Encryption is one of the basic building blocks for any organization containing sensitive data/information. Sensitive data compliant with data privacy regulations creates a brand value for your organization as your organization becomes less prone to data breaches. As we all know the strength of the encryption depends upon two critical factors
Security of the Keys
Key length is quantifiable and could be determined using the various encryption algorithms such as AES-128 or AES-256. On the other hand, the Security of the key is a subjective matter. As we all know, the more secure the keys are, private keys in asymmetric and shared keys in symmetric encryption, the more powerful the encryption landscape is.
In today’s article, we will compare Cloud-based HSM and On-prem HSM and try to
Find an answer for what criteria a customer should choose as the appropriate option for their organization’s crypto security.
As organizations step up their cloud journey as fast as possible to utilize the advantages of the cloud e.g. scalability, flexibility, cost-effectiveness, they have to parallelly think about data security in their IT landscape. This makes encryption, and subsequently HSMs, an inevitable component of an organization’s Cybersecurity strategy.Based on the use cases, we can classify HSMs into two categories: Cloud-based HSMs and On-Prem HSMsIn regards to the classification of HSMs (On-prem vs Cloud-based HSM), kindly be clear that the cryptographic technology is the same, but delivered via different methods.
On-prem HSMs are specifically useful for storing encryption keys when the organization wants complete control over their keys and policies without having any dependency on the Cloud Service Provider (CSPs). However, this comes at substantial upfront investment in terms of hardware, skilled resources, management software licenses managing the HSM cluster etc.
On-prem HSMs also make sense when an organization uses a secure application which is extremely sensitive to latency. The secure application uses an On-prem HSM only, thus avoiding the latency. Another important use case is where an application with intensive cryptographic operations is in use due to security best practices, technological designs, and/or performance requirements. On-prem HSM is also beneficial to organizations which operate in countries with strict regulatory/compliance requirements on data localization, and where Cloud Service Providers (CSP) may not have a local datacenter in that geographic location. It also benefits organizations with foreseeable workloads, where it is highly unlikely that the business requirements and transaction volumes will exceed the capacity of the HSM in the near future.
On the other hand, Cloud-based HSMs offer out-and-out advantages of the cloud in addition to conventional features of HSMs. To dig deeper, we can further classify the Cloud-based HSM into two categories: Public Cloud HSM Services and Third- Party HSM Services. Some Public Cloud HSM Services offer Single-tenant/dedicated or Multi-tenant services (e.g. AWS, Azure) whereas others offer only Multi-tenant services (e.g. GCP KMS, Oracle Key Vault) thus, these HSM Services are best suited for organizations which are dependent upon single Cloud Service Provider (CSP). In Third Party HSM Services, you can leverage multi-cloud platforms managed through the central management portal (e.g. DPoD) thus, these HSM Services are best suited for organizations with multi-cloud strategies. These HSM Services also offer use-case-based modular services to lessen data protection cost. Some examples of these services are Key Vault, Oracle TDE (Transparent Data Encryption), Code/Digital Signing etc.
Cloud-based HSMs are extremely helpful in the case of SMB (small and medium business) organizations which already have some other IT service dependencies, and substantial upfront investments for On-prem HSMs may not be feasible in terms of cost- effectiveness. Another classic Cloud-based HSM use case is where enterprises want to test or pilot multiple vendor HSM services with minimal upfront investments before committing to a vendor. Also, it is useful in organizations where the workloads are less in the organization/department and application performance and latency requirements are not stringent enough to require a dedicated, On-prem HSM. This model is suitable for smaller organizations which prefer a foreseeable and PAYG (pay-as-you-go) based financial model offered by the Cloud Service Provider (CSP) rather than high initial capital investments required by an On-prem HSM. Organizations/departments with highly variable workloads which might require elasticity (i.e. scaling up and scaling down of the HSM infrastructure) do come under the umbrella of Cloud-based HSMs as well.
Comparison at a Glance
No hardware required
# of hardware required including for resiliency, HA, Management Platform etc.
Included in the cost
Licenses may be required for each partition and Client Software
Easy with CSP documentation
Complex and skill dependent
Responsibility of CSP
Responsibility of the organization
Low as it’s a managed service from CSP
High as its managed by organization
SLA (Service Level Agreements)
Responsibility of CSP
Responsibility of organization
Operational Technical Knowledge
Medium with CSP’s documentation & vendor support
High as its managed by organization
Total Cost of Ownership
High specifically for low # of partitions
*CSP: Cloud Service Provider
The HSM service is certainly a critical component while designing and deciding the data privacy measures for your organization’s PKI infrastructure. The decision between Cloud- based HSM or On-prem HSM is a function of TCO (total cost of ownership), number and complexity of the use cases, business, regulatory, legal compliances, foreseeable growth in the volume of the sensitive data, divergent data sources, and choice of business applications to name a few. Although Cloud-based HSM Services are becoming more popular considering the fact that more and more organizations are jumping to the cloud for its numerous benefits. However, On-prem HSMs become critical in the case when Cloud Service Provider (CSPs) hit some limitations, although they are very few in the count. To conclude, one thing remains consistently clear: the benefits offered by Public Key Infrastructure (PKI) can be completely undermined if private keys are compromised. Protecting and managing those keys is, therefore, a critical requirement to ensure enterprise data security. HSMs, whether On-prem or Cloud-based, are the best options today to fulfil that requirement.
Dipanshu Bhatnagar is a Principal Consultant Cloud Security Specialty at Encryption Consulting working with PKIs, AWS Cloud Cryptographic services and tools, Google Cloud Cryptographic Services, and helping high profile clients towards their cloud journey with complete data privacy assurance.