of CISOs.

Uses beyond standard data encryption

Businesses are interested in wider applications of encryption technology. Our discussions have touched on payment services, integration with storage vendors using KMIP to extend encryption services to those platforms, and secure cryptographic operations in blockchain environments.

As businesses adopt hybrid multicloud environments and evaluate their encryption key management solutions, more of them are looking for alternatives to existing HSM and KMS approaches.

HSM as a Service: The appeal of SmartKey

Invariably, encryption key management discussions focus on the capabilities that differentiate HSM as a Service from alternative solutions. SmartKey, Equinix’s HSM as a Service solution, addresses the inherent limitations of HSM devices and KMS via the following capabilities:

  • Deployment: In keeping with the on-demand model of cloud services, SmartKey is deployed without requiring significant, long-term investments in legacy HSM devices.
  • Hybrid multicloud support: SmartKey supports encryption key management solutions across private, public and hybrid cloud environments and leading providers like AWS, Azure, Google, Oracle and Salesforce among others.
  • HSM-grade security: SmartKey provides secure key management and cryptography services without the need for legacy HSM devices, and ensures that all access control, key generation, cryptographic operations, user and application authentication and logging occur only within the secure Intel® SGX enclave.
  • Exclusive key ownership: Keys are maintained in a separate environment from the data they encrypt to ensure only key owners, not the cloud service provider nor any entity external to the business, can access and control keys.
  • Digital ecosystem: When deployed on Platform Equinix, SmartKey can easily take advantage of a global ecosystem of interconnections—secure, direct connections to more than 1,800 network and 2,900 cloud, network and IT service providers—allowing businesses to quickly deploy centrally managed encryption key management solutions where and when needed.

While we’ve shared several of the reasons businesses opt for the HSM as a Service approach, developing the right encryption key management solutions requires careful consideration. The 451 Research paper "Equinix SmartKey" explores the SaaS-based approach that leverages global Equinix locations to generate, store and manage encryption keys. Also, the free hands-on SmartKey trial may be useful in helping to determine if HSM as a Service is the right approach to meet your needs.