Amazon CloudHSM (It is Safenet in the backend), Safenet Luna HSM SaaS version and other cloud HSM providers
Question
Amazon CloudHSM (It is Safenet in the backend), Safenet Luna HSM SaaS version and other cloud HSM providers provide Key Management and encryption services on device in the cloud.
From my research, I understand that they can be used to encrypt some data and get the encrypted blob for storage in a DB / on disk, either:
- in the cloud (Amazon RDS / Amazon S3), or
- on premise behind the firewall (local database / local file system).
(CloudHSM) <===== talking to ====> (On Premise / Behind the Firewall application)
- What are the security concerns w.r.t. this model?
- Any specific recommendations from a network security point of view?
- Is this even a valid model in the first place?
Explanation / Answer
In most cases, you would install the driver/engine software in your servers and would do PKCS#11 over TLS.
Be aware that some vendors' offerings may not be a true HSM; specifically, it may be the software and management around an HSM delivered as a virtual appliance. These are not meant to provide the same level of resilience to attack as a true HSM. The key store is an encrypted file on the virtual appliance, not encrypted NVRAM inside a blob of epoxy. This means that, in theory, it could be repeatedly cloned for massively parallel offline cryptanalysis. As such, these virtual appliances will not receive FIPS 140 certification.
I cannot say which of the first-tier vendors I got this from, nor can I go into more depth, as some things are covered by NDA, but I would work closely with your employer's risk management team and audit to determine whether it is an acceptable risk to outsource.
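As an added illustration of the model sketched in the question and the PKCS#11-over-TLS arrangement the answer describes (example code written for this page, not taken from any vendor's client library), the Go program below models the trust boundary with a simulated in-process HSM: the on-premise application hands plaintext to the device, receives a blob that references the key only by label, stores that blob in its local database, and has to reach the HSM again to decrypt it. The `simulatedHSM` type, the key label, the hostname `hsm.example.internal` and the sample record are all constructed assumptions; `clientTLSConfig` shows the TLS posture one would expect on the on-premise client side (pinned CA, hostname verification, client certificate for mutual authentication, TLS 1.2 minimum).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/json"
	"errors"
	"fmt"
)

// Blob is the record the on-premise application stores in its local database or
// file system: a reference to the key (its label inside the HSM), a nonce and the
// ciphertext. The key material itself never appears in it.
type Blob struct {
	KeyLabel   string `json:"key_label"`
	Nonce      []byte `json:"nonce"`
	Ciphertext []byte `json:"ciphertext"`
}

// simulatedHSM is a constructed stand-in for the remote device so the example
// runs offline. Keys live in process memory and it has none of the tamper
// resistance of a real HSM; only the data flow across the boundary is modelled.
type simulatedHSM struct {
	keys map[string]cipher.AEAD
}

func newSimulatedHSM() *simulatedHSM {
	return &simulatedHSM{keys: map[string]cipher.AEAD{}}
}

// GenerateKey creates an AES-256 key under a label. The raw bytes are wrapped into
// an AEAD and dropped; callers only ever see the label.
func (h *simulatedHSM) GenerateKey(label string) error {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return err
	}
	block, err := aes.NewCipher(raw)
	if err != nil {
		return err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return err
	}
	h.keys[label] = aead
	return nil
}

// Encrypt runs AES-GCM on the device side. The label is bound as associated data
// so a stored blob cannot be silently re-pointed at a different key.
func (h *simulatedHSM) Encrypt(label string, plaintext []byte) (Blob, error) {
	aead, ok := h.keys[label]
	if !ok {
		return Blob{}, errors.New("hsm: no key with label " + label)
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	return Blob{KeyLabel: label, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, []byte(label))}, nil
}

// Decrypt fails if the key is absent (device unreachable or key destroyed) or if
// the nonce, ciphertext or label were altered while at rest.
func (h *simulatedHSM) Decrypt(b Blob) ([]byte, error) {
	aead, ok := h.keys[b.KeyLabel]
	if !ok {
		return nil, errors.New("hsm: no key with label " + b.KeyLabel)
	}
	return aead.Open(nil, b.Nonce, b.Ciphertext, []byte(b.KeyLabel))
}

// EncodeBlob / DecodeBlob serialise the record for a database column.
func EncodeBlob(b Blob) (string, error) {
	out, err := json.Marshal(b)
	return string(out), err
}

func DecodeBlob(s string) (Blob, error) {
	var b Blob
	err := json.Unmarshal([]byte(s), &b)
	return b, err
}

// clientTLSConfig is the TLS posture for the on-premise client towards the HSM
// endpoint: trust only the HSM service's CA, verify the hostname, present a client
// certificate, refuse anything below TLS 1.2. InsecureSkipVerify stays false.
func clientTLSConfig(hsmCA *x509.CertPool, clientCert tls.Certificate, serverName string) *tls.Config {
	return &tls.Config{
		RootCAs:      hsmCA,
		Certificates: []tls.Certificate{clientCert},
		ServerName:   serverName,
		MinVersion:   tls.VersionTLS12,
	}
}

func main() {
	hsm := newSimulatedHSM()
	if err := hsm.GenerateKey("customer-db-key"); err != nil {
		panic(err)
	}
	blob, err := hsm.Encrypt("customer-db-key", []byte("constructed sample: account 0001"))
	if err != nil {
		panic(err)
	}
	record, _ := EncodeBlob(blob) // this string is what lands in the on-premise DB
	fmt.Println(record)
	back, _ := DecodeBlob(record)
	plain, err := hsm.Decrypt(back)
	fmt.Println(string(plain), err)
	_, err = newSimulatedHSM().Decrypt(back) // a session without the key cannot read it
	fmt.Println("decrypt without HSM key:", err)
}
```

Two properties of the model fall out of running it: the stored record is useless without a live, authenticated session to the device that holds the key (an availability and access-control dependency on the cloud side), and any modification of the record at rest is rejected at decryption time because GCM authenticates nonce, ciphertext and label together.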