Utimaco HSM Business Unit · Aachen, Germany · ©2018 hsm.utimaco.com Page 1
CryptoServer CloudWebinar, November 29th, 2018
Dr. Daniel Minder
Product Manager
Utimaco HSM Business Unit · Aachen, Germany · ©2018 hsm.utimaco.com Page 2
▪ CryptoServer Cloud Architecture
▪ Features:
▪ Multi-Cloud Capabilities
▪ Migration
▪ Availability
▪ Use Cases
Outline
Utimaco HSM Business Unit · Aachen, Germany · ©2018 hsm.utimaco.com Page 3
Some challenges
Secure your assets in the cloud with an HSM!
I want to
secure my
custom code
in the cloud!
I want to have
migration flexibility!
Moving into the cloud
is a challenge.
Moving out could be
an even bigger one.
I want to
implement our
cloud strategy on
multiple clouds!
I want to
reduce capex
vs opex
Enterprise /
Business Unit
Business Line / Product management
CloudCloud
Utimaco HSM Business Unit · Aachen, Germany · ©2018 hsm.utimaco.com Page 4
Architecture
CryptoServer Cloud
Data center
CryptoServer Se2
Routing
infrastructure
Data center
Customer’s
collocation
Customer’s public cloud applications
Azure AWS Google
Utimaco HSM Business Unit · Aachen, Germany · ©2018 hsm.utimaco.com Page 5
▪ Log into 34.214.199.233
▪ … 52.160.93.58
Two VMs from two different CSPs
Multi-Cloud Demo
Utimaco HSM Business Unit · Aachen, Germany · ©2018 hsm.utimaco.com Page 6
▪ AWS
▪ Azure
Same HSM can be seen from all VMs and Key Store is empty
Multi-Cloud Demo
Utimaco HSM Business Unit · Aachen, Germany · ©2018 hsm.utimaco.com Page 7
▪ In AWS only!
▪ In Azure, it’s there
Create a key
Multi-Cloud Demo
Utimaco HSM Business Unit · Aachen, Germany · ©2018 hsm.utimaco.com Page 8
▪ It’s really encrypted…
▪ We can transmit it now,e.g. in a mail (base64)
Encrypt some data in AWS
Multi-Cloud Demo
Utimaco HSM Business Unit · Aachen, Germany · ©2018 hsm.utimaco.com Page 9
▪ In Azure
Receive and decrypt the data in Azure
Multi-Cloud Demo
Utimaco HSM Business Unit · Aachen, Germany · ©2018 hsm.utimaco.com Page 10
Migration made easy
Your Cloud Journey
Start testing with the simulator
Migrate to an on-premise HSM
Migrate to
CryptoServer Cloud
Migrate back or use
buy-out option
Connect your on-premise HSM with the
cloud via VPN (Host Your own Key)
Migrate to other Cloud
Service Providers –
stay on the same HSM(s)!
Utimaco HSM Business Unit · Aachen, Germany · ©2018 hsm.utimaco.com Page 11
Utimaco offers you a reliable and trustworthy HSM-as-a-Service that helps you secure
your assets in the cloud:
▪ Long term architectural fit & risk management
▪ Migration strategies in & out of the cloud
▪ Accessible from major cloud service providers (CSP)
▪ No lock-in to specific CSP due to multi-cloud capability
▪ Standard HSM as available on premise with all standard features, e.g. 2-factor auth
▪ Simulator for service design and testing
▪ Dedicated HSM with full administrative rights
▪ Run your most sensitive & valuable custom code in the secure perimeter of the HSM
▪ Low Latency: Short RTD from your HSM to your cloud based applications
▪ Best service possible: Get the Cloud HSM SLA from the HSM vendor!
Unique Features
CryptoServer Cloud
Utimaco HSM Business Unit · Aachen, Germany · ©2018 hsm.utimaco.com Page 12
▪ For HSM: MTBF 90,000 hours
▪ For connection:
▪ 99% availability with a single connection
▪ 99.99% availability with redundant connections
▪ Response time for cloud service:
▪ 8/5 standard support: 8 business hours
▪ 24/7 premium support: 4 hours
▪ Utimaco manages CSLAN completely and in agreement with user, e.g. to perform hardware maintenance or software updates
▪ Complete hardware replacements will be done when technically needed, e.g. before EOL
For details see CryptoServer Cloud T&Cs
Service Levels
CryptoServer Cloud
Utimaco HSM Business Unit · Aachen, Germany · ©2018 hsm.utimaco.com Page 13
▪ In a shared HSM, custom firmware should not be allowed
▪ Possibility of cache attacks etc
▪ Virtualized HSMs could be moved (which can be intended behavior), but who guarantees security of stored state under all circumstances?
▪ Subpoenas, US Cloud Act
▪ Only a dedicated HSM administered by customer guarantees full security!
Why a dedicated HSM administered by customer?
Utimaco HSM Business Unit · Aachen, Germany · ©2018 hsm.utimaco.com Page 14
▪ Vs. Azure Key Vault, AWS KMS & Google KMS
▪ Better migration in&out: all KMS have very limited import&export functionality
▪ More functionality: key types and algorithms are limited in KMS
▪ Run your own code with SecurityServer SDK
▪ Standard interfaces: only proprietary for KMS, no PKCS#11/CNG/JCE support
▪ Quorum authentication possible: KMS use cloud specific IAM
▪ Customer always in full control: KMS is basically a software layer/protection
▪ FIPS Level 3: KMS max level 2 so far
▪ Vs. AWS Cloud HSM
▪ More functionality: no FIPS restriction with normal SecurityServer package
▪ Run your own code with SecurityServer SDK
▪ Two factor authentication: AWS HSM has password auth only
▪ Customer always in full control: In AWS HSM user gets only a slot
▪ Available from major clouds, also at the same time!
▪ High availability: No SLA defined for AWS HSM
Compared to typical KMS and AWS Cloud HSM
Advantages of CryptoServer Cloud
Utimaco HSM Business Unit · Aachen, Germany · ©2018 hsm.utimaco.com Page 15
Availability
CryptoServer Cloud
Santa Clara
Frankfurt
Hong Kong
Utimaco HSM Business Unit · Aachen, Germany · ©2018 hsm.utimaco.com Page 16
Availability in Cloud Regions of AWS
CryptoServer Cloud
Utimaco HSM Business Unit · Aachen, Germany · ©2018 hsm.utimaco.com Page 17
Availability in Cloud Regions of AWS, Azure
CryptoServer Cloud
Utimaco HSM Business Unit · Aachen, Germany · ©2018 hsm.utimaco.com Page 18
Availability in Cloud Regions of AWS, Azure and Google
CryptoServer Cloud
Utimaco HSM Business Unit · Aachen, Germany · ©2018 hsm.utimaco.com Page 19
Large(r) companies OEMs (&VARs)
Why cloud OPEX instead of CAPEX No own infrastructure
Pain point Risk management Functionality
CSPs are
missing
• CSP independence
• Easy migration between clouds and
into and out of the cloud
• Multi-cloud capabilities
• Customizable HSMs
• Multi-tenancy
• Ability to run own code in the HSM
…and are not satisfied with AWS/Azure/Google KMS or HSM?
Why do customers need a Cloud HSM?
▪ Combinations are possible!
▪ Commonalities, e.g. certification requirements
Utimaco HSM Business Unit · Aachen, Germany · ©2018 hsm.utimaco.com Page 20
▪ Remember: Connection between PKI and HSM is the same as for an on-premiseinstallations – it‘s just an IP address!
▪ High availability with >1 HSM in cluster mode (as for on-premise) and redundant cloud connection
Run your PKI in the cloud
Use Cases
CryptoServer Cloud
Your
Company
VPC
Private cloud connection
PKI
Utimaco HSM Business Unit · Aachen, Germany · ©2018 hsm.utimaco.com Page 21
Use Cases
CryptoServer Cloud
Your
Company
Your
Customer 1
VPC
Web / App
Private cloud connection
Your
Customer n
Your
Application
Web / App...
Create your cloud-based applications offering end customer services
Secured IP connections (e.g. TLS)
Utimaco HSM Business Unit · Aachen, Germany · ©2018 hsm.utimaco.com Page 22
Utimaco IS GmbH
Germanusstraße 4
52080 Aachen
Germany
Tel +49 241 1696 200
Fax +49 241 1696 199
Email [email protected]
Utimaco Inc.
Suite 150
910 E Hamilton Ave
Campbell, CA 95008
United States of America
Tel +1 844 884 6226
Email [email protected]
Product Manager
Thank you!
Dr. Daniel Minder