Tuesday, October 11, 2016

Asserting Data Ownership in Regulated Cloud

When deploying to the cloud, regulated companies need to be able to make unambiguous assertions about their data ownership.

The primary question about data ownership centers on who can access regulated data, and how to protect data from unintentional access by an unauthorized user.

It goes without saying that we expect data placed in a cloud environment to be encrypted. Both data in motion and data at rest are likely to be encrypted, with the encryption and decryption operations performed by the communication, application, middleware or base infrastructure tiers.

An encryption algorithm needs one or more keys to control how it scrambles or unscrambles stored data or streams of data in motion. A key is constructed from a stream of random bits. The longer that stream of bits, the harder the key is to guess or brute-force, and so the harder the encryption is to break.

Like a front-door key that controls access, the encryption key has value of its own, just as the data it protects does. For compliance purposes, a regulator typically needs confidence that the regulated company owns its keys and does not share them.

While there are many ways to store a key, protecting one robustly typically falls to a Hardware Security Module (HSM). An HSM is a tamper-resistant security appliance in which security parameters can be stored, exercised and retrieved using standard protocols and APIs.

https://en.wikipedia.org/wiki/Hardware_security_module

"A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing. These modules traditionally come in the form of a plug-in card or an external device that attaches directly to a computer or network server."

Cloud service providers recognized the need to provide customer-dedicated HSM devices.  With IBM Cloud's SoftLayer offering, a client can order an HSM from the management portal.  While some cloud providers can provide both logical (virtualized multi-tenant appliance) and physical HSM devices, IBM's approach favors regulated environments by exclusively offering a dedicated hardware option.

For assurance, when a client orders an HSM, IBM Cloud provides a physical single-tenant device delivered in factory state and accessible only from the customer's virtual LAN (VLAN). The client receives a one-time user ID and password and must configure the HSM with credentials that are never captured by or shared with IBM. IBM has no access to the HSM, except to monitor that it is powered and alive.

The working principle is that the regulated client never shares HSM access or encryption parameters with the cloud provider. On that basis, a customer subject to regulation can confidently assert that they uniquely own both their security parameters and their data.
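The custody model the post describes (key material generated from random bits inside a dedicated device, reachable by applications only through an API, protected by credentials the provider never sees) can be made concrete with a small Python model. This is an added example, not code from the post, from IBM or from Gemalto; the `SimulatedHsm` class, its method names and the constructed credentials are assumptions, and real devices are driven through PKCS#11 or vendor libraries rather than anything shown here. It goes a little beyond the post by showing a counter-mode KDF, so that per-purpose working keys can leave the module while the master key never does.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed model of the custody boundary an HSM provides: keys are generated
# inside the module, referenced only by an opaque handle, and used through
# sign/verify/derive operations. Not a real vendor API (assumption throughout).

KEY_BITS = 256  # a longer random key is harder to guess, as the post notes


class KeyExportError(Exception):
    """Raised when a caller asks for raw key material, which the device refuses."""


@dataclass
class SimulatedHsm:
    # Hypothetical credential state: the device ships with a one-time password
    # that the tenant must replace before any key operation is allowed.
    _one_time_password: str
    _password_hash: Optional[bytes] = None
    _keys: Dict[str, bytes] = field(default_factory=dict)
    _unlocked: bool = False

    def initialize(self, one_time_password: str, new_password: str) -> None:
        """Consume the factory one-time credential and set a tenant-owned one."""
        if not hmac.compare_digest(one_time_password, self._one_time_password):
            raise PermissionError("factory credential rejected")
        self._one_time_password = ""  # cannot be presented a second time
        self._password_hash = hashlib.sha256(new_password.encode()).digest()

    def login(self, password: str) -> None:
        if self._password_hash is None:
            raise PermissionError("device not initialized")
        digest = hashlib.sha256(password.encode()).digest()
        if not hmac.compare_digest(digest, self._password_hash):
            raise PermissionError("bad credential")
        self._unlocked = True

    def _require_session(self) -> None:
        if not self._unlocked:
            raise PermissionError("login required")

    def generate_key(self, label: str) -> str:
        """Create a key from KEY_BITS of CSPRNG output; return only a handle."""
        self._require_session()
        handle = f"{label}:{secrets.token_hex(8)}"
        self._keys[handle] = secrets.token_bytes(KEY_BITS // 8)
        return handle

    def export_key(self, handle: str) -> bytes:
        # Deliberately unsupported: keys are non-exportable by design.
        raise KeyExportError(f"key {handle!r} is non-exportable")

    def sign(self, handle: str, message: bytes) -> bytes:
        """HMAC-SHA256 tag computed inside the module."""
        self._require_session()
        return hmac.new(self._keys[handle], message, hashlib.sha256).digest()

    def verify(self, handle: str, message: bytes, tag: bytes) -> bool:
        self._require_session()
        return hmac.compare_digest(self.sign(handle, message), tag)

    def derive_data_key(self, handle: str, context: bytes) -> bytes:
        """SP 800-108 counter-mode style KDF: the derived working key leaves the
        module, the master key it came from does not."""
        self._require_session()
        block = (1).to_bytes(4, "big") + b"data-key" + b"\x00" + context
        return hmac.new(self._keys[handle], block, hashlib.sha256).digest()


def _otp_reusable(hsm: SimulatedHsm) -> bool:
    """Check whether the factory credential still works after initialization."""
    try:
        hsm.initialize("factory-otp-EXAMPLE", "someone-else-chosen")
        return True
    except PermissionError:
        return False


def tenant_workflow() -> dict:
    """Walk through onboarding as the post describes it and report the results."""
    hsm = SimulatedHsm(_one_time_password="factory-otp-EXAMPLE")  # constructed
    hsm.initialize("factory-otp-EXAMPLE", "tenant-only-secret")  # constructed
    hsm.login("tenant-only-secret")
    master = hsm.generate_key("tenant-master")

    record = b"account=12345;balance=100.00"  # constructed sample data
    tag = hsm.sign(master, record)
    tampered = b"account=12345;balance=999.00"

    try:
        hsm.export_key(master)
        exported = True
    except KeyExportError:
        exported = False

    return {
        "verify_ok": hsm.verify(master, record, tag),
        "verify_tampered": hsm.verify(master, tampered, tag),
        "export_possible": exported,
        "otp_reusable": _otp_reusable(hsm),
        "derived_keys_differ": hsm.derive_data_key(master, b"db")
        != hsm.derive_data_key(master, b"backup"),
        "derived_key_bits": len(hsm.derive_data_key(master, b"db")) * 8,
    }


if __name__ == "__main__":
    for name, value in tenant_workflow().items():
        print(f"{name}: {value}")
```

The properties a regulator cares about map onto the returned dictionary: the tenant's credential replaces the factory one and the factory one stops working, signing and verification succeed only through the module, an export request fails, and derived data keys differ per context while the master key never leaves `_keys`.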

For more information, take a look at the link below or drop me a message.

https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=KUS12364USEN

3 comments:

  1. John,

    Well written and full of interesting insight. Do you ever see HSM physical hardware making its way to commodity hardware? Big iron has had it for years.

    Replies
    1. Great question Jeff. Thank you very much for asking.

      IBM Cloud uses Gemalto HSM appliance devices. They are considered an industry leader and have all of the appropriate certifications.

      In addition to an appliance device, Gemalto also makes similar capabilities available in a PCIe card form factor that can be installed into most commodity servers or integrated into an engineered/embedded device. In addition to their key management capabilities, these devices are most often used to accelerate encryption/decryption operations at custom hardware (or in-line) speed.

      https://safenet.gemalto.com/data-encryption/hardware-security-modules-hsms/pci-hsm/

      HSM devices are delivered with software libraries that enable secure access to key management and crypto capabilities from applications, OS or middleware.

      Additionally, IBM sells highly capable PCIe bus-attached crypto cards that can be deployed in System z mainframes, POWER systems, and selected x86 servers.

      http://www-03.ibm.com/security/cryptocards/

  2. This comment has been removed by the author.
