nobeastsofierce - Fotolia

CloudHSM offers premium level of cloud security

AWS provides numerous customizable security options for its customers, but those in search of private access to dedicated hardware turn to CloudHSM.

Amazon Web Services' CloudHSM is not your mother's cloud security tool. And that's a good thing if you need the highest possible level of security and compliance in the cloud. CloudHSM is the first Amazon service to offer companies complete control of their most sensitive cloud data while in the public cloud.

"The question is: How risk-averse are you?" asked Pete Lindstrom, research director for security products for IDC. "[CloudHSM] is a way to tie things distributed across an architecture, and even up in the cloud, to something that's physical that's backed by a physical Hardware Security Module [HSM]."

But it's certainly not for everyone. "[CloudHSM] is a big security shotgun and most people just need a pistol," said Carl Brooks, a research analyst at 451.

Fewer than 1% of Amazon's customers fall in that category of those who need CloudHSM, said Rich Morrow, a cloud computing consultant who specializes in AWS. "For those who do need it, though, if it isn't there then they walk away."

Creating tangible trust

The technology behind CloudHSM is complex, but the premise is simple. Users have private access to dedicated hardware inside AWS data centers. This is a revolutionary idea given how a public cloud can feel -- and operate -- like a shared space, even if that shared space offers security.

Typically, an AWS customer sends encrypted data to the cloud, and then AWS encrypts it again. More security-conscious customers can take advantage of the new Amazon Key Management System, which lets them create and control encryption keys and store them on hardened HSMs.

Customers can choose from a wide array of AWS and third-party security offerings to take it a step further.

[CloudHSM] is a big security shotgun and most people just need a pistol.
Carl Brooksresearch analyst at 451

Amazon offers a high level of physical security -- locked data centers, background checks on employees, limits on which Amazon employees have access to certain types of data. For the vast majority of companies, this is more security in the cloud than they'll need. In fact, AWS is widely seen as offering the strongest security in the public cloud today.

But for a certain category of customers, this isn't secure enough. Before CloudHSM, "there was mutual trust in this scenario," said Brooks. "But the reality is, if AWS has encrypted your data, they can unencrypt it too. And that's where it can get tricky."

Customers who are legally or contractually required to maintain sole possession of encryption keys are unable to use the AWS Key Management Service because, in theory, AWS could gain access to the data.

"The question is: How can you create the strongest roots of trust?" Lindstrom asked. "These companies really need to separate out the key management from the actual content and encrypt all the steps to make sure a malicious hacker can't get access to the data. This is a surprisingly simple issue with surprisingly complex solutions, at least when it comes to the cloud."

With the existing AWS Key Management System, customers can create and store encrypted keys, but misplaced keys and other security hiccups can occur if customers are inattentive. With CloudHSM, security-sensitive customers can encrypt a master key that can encrypt other, lower level keys; those keys, in turn, can unlock bulk data. The master key is stored on the HSM (think Fort Knox) and only the customer has access to it. This is the highest level of security available today, according to Amazon published reports; it requires the creation of fewer keys, thus limiting the potential risk.

CloudHSM setup

To get started, customers can set up CloudHSM instances within their virtual private clouds with their own IP addresses. CloudHSM can also work with compatible on-premises HSMs to further secure key encryption. AWS takes care of the hardware, but has no access to encryption keys.

Prior to this, customers who couldn't get the level of necessary security in the cloud were forced into piecemeal options; secure information remained in on-premises data centers while other processes went to the cloud. Performance suffered, and often so did the bottom line.

The price of security

A free trial of CloudHSM is available in some cases, with an upfront fee of $5,000 per instance and monthly fees averaging $1,373 (in the U.S.), according to AWS estimates. But, for most, CloudHSM is not without cost.

Amazon created the high-end service based on demand from customers like Netflix. And it was a big change for a company that's always been fairly hands-on.

"This represents the first time AWS has deviated from its '100% we do everything ourselves' mantra," said Brooks. "This is a significant ice-breaker for AWS and is absolutely crucial for enterprise deals."

In some cases, customers just need to see security as something they can touch.

"There is just no substitute for having a hardware module-based security system," Morrow said.

And while other leading public clouds offer high-level security services, none of them are "out of the box" like CloudHSM. "With other public clouds, it's more flexible, sort of a 'we'll work with you to purchase your own HSM,'" said Brooks. "Others don't have this turnkey, built-in solution."

Next Steps

Do you need a hardware security module to protect your information?

How AWS Key Management Service bolsters cloud security

AWS cloud security and compliance win enterprise trust

Dig Deeper on AWS security