Many of our readers have told us that they want to learn more about encryption and key management in AWS. CloudHSM is an AWS service that can establish an even greater trust in AWS from which encryption and key management applications can be anchored. If you’re not familiar with AWS CloudHSM, you can read more about it on the CloudHSM Detail Page. It’s an AWS service that provides secure cryptographic key storage and operations within a tamper-resistant hardware device. HSMs are designed to securely store cryptographic key material and use the key material without exposing it outside the cryptographic boundary of the appliance.
Todd Cignetti, AWS Security Product Manager, works with AWS customers and partners who build applications that leverage CloudHSM. He describes several use cases for CloudHSM below to help you understand when you should consider using the service as a part of your application.
It may not be obvious how to use CloudHSM for practical applications, so I’d like to discuss how a few applications use the service. Frankly, it’s not always necessary to use HSM technology to store key material, so we’ll also discuss some of the common requirements that dictate the extra level of security provided by CloudHSM. CloudHSM is used for a wide range of applications, including database encryption, digital content encryption, payment applications, certificate management and public key infrastructure (PKI), and identity and auditing.
Several commercial database engines support a feature called transparent data encryption (TDE) that can seamlessly encrypt the data in a database. TDE uses a master key to encrypt the keys that are used to encrypt the data. I’ll discuss the idea of a master key and how it relates to other encryption keys to create a key hierarchy in a future blog post, but for now just think of the master key as an encryption key that can unlock all of the data.
TDE typically stores the master key in a software container on the same virtual server as the database itself. Typically the software container is isolated from the database data using separate access controls or it is encrypted with a password. While storing the master key in a software container is appropriate for some AWS customers, several CloudHSM customers configure their EC2-based database instances to store the TDE master keys in the HSM instead. In this scenario, the master key is created inside the HSM and it never leaves the HSM. With the appropriate credentials, the database can use the master key, but the database never has a copy of the key and so the customer controls access to the key and can even revoke access to it at any time. Oracle Database 11g and Microsoft SQL Server 2008 and 2012 support TDE that includes the option to store the master key in an HSM. Several CloudHSM customers are using this solution with database instances in EC2 to provide extra protection for the master key.
Several CloudHSM customers are using the CloudHSM service to protect keys used to encrypt digital content. This includes everything from key management for encrypted video content to a healthcare portal for accessing secure documents. The common theme among these applications is strong protection for the encryption keys.
The decision to use CloudHSM may be based on third-party requirements or a customer’s own best practices. In the case of video content, the content owners imposed contractual requirements on the content distributors to use hardware-based key storage. Internal best practices and a proactive approach to HIPAA compliance were the drivers for using CloudHSM in securing sensitive healthcare documents.
Many customers have expressed interest in using CloudHSM with payment applications in the AWS cloud. The Payment Card Industry Data Security Standard (PCI-DSS) requires very stringent encryption and key management best practices for systems that handle credit card data. CloudHSM may make it easier to demonstrate secure key storage and management compared to software-based key management. The CloudHSM service is included in the list of AWS services validated for the 2013 PCI DSS Compliance package. In combination with appropriate key management processes, CloudHSM can help customers comply with PCI DSS key management requirements 3.5 and 3.6.
PKI and Certificate Management
Several customers are using the CloudHSM service to generate certificates, sign certificate signing requests (CSRs), and to store private keys used with certificates. The CloudHSM is typically used as an architectural building block and root of trust in these applications. The requirement to use CloudHSM depends on the application. One CloudHSM customer is building a service to digitally sign documents using an intermediate signing certificate that is signed by a public certification authority (CA). The public CA requires the intermediate signing key to be stored in hardware.
Entersekt , an AWS Technology Partner and transaction authentication solution provider, built a system to authenticate sensitive financial transactions from mobile devices in AWS. The system is based on PKI and stores private root keys in CloudHSM appliances, and it uses the private keys to perform certificate-based authentication rather than using SMS or browser-based passwords. CloudHSM made it possible to migrate the application infrastructure to AWS while enhancing security.
Identity and Auditing
Xceedium, an AWS Technology Partner and vendor of identity management and secure auditing solutions, has integrated and tested its Xsuite platform with CloudHSM. Xsuite controls access, monitors and audits privileged access to EC2 instances, the AWS management console, and AWS management APIs. Xsuite leverages CloudHSM for high assurance protection of the keys used to vault customer credentials and passwords. Using CloudHSM with the Xsuite AMI (Amazon Machine Instance) in AWS provides a service-based alternative to buying, maintaining and hosting physical Xsuite appliances. Applications such as Xsuite can use CloudHSM with one set of APIs such as PKCS#11, Java JCA/JCE, or Microsoft Cryptographic API (CAPI) without being rewritten. They can continue to use the same APIs, but the implementation of the API call is performed by the HSM appliance instead of software.
For some AWS customers who have migrated much of their infrastructure to AWS, HSM appliances are the last remaining devices in their datacenters. CloudHSM has allowed some customers to close datacenters and realize significant cost savings. These customers typically see improved application performance for applications that use HSMs due to the close proximity and low network latency afforded by CloudHSM, and they eliminate costs such as: hosting, power, cooling, network connectivity, and firewall maintenance.
We’ve discussed the basic ideas behind CloudHSM and some of the ways customers are using it. In a future post we’ll dig into more detail on key hierarchies and how to integrate CloudHSM with specific applications. You can learn more about CloudHSM at CloudHSM Detail Page or get started by contacting us to sign-up.