At a conference recently, I heard a speaker make a reference to cloud-based key management via a hardware security module, or HSM. What is an HSM? How do I know whether I need one, given all the other cloud security options we use?
The short answer is, if you haven't heard much about HSMs, you probably don't need one for information security -- at least, not yet. You can find plenty of other easier and cheaper options to secure your data.
HSMs are dedicated hardware systems specifically designed to store and manage private and public keys, such as those used with Secure Sockets Layer (SSL) certificates. Among the best-known HSM offerings is Amazon Web Services CloudHSM, which works inside the AWS cloud. AWS describes CloudHSM as a service that "allows customers to securely generate, store and manage cryptographic keys used for data encryption in a way that keys are accessible only by the customer."
These systems are useful if you need to run digital rights management or a public key infrastructure. They can also provide high levels of security for products that require it, particularly to ensure regulatory compliance.
But that's much more security than you need for most typical projects. Unless you are working with such information as classified government data, confidential medical information or building-identity systems, you probably don't need an HSM.