3

This is exactly what I want to know. Cloud based HSM is expensive and I need to make sure of what to be paid for.

Tariq
  • 59
  • 6

2 Answers2

5

Primarily public-key cryptography. HSMs contain keypairs that chain back to trusted public roots, in the same way that SSL/TLS works. You can get a signed certificate from the device, and then verify that the certificate​ is signed by the manufacturer. (This is the same way you'd verify that an HSM in your physical possession is real and not a counterfeit.)

You're also trusting that the manufacturer and the certifying agencies with which they work are correct in their statements about the device's security, but that's no different than you have to do with an HSM in your possession.

The only difference in the threat models of on-prem vs. cloud HSMs is that in a cloud situation, my cloud provider can watch traffic and attempt to run commands on the HSM. However, the traffic is all encrypted and the device is at the very least password-protected (and will usually zeroize itself if too many failed login attempts occur), so my cloud provider can't actually access any cryptographic material or see what you're doing. The most they could see is how much traffic you're sending to the HSM, and if you're really paranoid you can have a system that adds random traffic to obfuscate usage patterns.

For more information, AWS has their answer to this question in their CloudHSM FAQs under "How do I know that I can trust CloudHSM appliances?" (you need to scroll down a bit, the docs don't support linking to a specific question, just a section)

turtlemonvh
  • 9,149
  • 6
  • 47
  • 53
LiVi
  • 329
  • 1
  • 4
  • 1
    Nice answer. Detailed explanation is in [SafeNet HSM Technical Note - How do I know the HSM in the Cloud is real?](https://safenet.gemalto.com/resources/Other/Data_Protection/How_do_I_know_the_HSM_in_the_Cloud_is_real__-_HSM_Technical_Note) – jariq Apr 07 '17 at 17:56
0

If a Cloud HSM provider state that it has been validated as being compliant with Payment Card Industry (PCI) Data Security Standard (DSS) you do not have to worry about their system.

Dedicated compliance firms Qualified Security Assessor inspect Cloud HSM providers and give regulatory approvals. Validation of compliance is performed annually by those Qualified Security Assessors. Entire credit card system based on those security of HSMs so those security requirements are extensive(not just checking HSM's are hardware). This is why Cloud HSM is expensive too.

Ahmet Arslan
  • 5,380
  • 2
  • 33
  • 35