HSM in the Cloud – Azure Dedicated HSM

Published by Amy Nihad on

KT Secure - penetration testing, software code signing, hsm management

If you are using Microsoft Azure and require cryptographic services and secure key management, then Azure Dedicated HSM may be the solution for you.  Azure Dedicated HSM provides subscribers with single-tenant, FIPS 140-2 Level 3 validated devices that Microsoft manages and monitors but that the customer controls.

Microsoft has designed the Dedicated HSM service around SafeNet Luna Network HSM 7 (Model A790) appliances from Gemalto.  They are available in many Azure regions and are easily deployed and configured for high availability, and they may be paired across regions to protect against a region-level failure.  Once deployed, Dedicated HSM devices are reachable from your Azure virtual network and can also be used in a hybrid manner, with on-premises applications accessing the HSM over VPN connectivity.

Benefits of Azure Dedicated HSM

Azure Dedicated HSM offers many of the benefits of an on-premises HSM with the flexibility of being provisioned in the cloud.  The service is built on an industry-standard Hardware Security Module, so on-premises applications that already integrate with a Luna HSM can be migrated to the cloud, or operated in a hybrid mode, with little change.

  • Single-tenant devices
  • FIPS 140-2 Level 3 and eIDAS Common Criteria EAL4+ certified devices
  • Customer has full administrative control of the devices once provisioned
  • Customer can disable Microsoft's monitoring of the hardware (if desired)
  • High-performance solution supporting up to 10K RSA-2048 operations per second and 10 partitions
  • Hybrid support allowing keys to be stored on an on-premises Gemalto HSM or an Azure Dedicated HSM

Azure Dedicated HSM Use Cases

Azure Dedicated HSM is an appropriate solution for many use cases where strong encryption and the storage and management of digital key material are required.  A number of Azure services are not yet integrated with Dedicated HSM, so analyse your requirements and applications before finally settling on Azure Dedicated HSM.

Lift and Shift Application Migrations

Many organisations that require management and storage of digital keys will find the Azure Key Vault service to be more appropriate and cost effective.  However, Azure Dedicated HSM is appropriate if you are:

  • Migrating on-premises applications that already use an HSM to Azure Virtual Machines
  • Migrating applications from AWS CloudHSM Classic to Azure

Public Key Infrastructure (PKI)

In a PKI environment a Hardware Security Module is commonly used to create, store and manage the asymmetric key pairs used by the Certification Authority (CA) and Registration Authority (RA); the CA's signing key never leaves the module, and the CA software only asks the HSM to sign certificates and CRLs.  If you are running Active Directory Certificate Services (AD CS) on Azure Virtual Machines, then Azure Dedicated HSM is a good choice for you.

Transparent Data Encryption

Azure Dedicated HSM can currently be used to hold the master key that protects the Transparent Data Encryption (TDE) keys of SQL Server or Oracle databases: the database encryption key is wrapped by the HSM-resident key, so the HSM must be available for the database to open.

SSL/TLS Connection Establishment

When processing large numbers of SSL/TLS connections, host CPU utilisation can become an issue where performance is critical.  The RSA private-key operation performed in every full handshake (signing the key exchange, or decrypting the pre-master secret with legacy RSA key exchange) is CPU intensive because it is a modular exponentiation over 2048-bit integers.  To address this potential bottleneck, the server's private key can be kept in the HSM and the private-key operations offloaded to it, so the web server only ever holds a handle to the key.

Software Code Signing

A software code signing service allows end users, or the systems on which the software is installed, to verify that software images and updates come from a legitimate source and have not been altered in transit.  Our Software Code Signing service is used by premium automotive manufacturers to verify the software that is deployed to numerous vehicle Electronic Control Units (ECUs).  We use HSMs to offload the cryptographic operations performed by our service and to store the digital key material.
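The three HSM-backed operations described above (a CA key issuing certificates, a TLS server's private-key operation during the handshake, and code signing with verification on the target device) share one pattern: the application talks to the key only through a signing interface and never holds the private key itself. The Go program below is an added example written for this page, not code from KT Secure, Microsoft or Gemalto. It assumes an in-memory RSA key (`hsmSigner`) as a stand-in for a key in a Luna partition; in production a PKCS#11 binding to the appliance would implement the same `crypto.Signer` interface and the rest of the code would not change. The hostname `hsm.example`, the demo CA name and the firmware image bytes are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// hsmSigner stands in for a key held in an HSM partition: callers get only a
// crypto.Signer and never see private key material. A PKCS#11 binding to a Luna
// partition satisfies the same interface; here the key is an in-memory RSA key
// so the example runs without hardware (an assumption of this example).
type hsmSigner struct {
	key *rsa.PrivateKey
	ops int // private-key operations handed to the "HSM"
}

func (s *hsmSigner) Public() crypto.PublicKey { return &s.key.PublicKey }
func (s *hsmSigner) Sign(r io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	s.ops++
	return s.key.Sign(r, digest, opts)
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue has the CA's HSM-held key sign tmpl (PKI use case); parent == tmpl gives the self-signed root.
func issue(tmpl, parent *x509.Certificate, pub crypto.PublicKey, ca crypto.Signer) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, ca))))
}

// handshake runs one TLS handshake in-process over net.Pipe; the server's only
// private-key operation (the CertificateVerify signature) goes through the signer.
func handshake(cert tls.Certificate, roots *x509.CertPool) error {
	c, s := net.Pipe()
	srvErr := make(chan error, 1)
	go func() {
		defer s.Close()
		srvErr <- tls.Server(s, &tls.Config{Certificates: []tls.Certificate{cert},
			SessionTicketsDisabled: true}).Handshake() // nothing to write after the client's Finished
	}()
	err := tls.Client(c, &tls.Config{RootCAs: roots, ServerName: "hsm.example"}).Handshake()
	c.Close()
	if err != nil {
		return err
	}
	return <-srvErr
}

// Code-signing use case: RSA-PSS over the SHA-256 digest of the image, produced by
// the HSM-held key and checked on the target device with only the public key.
var pss = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: crypto.SHA256}

func signImage(k crypto.Signer, image []byte) ([]byte, error) {
	d := sha256.Sum256(image)
	return k.Sign(rand.Reader, d[:], pss)
}

func verifyImage(pub crypto.PublicKey, image, sig []byte) bool {
	d := sha256.Sum256(image)
	return rsa.VerifyPSS(pub.(*rsa.PublicKey), crypto.SHA256, d[:], sig, pss) == nil
}

// Run returns the private-key operation counts of the CA, TLS server and code-signing
// keys, and whether the genuine image and a tampered copy verify.
func Run() (ops [3]int, genuineOK, tamperedOK bool) {
	ca := &hsmSigner{key: must(rsa.GenerateKey(rand.Reader, 2048))}
	srv := &hsmSigner{key: must(rsa.GenerateKey(rand.Reader, 2048))}
	signer := &hsmSigner{key: must(rsa.GenerateKey(rand.Reader, 2048))}
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	srvTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "hsm.example"},
		DNSNames: []string{"hsm.example"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	caCert := issue(caTmpl, caTmpl, ca.Public(), ca)    // root: first operation on the CA key
	srvCert := issue(srvTmpl, caCert, srv.Public(), ca) // leaf: second operation on the CA key
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	if err := handshake(tls.Certificate{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srv}, roots); err != nil {
		panic(err)
	}
	image := []byte("ECU firmware 1.2.3 (constructed sample image)")
	sig := must(signImage(signer, image))
	tampered := append([]byte{}, image...)
	tampered[0] ^= 0x01 // a single flipped bit must be enough to fail verification
	return [3]int{ca.ops, srv.ops, signer.ops}, verifyImage(signer.Public(), image, sig), verifyImage(signer.Public(), tampered, sig)
}

func main() { fmt.Println(Run()) }
```

The operation counts are the point of the example: two certificate signatures on the CA key, exactly one signature on the server key for a full TLS 1.3 handshake, and one on the code-signing key per image. Those calls are the only traffic that would leave the application and travel to the appliance, so they are what you count against the 10K RSA-2048 operations per second figure when sizing a Dedicated HSM, and the verifying side (the TLS client, the ECU) needs nothing but the public key.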

When not to use Azure Dedicated HSM

Not all Azure services are integrated with Azure Dedicated HSM at the time of writing, including Azure Information Protection, Azure Disk Encryption, Azure Data Lake Store, Azure Storage, Azure SQL Database, and Customer Key for Office 365.  If you require key storage and management with customer-provided keys for any of these services, then Azure Key Vault should be investigated to see whether it meets your requirements.

Need help with your HSM?

KT Secure have extensive experience using and managing Hardware Security Modules.  Whether you are looking for advice on how to use an HSM in your PKI infrastructure, want to offload your cryptographic operations to an HSM, or are looking for someone to deploy and manage your HSMs, we can help.  Look here for more information about our HSM service offerings.

Although it may seem counterintuitive for an organisation to outsource the management of its HSMs to a third party, there are numerous business benefits:

  • Staff costs saved on both initial training and ongoing certifications
  • Frees key staff from administrative tasks so they can focus on higher-value business processes
  • Using an external supplier may provide more rapid deployment and business agility than internal resources
  • Ability to leverage external experience in best practices, process definitions and documentation support
  • Reduces vendor or solution lock-in by drawing on external expertise