Amazon Web Services (AWS) is adding a single-tenant, secure hardware cloud appliance to its usual software services to give customers an extra-secure method of storing encryption keys, issuing digital signatures and executing digital rights management in compliance with strict regulations.
AWS CloudHSM uses Safenet’s Luna-SA appliances. AWS is making them available in EC2 only to Virtual Private Cloud customers, who access their virtual servers over virtual private networks and use other security precautions. The appliance is given an IP address within the virtual private cloud and is accessible only to the customer contracting for it, even though Amazon monitors it and ensures that it remains up and running.
The availability of a hardware security module (HSM) inside Amazon’s EC2 allows a cloud user to store a cryptographic key, digital signature, digital rights, etc. in the cloud instead of having to maintain them on premises and upload them to an application in the cloud when they’re needed. Uploading keys on demand inevitably slows performance and adds to the time needed to get work done.
The appliance is an Ethernet device that is tamper-resistant and can call up and use a cryptographic key without exposing it outside the device’s boundaries. AWS CTO Werner Vogels considered the hardware addition significant enough to alert his thousands of Twitter followers. Noting virtual private clouds already come with security protection measures, he referred followers to an AWS blog post that said rigorous contractual or regulatory requirements in some cases require “additional protection.”
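The property described above, that an application can have a key used without the key ever leaving the device, is the whole point of an HSM. The following Python sketch is an added illustration, not code from AWS or SafeNet and not the Luna-SA interface: it models the boundary as a class that keeps key material private, hands callers only opaque handles, performs HMAC-SHA256 signing and verification internally, and refuses plaintext export. All names (`SimulatedHSM`, `KeyNotExportable`, the handle format) are constructed for the example.

```python
"""Simulated hardware security module (HSM) boundary.

Constructed illustration of the property described in the article: an
application asks the module to use a key and gets back only the result of the
operation, never the key bytes. Toy model using HMAC-SHA256; not SafeNet
Luna-SA or AWS CloudHSM code.
"""
import hashlib
import hmac
import os
import secrets


class KeyNotExportable(Exception):
    """Raised when a caller tries to read key material out of the module."""


class UnknownHandle(Exception):
    """Raised when a caller references a key handle the module never issued."""


class SimulatedHSM:
    """Holds key material privately and exposes only cryptographic operations."""

    def __init__(self):
        self._keys = {}      # handle -> raw key bytes; never returned to callers
        self._audit = []     # record of operations performed inside the boundary

    def _lookup(self, handle):
        if handle not in self._keys:
            raise UnknownHandle(handle)
        return self._keys[handle]

    def generate_key(self, label):
        """Create a 256-bit key inside the module and return an opaque handle."""
        handle = f"key-{secrets.token_hex(4)}"
        self._keys[handle] = os.urandom(32)
        self._audit.append(("generate", handle, label))
        return handle

    def sign(self, handle, data):
        """Compute an HMAC-SHA256 tag over data with the key behind handle."""
        key = self._lookup(handle)
        self._audit.append(("sign", handle, len(data)))
        return hmac.new(key, data, hashlib.sha256).digest()

    def verify(self, handle, data, tag):
        """Check a tag in constant time; the key stays inside the module."""
        key = self._lookup(handle)
        expected = hmac.new(key, data, hashlib.sha256).digest()
        self._audit.append(("verify", handle, len(data)))
        return hmac.compare_digest(expected, tag)

    def export_key(self, handle):
        """Plaintext export is always refused; the attempt is logged."""
        self._lookup(handle)
        self._audit.append(("export-refused", handle))
        raise KeyNotExportable(handle)

    def audit_log(self):
        """Return a copy of the operation log, the kind of trail a defender reviews."""
        return list(self._audit)


def sign_and_verify_demo():
    """Walk through generate, sign, verify, tamper and a refused export."""
    hsm = SimulatedHSM()
    handle = hsm.generate_key("release-signing")      # constructed label
    document = b"constructed sample payload"
    tag = hsm.sign(handle, document)
    verified = hsm.verify(handle, document, tag)
    tampered_verified = hsm.verify(handle, document + b"x", tag)
    try:
        hsm.export_key(handle)
        exported = True
    except KeyNotExportable:
        exported = False
    return {
        "verified": verified,
        "tampered_verified": tampered_verified,
        "exported": exported,
        "tag_len": len(tag),
        "audit_events": len(hsm.audit_log()),
    }


if __name__ == "__main__":
    print(sign_and_verify_demo())
```

The application code never holds a key; it holds a handle and receives tags. That is the contrast with the on-premises pattern the article mentions, where the key itself is uploaded into the application when needed and therefore passes through application memory on every use.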