In an effort to boost data security in the cloud, Amazon Web Services (AWS) has just launched a new service called AWS CloudHSM, designed to help its customers meet strict regulatory requirements without sacrificing their cloud application’s performance.
AWS says that the new security feature is aimed at customers whose regulatory requirements prevent them from running apps on shared infrastructure, which has been one of the key hurdles in the way of its efforts to win over the enterprise. Previously, companies in that position have been compelled to keep their most sensitive data – or at least, its encryption keys – buried within on-premises servers to meet those requirements, preventing them from fully migrating to the cloud. Now, AWS is hoping to do away with that need.
In a blog post announcing the launch, AWS’s Jeff Barr explains that CloudHSM is a dedicated appliance providing secure key storage to protect encryption keys:
“You can store your keys within an HSM and use them to encrypt and decrypt data while keeping them safe and sound and under your full control. You are the only one with access to the keys stored in an HSM,” writes Barr.
“The AWS CloudHSM service brings the benefits of HSMs to the cloud. You retain full control of the keys and the cryptographic operations performed by the HSM(s) you create, including exclusive, single-tenant access to each one. Your cryptographic keys are protected by a tamper-resistant HSM that is designed to meet a number of international and US Government standards including NIST FIPS 140-2 and Common Criteria EAL4+.”
Each CloudHSM is given its own user-specified IP address within the Amazon Virtual Private Cloud (VPC). Users who sign up for the service will be provided with administrator credentials, allowing them to create user accounts, create and manage encryption keys, and perform other cryptographic-related tasks using their accounts. As an added reassurance, AWS won’t have any access to those keys, which remain under the user’s sole control.
CloudHSM runs Luna SA software version 5. Once provisioned, it can be accessed via a number of standard APIs, including the Microsoft Cryptography API (CAPI), PKCS #11 (Cryptographic Token Interface Standard) and Java JCA/JCE (Java Cryptography Architecture / Java Cryptography Extension).
In all, CloudHSM seems to be a pretty well thought-out solution that should help most enterprises satisfy regulatory requirements if they wish to fully migrate into the cloud. Even so, it’s certainly not the cheapest solution around, with AWS demanding a cool $5,000 to provision a single CloudHSM, on top of the $1.88 hourly fee it charges (about $1,373 per month, on average). But for companies that need to be in the cloud with the highest level of security possible, CloudHSM looks like it might just provide them with value for money.