AWS CloudHSM uses Safenet's Luna-SA appliances. AWS is making them available in EC2 only to Virtual Private Cloud customers, who access their virtual servers over virtual private networks and use other security precautions. The appliance is given an IP address within the virtual private cloud and is accessible only to the customer contracting for it, even though Amazon monitors it and ensures that it remains up and running.
The availability of a hardware security module (HSM) inside Amazon's EC2 allows a cloud user to store a cryptographic key, digital signature, digital rights, etc. in the cloud instead of having to maintain them on premises and upload them to an application in the cloud when they're needed. The latter inevitably slows performance and adds to the time needed to get work done.
The appliance is an Ethernet device that is tamper-resistant and can call up and use a cryptographic key without exposing it outside the device's boundaries. AWS CTO Werner Vogels considered the hardware addition significant enough to alert his thousands of Twitter followers. Noting virtual private clouds already come with security protection measures, he referred followers to an AWS blog post that said rigorous contractual or regulatory requirements in some cases require "additional protection."
[ What will it take for users to feel safe in a public cloud? Public Cloud Concerns Remain Strong: Survey. ]
When it came to security keys themselves, "Until now, organizations' only options were to maintain data in on-premises datacenters or deploy local HSMs to protect encrypted data in the cloud. Unfortunately, those options either prevented customers from migrating their most sensitive data to the cloud or significantly slowed application performance," AWS said in its blog post.
Amazon released a whitepaper this month describing its existing AWS security measures.
An Amazon FAQ suggested CloudHSM would be good for encrypting databases in the cloud, storing the keys of public key infrastructure, authentication and authorization, document signing, digital rights management, and transaction processing.
Amazon will charge a one-time fee $5,000 to set up the CloudHSM and $1.88 per hour or $1,373 per month on average thereafter until the CloudHSM is terminated. As usual with a new service, it is available only in AWS's U.S. East data center in Ashburn, Va. in the U.S., and at its Dublin, Ireland, facility in Europe. Amazon did not say whether CloudHSM would also become available in its other regional centers in the U.S. or around the world.