一千萬個為什麽

搜索

在雲中運行非托管硬件安全模塊(HSM)



I have to admit to never having asked, or been asked, the question if it is possible to have a Hardware Security Module in a public cloud, by which I mean Google, Amazon or Azure. 有沒有人找到使組織能夠完全管理HSM的技術?

在我看來,雲和HSM這兩個概念在根本上彼此不一致 - 因為雲通常涉及“外包”或將操作硬件的風險轉移到雲服務提供商。

就像您在Azure和AWS中發現的那樣,完全托管的HSM顯然存在一個中間立場:

  • Azure KeyVault: Use Key Vault and you don’t need to provision, configure, patch and maintain HSMs and key management software. Provision new vaults and keys (or import keys from your own HSMs) in minutes and centrally manage keys, secrets and policies.
  • AWS CloudHSM: AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud. With CloudHSM, you can manage your own encryption keys using FIPS 140-2 Level 3 validated HSMs.

另外還有一些非HSM解決方案用於密鑰管理:

  • Cloud Key Management (Google): Cloud KMS is a cloud-hosted key management service that lets you manage encryption for your cloud services the same way you do on-premises. You can generate, use, rotate and destroy AES256 encryption keys. Cloud KMS is integrated with IAM and Cloud Audit Logging so that you can manage permissions on individual keys, and monitor how these are used. Use Cloud KMS to protect secrets and other sensitive data which you need to store in Google Cloud Platform.
  • Various Security Appliances available in all of the cloud marketplaces.

有沒有人找到使組織能夠完全管理HSM的技術?

轉載註明原文: 在雲中運行非托管硬件安全模塊(HSM)

一共有 2 個回答:

因此,Azure已經向我證實了在Microsoft Azure中使用FIPS-140 Level 2認證的硬件安全模塊的唯一方法是使用 Azure密鑰庫

I just wanted to point to you that there are solutions out there to benefit from HSM aaS dedicated. We are piloting this at Interxion (colocation provider Europe) : https://www.interxion.com/products/key-guardian/