One of the major concerns with moving apps and data to a public cloud provider is security. Plenty of questions come up when you move data to the cloud: How can I ensure the security of data in transit? How do I control access to that data? Should I use encryption software for data at rest? AWS offers many services relating to security and encryption that can be used to protect the data and apps you move to the cloud. In this blog post, we will look at one data-at-rest encryption service released by AWS.
CloudHSM is a cloud-based hardware security module (HSM) service used to store customer encryption keys in the cloud. CloudHSM lets customers add high-performance cryptographic operations to AWS-based applications. The service is built on physical HSM devices provisioned by AWS and dedicated to the customer within the customer's VPC private subnets, and the customer can start or stop HSMs on demand.
The HSMs are physically handled by AWS, while customers store and rotate keys, start and stop the devices, and manage access permissions. AWS takes care of device provisioning, software patching, backup and high availability. The physical device used by CloudHSM is tamper-proof and is equipped to wipe its data automatically and completely if it detects unauthorized access or handling. Multiple physical devices can be provisioned to form a cluster for high availability and key replication within CloudHSM. Customers are charged an hourly fee for each HSM running within their VPC/account.
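The cluster layout described above, written as a Terraform configuration (an added example, not code from the original post or from AWS): two HSMs in two private subnets of the customer's VPC, one per Availability Zone, so the cluster stays available and keys are replicated if one device or zone is lost. It assumes an existing VPC whose private subnet IDs are passed in through the `private_subnet_ids` variable, and that AWS provider credentials are configured separately.

```hcl
# Added example (not from the original post): an AWS CloudHSM cluster with two
# HSMs in two private subnets, one per Availability Zone, so the cluster keeps
# serving and replicating keys if one device or AZ is lost.
# Assumptions: the VPC and its private subnets already exist and their IDs are
# supplied via the variable below; provider credentials are set up out of band.

variable "private_subnet_ids" {
  description = "Private subnet IDs in at least two Availability Zones (assumed to exist)"
  type        = list(string)
}

# The cluster spans the private subnets; no public subnet is involved.
resource "aws_cloudhsm_v2_cluster" "keystore" {
  hsm_type   = "hsm1.medium"
  subnet_ids = var.private_subnet_ids

  tags = {
    Name = "cloudhsm-keystore"
  }
}

# One HSM per subnet: two devices give high availability and key replication,
# and each one is billed hourly while it is running.
resource "aws_cloudhsm_v2_hsm" "node" {
  count      = 2
  cluster_id = aws_cloudhsm_v2_cluster.keystore.cluster_id
  subnet_id  = var.private_subnet_ids[count.index]
}

output "cluster_id" {
  value = aws_cloudhsm_v2_cluster.keystore.cluster_id
}
```

After the resources are created, the cluster still has to be initialized and activated by the customer (signing the cluster certificate with the organization's own CA and creating the crypto officer user); that step is done outside Terraform and is what keeps key custody with the organization rather than with AWS.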
CloudHSM is a great fit for customers who have data protection compliance requirements within their organization and who want to ensure that nobody outside the organization manages the encryption keys. The pay-as-you-go pricing model for such a strong encryption service makes it easy for customers to use the service without any upfront payment.