Securing the Cloud with Hardware Security Modules
Subscribe to vXchnge Blog
More and more of today’s businesses are migrating their data and computing operations to the cloud. The combination of cost-savings and ease of use make the move an easy decision for small to medium size businesses. A 2016 survey of more than 1,200 small businesses in the US found that 71% of them ran at least one-quarter of their business in the cloud, up from 23.5% just 18 months earlier. Even for larger enterprises, migrating to the cloud provides tremendous advantages in terms of IT flexibility, freeing up valuable tech resources that can be diverted to innovation and delivering better customer experiences.
With so many companies embracing the cloud, the amount of data located there continues to grow. About 39% of all company data is now stored in the cloud, which raises some significant security concerns about how to protect sensitive information. From customer data to proprietary assets, companies need to think about how to protect their cloud infrastructure from data breaches.
Encryption is still the best way to protect digital data from being compromised. By translating readable text into code commonly referred to as ciphertext, encryption ensures that only users with the appropriate decryption key will be able to access and read the information. Modern encryption keys are generated by complex algorithms and require authentication to verify the origin of data and ensure it hasn’t been altered in any way.
While about 80% of cloud providers encrypt data in transit, less than 10% of them encrypt data at rest, which can leave company information stored in the cloud vulnerable to access by unauthorized users. Furthermore, there are some thorny legal and privacy issues involved with cloud providers and encryption keys. If a cloud provider is subpoenaed by the government to hand over customer data, it can also be compelled to provide the encryption keys needed to access it.
Hardware Security Modules
For all of these reasons, cloud customers are searching for tools that allow them to control their own encryption keys and protocols. The most secure and versatile solution is a physical hardware security module (HSM).
Specifically designed for encryption key management, an HSM serves as a gatekeeper between internal servers and the wider digital world. In addition to generating and managing the encryption keys necessary for accessing data, an HSM can also store valuable firmware and other proprietary information behind a secure perimeter managed according to strict internal and external protocols.
A typical HSM has only limited access to a company’s network and runs on a dedicated OS specially optimized for security. It generates and stores randomized encryption keys and dictates which systems have access to them and when, making it possible to lock out any unauthorized access to sensitive data throughout the network.
Unfortunately, the physical nature of HSMs have long made them an unrealistic solution for businesses on the cloud. While an HSM is ideal for companies connecting their private IT infrastructure to the public cloud as part of a hybrid cloud model, the modules are expensive and require extensive hands-on management. For smaller businesses without any IT infrastructure of their own and store all of their critical data and assets in the cloud, HSMs have not been a viable solution.
HSM as a Service
Luckily, new programming developments have made it possible for cloud providers to offer the benefits of having an HSM without the associated costs of owning and managing the module itself. With HSM as a Service, the cloud provider makes it possible for users to generate their own encryption keys and set access protocols for their data. While the cloud provider manages access to the HSM, the cryptographic keys themselves remain under the exclusive control of its customers.
Once the keys are generated, they can be stored in a secure cloud environment separate from the public cloud where the data itself is located. This ensures that even if there is a breach, the cryptographic keys will not be compromised as well. For an extra layer of security, colocation data centers can store keys in physical HSMs located and managed on-site.
With HSM as a Service, cloud customers finally have access to a scalable security solution that allows them to protect their valuable data and assets. The ability to better manage access to encrypted data is particularly important for companies required to adhere to strict compliance regulations.
As organizations continue to migrate more of their operations to the cloud, the need to secure the data being stored there is more pressing than ever. With HSM as a Service, cloud providers and data centers finally have the tools to give their customers the very best security measures possible. While it may not be possible to provide 100% security for data stored in the cloud, providing cloud users with the ability to generate and manage their own encryption keys and access protocols goes a long way toward making the cloud a safer, more secure environment for conducting business.
About Ali Marashi
Ali is the Senior Vice President of Engineering and Chief Technology Officer for vXchnge. Ali is responsible for all engineering, construction, network, and information technology functions for the company. Ali brings over 20 years of experience in the development and support of engineering and IT systems. Prior to joining vXchnge, Ali served as Vice President of IBX Ops Engineering for Equinix. There he led the design of data center architecture and all critical infrastructure and control systems for North America. Prior to joining Equinix, Ali served many executive positions for Switch & Data and Internap.