Earlier this week Amazon Web Services announced their new CloudHSM offering. Essentially, the service is a Luna SA appliance from SafeNet per tenant, and it can take at least two days to provision once ordered. The cryptographic assets are not accessible to AWS: AWS holds the appliance admin credentials, while the customer keeps both the HSM Admin and HSM Partition Owner credentials.
You can choose from multiple availability zones in the US East and EU West regions. CloudHSM is meant specifically for use in the AWS Virtual Private Cloud (VPC).
Ref: AWS CloudHSM
The addition of AWS CloudHSM is a welcome evolution in making the cloud more secure. However, it still leaves many problems unsolved. According to a recent publication on the “Cost of Failed Trust” by the Ponemon Institute, the average Global 2000 organization has more than 17,000 encryption keys and certificates spread across its network, a network that spans the enterprise's datacenter, virtual private clouds such as the AWS offering, and mobile devices.
Organizations need to be wary of siloed management of encryption keys and certificates. CloudHSM is only available for AWS Virtual Private Cloud workloads, which creates separate management silos for your AWS deployment, your datacenter deployment and your mobile devices. You need to make sure you implement a centralized key management solution in order to gain full visibility into your entire key and certificate inventory.
The only key difference between using an HSM on-premise and using AWS CloudHSM is the location of the HSM. You still need to be able to manage your entire key and certificate inventory, and CloudHSM is not going to provide you with this.
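To make the silo argument concrete, here is an added example (not code from the original post, from AWS or from Venafi) of what a centralized inventory check does that a per-silo view cannot: it merges exports from three hypothetical silos (an AWS CloudHSM partition in a VPC, an on-premise HSM and a mobile device store), then reports certificates approaching expiry, assets with no responsible owner on record, and the same key material appearing in more than one silo. All silo names, fingerprints, owners and dates are constructed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Asset:
    silo: str                  # where the asset lives (hypothetical silo names below)
    kind: str                  # "key" or "cert"
    fingerprint: str           # constructed short hex digest standing in for a SHA-256
    owner: str                 # responsible team; "" means nobody is on record
    not_after: Optional[date]  # expiry for certs, None for bare keys


# Constructed per-silo inventories. Real ones would be exported from the HSM
# partition, the issuing CA and the MDM respectively.
AWS_CLOUDHSM_INVENTORY = [
    Asset("aws-cloudhsm-vpc", "key", "ab12", "payments", None),
    Asset("aws-cloudhsm-vpc", "cert", "cd34", "payments", date(2013, 4, 15)),
]
ONPREM_HSM_INVENTORY = [
    Asset("onprem-hsm", "key", "ab12", "payments", None),       # same key as in AWS
    Asset("onprem-hsm", "cert", "ef56", "", date(2014, 1, 1)),  # no owner recorded
]
MOBILE_INVENTORY = [
    Asset("mobile-mdm", "cert", "9a8b", "mobility", date(2013, 4, 1)),
]


def merge_inventories(*silos: Iterable[Asset]) -> List[Asset]:
    """Flatten the per-silo exports into one list: the single pane of glass."""
    merged: List[Asset] = []
    for silo in silos:
        merged.extend(silo)
    return merged


def find_issues(assets: List[Asset], today: date, window_days: int = 30) -> Dict[str, List[str]]:
    """Findings only visible once all silos are in one inventory.

    expiring:   certs whose not_after falls within window_days of today (or is past)
    unowned:    assets with no responsible team recorded
    duplicated: one fingerprint present in more than one silo (key sprawl)
    """
    horizon = today + timedelta(days=window_days)
    expiring = sorted(
        a.fingerprint for a in assets
        if a.kind == "cert" and a.not_after is not None and a.not_after <= horizon
    )
    unowned = sorted(a.fingerprint for a in assets if not a.owner)
    silos_by_fp = defaultdict(set)
    for a in assets:
        silos_by_fp[a.fingerprint].add(a.silo)
    duplicated = sorted(fp for fp, silos in silos_by_fp.items() if len(silos) > 1)
    return {"expiring": expiring, "unowned": unowned, "duplicated": duplicated}


def sample_report() -> Dict[str, List[str]]:
    """Run the check over the constructed silos as of a fixed, constructed date."""
    assets = merge_inventories(AWS_CLOUDHSM_INVENTORY, ONPREM_HSM_INVENTORY, MOBILE_INVENTORY)
    return find_issues(assets, today=date(2013, 3, 29))


if __name__ == "__main__":
    for category, fingerprints in sample_report().items():
        print(f"{category}: {fingerprints}")
```

Note that the duplicated key `ab12` is invisible from either HSM's own admin view; it only shows up once the AWS and on-premise inventories are merged, which is exactly the visibility the post argues a CloudHSM alone does not give you.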
Make sure you deploy a key and certificate management platform that, from a single pane of glass, can manage the encryption keys stored within the HSM, be it AWS CloudHSM or a locally installed one. Venafi Encryption Director manages any key, any certificate, anywhere.