Amazon Web Services adds security appliance to keep encryption keys out of common infrastructure, help public cloud users comply with strict compliance regulations.
10 Tools To Prevent Cloud Vendor Lock-in
(click image for larger view and for slideshow)
Amazon Web Services (AWS) is adding a single-tenant, secure hardware cloud appliance to its usual software services to give customers an extra-secure method of storing encryption keys, issuing digital signatures and executing digital rights management in compliance with strict regulations.
AWS CloudHSM uses Safenet's Luna-SA appliances. AWS is making them available in EC2 only to Virtual Private Cloud customers, who access their virtual servers over virtual private networks and use other security precautions. The appliance is given an IP address within the virtual private cloud and is accessible only to the customer contracting for it, even though Amazon monitors it and ensures that it remains up and running.
The availability of a hardware security module (HSM) inside Amazon's EC2 allows a cloud user to store a cryptographic key, digital signature, digital rights, etc. in the cloud instead of having to maintain them on premises and upload them to an application in the cloud when they're needed. The latter inevitably slows performance and adds to the time needed to get work done.
The appliance is an Ethernet device that is tamper-resistant and can call up and use a cryptographic key without exposing it outside the device's boundaries. AWS CTO Werner Vogels considered the hardware addition significant enough to alert his thousands of Twitter followers. Noting virtual private clouds already come with security protection measures, he referred followers to an AWS blog post that said rigorous contractual or regulatory requirements in some cases require "additional protection."
When it came to security keys themselves, "Until now, organizations' only options were to maintain data in on-premises datacenters or deploy local HSMs to protect encrypted data in the cloud. Unfortunately, those options either prevented customers from migrating their most sensitive data to the cloud or significantly slowed application performance," AWS said in its blog post.
An Amazon FAQ suggested CloudHSM would be good for encrypting databases in the cloud, storing the keys of public key infrastructure, authentication and authorization, document signing, digital rights management, and transaction processing.
Amazon will charge a one-time fee $5,000 to set up the CloudHSM and $1.88 per hour or $1,373 per month on average thereafter until the CloudHSM is terminated. As usual with a new service, it is available only in AWS's U.S. East data center in Ashburn, Va. in the U.S., and at its Dublin, Ireland, facility in Europe. Amazon did not say whether CloudHSM would also become available in its other regional centers in the U.S. or around the world.
Multicloud Infrastructure & Application ManagementEnterprise cloud adoption has evolved to the point where hybrid public/private cloud designs and use of multiple providers is common. Who among us has mastered provisioning resources in different clouds; allocating the right resources to each application; assigning applications to the "best" cloud provider based on performance or reliability requirements.