In a bid to improve data security, Amazon Web Services (AWS) has launched AWS CloudHSM, which uses a separate appliance to protect cryptographic keys used for encryption.
There are already a variety of alternatives for protecting sensitive data on Amazon's cloud. But for some applications and data that are subject to contractual or regulatory mandates for managing cryptographic keys, additional protections may be necessary. Here is where the CloudHSM (Hardware Security Module) fits in, according to Amazon.
Until now, organizations' only options were to keep data locally or to deploy equipment in-house to protect encrypted data in the cloud, which has a negative impact on application performance, it said.
The service is powered by a Luna SA appliance from SafeNet that has a tamper-resistant enclosure. An enterprise can store its keys on the unit and use them to encrypt and decrypt data, while having full control, according to Amazon. Potential applications include database encryption, authentication and authorization, document signing, and transaction processing.
Applications can be integrated using APIs such as Java JCA/JCE (Java Cryptography Architecture/Java Cryptography Extensions).
When an enterprise signs up for the service they receive single-tenant access to each appliance. The appliance appears as a network resource in a Virtual Private Cloud (VPC). Amazon has administrative credentials to the appliance, but those can only be used to manage the appliance. The separation of duties and role-based access control is a key part of the SafeNet Luna SA, according to Amazon.
A VPC allows IT staff to create an isolated section of Amazon's cloud where they can launch resources in a virtual network defined by themselves, including public subnets, private subnets, and hardware VPN access.
CloudHSM costs US$5,000 up front for each unit plus $1.88 per hour as long as the appliance is available to use. All that amounts to an average cost of $1,373 per month, Amazon said. The company will also charge for network data transfers in and out of each unit that exceeds 5,000GB per month at a rate of $.02 per GB.
There is no additional charge for using the VPC in the standard setup. However, if an enterprise chooses to connect using a hardware VPN gateway, they are charged $0.05 per hour.
CloudHSM is now available in multiple zones in the US East (Northern Virginia) and EU West (Ireland) regions. Amazon will add more regions throughout the year based on customer demand.
To help convince enterprises that its cloud has what it takes to secure sensitive data, the company has created the AWS Security & Compliance Center.
Here the company has published security and compliance information, including the various certifications it has been awarded and are working on getting. There are also details about the security features it offers, including multi-factor authentication and support for server-side and client-side encryption in S3 (Simple Storage Service).