Think about it: a Cloud HSM may be a great solution
Wikipedia defines it as follows: "A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing. These modules traditionally come in the form of a plug-in card or an external device that attaches directly to a computer or network server."
So I always thought of HSMs as on-premises hardware used almost exclusively by Certification Authorities to securely generate key pairs. It turns out that I recently came across some interesting situations where deploying an HSM, or rather a cloud HSM, would greatly benefit our current operations.
Looking at the three largest cloud providers, the offer is easy to understand:
AWS Cloud HSM - https://aws.amazon.com/cloudhsm/
Azure Dedicated HSM - https://azure.microsoft.com/en-us/services/azure-dedicated-hsm/
Google Cloud Platform HSM - https://cloud.google.com/hsm/
All three provide the ability to generate and use encryption keys on FIPS 140-2 Level 3 validated HSMs; the Azure product is also eIDAS Common Criteria EAL4+ certified.
So, if your organization needs to comply with PCI, managing the keys used to encrypt credit card data on your own HSM might be a good idea. The same could be said for managing the keys used to encrypt the personal data at rest that your organization must maintain in order to comply with GDPR.
You could also use your cloud HSM to offload SSL processing from your web servers while improving security, since the private keys are stored securely outside the web servers.
In our case we're using cloud HSMs to support an eSeal operation: Loqr will sign reports with its Qualified eSeals (issued by an EU Trusted Service Provider). But that's for another article.
Cheers!
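As an added illustration (not code from the article, nor from any of the three providers' SDKs), the following Go program shows the envelope-encryption pattern behind the PCI/GDPR use case above: the key-encryption key (KEK) lives only inside the HSM, the application generates a fresh data-encryption key (DEK) per record, and it stores only the HSM-wrapped DEK beside the ciphertext. The `hsm` type is an in-process stand-in for the device boundary; a real deployment would call the cloud HSM over PKCS#11 or the provider's API instead of holding the KEK in memory. All names and the sample record are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// hsm is a stand-in for the device boundary (assumption for this example):
// the KEK is created inside and is never returned to callers. Only wrap and
// unwrap operations cross the boundary, which is what a cloud HSM exposes.
type hsm struct {
	kek []byte
}

func newHSM() (*hsm, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &hsm{kek: k}, nil
}

func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aeadSeal encrypts with AES-256-GCM and prepends the random nonce.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// aeadOpen verifies the GCM tag, so any tampering is rejected.
func aeadOpen(key, blob, aad []byte) ([]byte, error) {
	g, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// WrapDEK encrypts a DEK under the KEK; the DEK is bound to a purpose label.
func (h *hsm) WrapDEK(dek []byte) ([]byte, error) {
	return aeadSeal(h.kek, dek, []byte("dek-wrap-v1"))
}

// UnwrapDEK recovers a DEK, failing if the blob was altered or belongs to another KEK.
func (h *hsm) UnwrapDEK(wrapped []byte) ([]byte, error) {
	return aeadOpen(h.kek, wrapped, []byte("dek-wrap-v1"))
}

// Envelope is everything the application persists: no plaintext key material.
type Envelope struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// EncryptRecord uses a fresh DEK per record so the HSM is touched once per
// record and the KEK never leaves it.
func EncryptRecord(h *hsm, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := aeadSeal(dek, plaintext, nil)
	if err != nil {
		return nil, err
	}
	wrapped, err := h.WrapDEK(dek)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord asks the HSM to unwrap the DEK, then decrypts locally.
func DecryptRecord(h *hsm, env *Envelope) ([]byte, error) {
	dek, err := h.UnwrapDEK(env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap failed: %w", err)
	}
	return aeadOpen(dek, env.Ciphertext, nil)
}

func main() {
	h, _ := newHSM()
	env, _ := EncryptRecord(h, []byte("constructed cardholder record")) // sample input
	pt, err := DecryptRecord(h, env)
	fmt.Printf("%s (err=%v)\n", pt, err)
}
```

The point of the split is that a compromised web or database server yields only ciphertext and wrapped DEKs; without access to the HSM's wrap/unwrap operation, neither can be opened, and per-record DEKs keep one unwrap from exposing the whole data set.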
Founder and CEO RevolSource, IT consultant, Ambassador of the Information Security Institute | Business tools to improve business efficiency and protect business.
IT Director
2 years ago: Hi Flavio, in this article published almost 3 years ago it's written that among the 3 cloud HSM providers (Microsoft, Amazon and Google), the Azure product is eIDAS compliant. Do you have information on whether AWS Cloud HSM is also eIDAS compliant already? Thanks and regards, Ivaylo
Director - Product Architect (Product&Engineering)
4 years ago: "In our case we're using cloud HSMs to support an eSeal operation - Loqr will sign reports with its Qualified eSeals (issued by an EU Trusted Service Provider). But that's for another article." Did you write the article? Regards...
Interesting article, I was always a bit skeptical about cloud HSMs too. I once heard from a guy who chose to go with a similar solution that they took that decision when they realized that their biggest risk was a rogue insider.