3/26/2013 11:57 PM

Amazon CloudHSM Aims To Ease Security Worries

Amazon Web Services adds security appliance to keep encryption keys out of common infrastructure, help public cloud users comply with strict compliance regulations.

Amazon Web Services (AWS) is adding a single-tenant, secure hardware cloud appliance to its usual software services to give customers an extra-secure method of storing encryption keys, issuing digital signatures and executing digital rights management in compliance with strict regulations.

AWS CloudHSM uses Safenet's Luna-SA appliances. AWS is making them available in EC2 only to Virtual Private Cloud customers, who access their virtual servers over virtual private networks and use other security precautions. The appliance is given an IP address within the virtual private cloud and is accessible only to the customer contracting for it, even though Amazon monitors it and ensures that it remains up and running.

The availability of a hardware security module (HSM) inside Amazon's EC2 allows a cloud user to store a cryptographic key, digital signature, digital rights, etc. in the cloud instead of having to maintain them on premises and upload them to an application in the cloud when they're needed. The latter inevitably slows performance and adds to the time needed to get work done.

The appliance is an Ethernet device that is tamper-resistant and can call up and use a cryptographic key without exposing it outside the device's boundaries. AWS CTO Werner Vogels considered the hardware addition significant enough to alert his thousands of Twitter followers. Noting virtual private clouds already come with security protection measures, he referred followers to an AWS blog post that said rigorous contractual or regulatory requirements in some cases require "additional protection."
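The property described above, that a key is generated and used inside the device and never handed to the application, is easiest to see as an API shape: callers get an opaque handle, ask the device to sign or verify, and are refused when they request the raw key. The following Python model is an added illustration of that boundary, not the SafeNet Luna or AWS CloudHSM client library; the class, method names and the HMAC-SHA256 signing scheme are assumptions chosen so the example runs on a standard Python install. It also records an audit trail, which is what a defender would expect to pull from a real appliance.

```python
"""Illustrative model of an HSM-style key boundary (added example; not the
SafeNet Luna or AWS CloudHSM API). Key bytes exist only inside ModelHsm;
the outside world sees integer handles, signatures and a verify result."""
import hashlib
import hmac
import secrets


class KeyExportError(Exception):
    """Raised when a caller asks for key material that must stay inside."""


class ModelHsm:
    """Toy stand-in for a tamper-resistant device (hypothetical class)."""

    def __init__(self):
        self._keys = {}          # handle -> raw key bytes; never returned
        self._next_handle = 1
        self.audit = []          # operation log a defender would export

    def generate_key(self, label):
        """Create a key inside the device and hand back only a handle."""
        handle = self._next_handle
        self._next_handle += 1
        self._keys[handle] = secrets.token_bytes(32)   # generated in-device
        self.audit.append(("generate", handle, label))
        return handle

    def sign(self, handle, data):
        """Compute an HMAC-SHA256 tag over data using the key behind handle."""
        key = self._require(handle)
        self.audit.append(("sign", handle, len(data)))
        return hmac.new(key, data, hashlib.sha256).digest()

    def verify(self, handle, data, tag):
        """Verify a tag in constant time; the key still never leaves."""
        key = self._require(handle)
        expected = hmac.new(key, data, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, tag)
        self.audit.append(("verify", handle, ok))
        return ok

    def export_key(self, handle):
        """Refuse to release key bytes, but log that someone asked."""
        self._require(handle)
        self.audit.append(("export_refused", handle))
        raise KeyExportError("key material does not leave the device")

    def _require(self, handle):
        if handle not in self._keys:
            raise KeyError(f"unknown key handle {handle}")
        return self._keys[handle]


def demo():
    """Sign a constructed database record, detect tampering, block export."""
    hsm = ModelHsm()
    handle = hsm.generate_key("db-row-integrity")   # constructed label
    record = b"account=42;balance=100"              # constructed sample row
    tag = hsm.sign(handle, record)
    tampered = b"account=42;balance=1000"
    try:
        hsm.export_key(handle)
        export_blocked = False
    except KeyExportError:
        export_blocked = True
    return {
        "valid": hsm.verify(handle, record, tag),
        "tampered_valid": hsm.verify(handle, tampered, tag),
        "export_blocked": export_blocked,
        "audit_events": [event[0] for event in hsm.audit],
    }


if __name__ == "__main__":
    print(demo())
```

The point of the design is that application code only ever holds `handle` and `tag`; an attacker who dumps the application's memory gets neither the key nor a way to forge tags, and every request for the key shows up in the audit log as `export_refused`.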


When it came to security keys themselves, "Until now, organizations' only options were to maintain data in on-premises datacenters or deploy local HSMs to protect encrypted data in the cloud. Unfortunately, those options either prevented customers from migrating their most sensitive data to the cloud or significantly slowed application performance," AWS said in its blog post.

Amazon released a whitepaper this month describing its existing AWS security measures.

An Amazon FAQ suggested CloudHSM would be good for encrypting databases in the cloud, storing the keys of public key infrastructure, authentication and authorization, document signing, digital rights management, and transaction processing.

Amazon will charge a one-time fee of $5,000 to set up the CloudHSM, and $1.88 per hour ($1,373 per month on average) thereafter until the CloudHSM is terminated. As usual with a new service, it is available only in AWS's U.S. East data center in Ashburn, Va., and at its Dublin, Ireland, facility in Europe. Amazon did not say whether CloudHSM would also become available in its other regional centers in the U.S. or around the world.
