
Utimaco HSM Business Unit · Aachen, Germany · ©2018 hsm.utimaco.com Page 1

CryptoServer Cloud Webinar, November 29th, 2018

Dr. Daniel Minder

Product Manager


Outline

▪ CryptoServer Cloud Architecture
▪ Features:
  ▪ Multi-Cloud Capabilities
  ▪ Migration
  ▪ Availability
▪ Use Cases


Some challenges

Secure your assets in the cloud with an HSM!

Voices on the slide (Enterprise / Business Unit, Business Line / Product management, Cloud):

"I want to secure my custom code in the cloud!"
"I want to have migration flexibility! Moving into the cloud is a challenge. Moving out could be an even bigger one."
"I want to implement our cloud strategy on multiple clouds!"
"I want to reduce capex vs opex."


Architecture

CryptoServer Cloud

Diagram: CryptoServer Se2 HSMs hosted in a data center, routing infrastructure, a data center for the customer's collocation, and the customer's public cloud applications on Azure, AWS and Google.


Multi-Cloud Demo

Two VMs from two different CSPs:

▪ Log into 34.214.199.233
▪ … 52.160.93.58


Multi-Cloud Demo

The same HSM can be seen from all VMs and the Key Store is empty:

▪ AWS
▪ Azure


Multi-Cloud Demo

Create a key:

▪ In AWS only!
▪ In Azure, it's there


Multi-Cloud Demo

Encrypt some data in AWS:

▪ It's really encrypted…
▪ We can transmit it now, e.g. in a mail (base64)


Multi-Cloud Demo

Receive and decrypt the data in Azure:

▪ In Azure


Migration made easy

Your Cloud Journey:

▪ Start testing with the simulator
▪ Migrate to an on-premise HSM
▪ Connect your on-premise HSM with the cloud via VPN (Host Your Own Key)
▪ Migrate to CryptoServer Cloud
▪ Migrate to other Cloud Service Providers – stay on the same HSM(s)!
▪ Migrate back or use the buy-out option


Unique Features

CryptoServer Cloud

Utimaco offers you a reliable and trustworthy HSM-as-a-Service that helps you secure your assets in the cloud:

▪ Long-term architectural fit & risk management
▪ Migration strategies in & out of the cloud
▪ Accessible from major cloud service providers (CSPs)
▪ No lock-in to a specific CSP due to multi-cloud capability
▪ Standard HSM as available on premise with all standard features, e.g. 2-factor auth
▪ Simulator for service design and testing
▪ Dedicated HSM with full administrative rights
▪ Run your most sensitive & valuable custom code in the secure perimeter of the HSM
▪ Low latency: short RTD from your HSM to your cloud-based applications
▪ Best service possible: get the Cloud HSM SLA from the HSM vendor!


Service Levels

CryptoServer Cloud

▪ For HSM: MTBF 90,000 hours
▪ For connection:
  ▪ 99% availability with a single connection
  ▪ 99.99% availability with redundant connections
▪ Response time for cloud service:
  ▪ 8/5 standard support: 8 business hours
  ▪ 24/7 premium support: 4 hours
▪ Utimaco manages CSLAN completely and in agreement with the user, e.g. to perform hardware maintenance or software updates
▪ Complete hardware replacements will be done when technically needed, e.g. before EOL

For details see the CryptoServer Cloud T&Cs.


Why a dedicated HSM administered by the customer?

▪ In a shared HSM, custom firmware should not be allowed
  ▪ Possibility of cache attacks etc.
▪ Virtualized HSMs could be moved (which can be intended behavior), but who guarantees security of stored state under all circumstances?
▪ Subpoenas, US CLOUD Act
▪ Only a dedicated HSM administered by the customer guarantees full security!


Advantages of CryptoServer Cloud

Compared to typical KMS and AWS Cloud HSM

▪ Vs. Azure Key Vault, AWS KMS & Google KMS
  ▪ Better migration in & out: all KMS have very limited import & export functionality
  ▪ More functionality: key types and algorithms are limited in KMS
  ▪ Run your own code with SecurityServer SDK
  ▪ Standard interfaces: only proprietary for KMS, no PKCS#11/CNG/JCE support
  ▪ Quorum authentication possible: KMS use cloud-specific IAM
  ▪ Customer always in full control: KMS is basically a software layer/protection
  ▪ FIPS Level 3: KMS max level 2 so far
▪ Vs. AWS Cloud HSM
  ▪ More functionality: no FIPS restriction with normal SecurityServer package
  ▪ Run your own code with SecurityServer SDK
  ▪ Two-factor authentication: AWS HSM has password auth only
  ▪ Customer always in full control: in AWS HSM the user gets only a slot
  ▪ Available from major clouds, also at the same time!
  ▪ High availability: no SLA defined for AWS HSM


Availability

CryptoServer Cloud

Locations: Santa Clara, Frankfurt, Hong Kong


Availability in Cloud Regions of AWS, Azure and Google

CryptoServer Cloud

(Map slide built up over three steps: AWS regions; AWS and Azure regions; AWS, Azure and Google regions.)


Why do customers need a Cloud HSM?

                 Large(r) companies        OEMs (& VARs)
Why cloud        OPEX instead of CAPEX     No own infrastructure
Pain point       Risk management           Functionality

CSPs are missing:

• CSP independence
• Easy migration between clouds and into and out of the cloud
• Multi-cloud capabilities
• Customizable HSMs
• Multi-tenancy
• Ability to run own code in the HSM

…and are not satisfied with AWS/Azure/Google KMS or HSM?

▪ Combinations are possible!
▪ Commonalities, e.g. certification requirements


Use Cases

CryptoServer Cloud

Run your PKI in the cloud

▪ Remember: the connection between PKI and HSM is the same as for on-premise installations – it's just an IP address!
▪ High availability with >1 HSM in cluster mode (as for on-premise) and redundant cloud connection

Diagram: Your Company – private cloud connection – VPC – PKI


Use Cases

CryptoServer Cloud

Create your cloud-based applications offering end customer services

Diagram: Your Company – private cloud connection – VPC with Your Application and Web / App tiers – secured IP connections (e.g. TLS) – Your Customer 1 … Your Customer n


Thank you!

Dr. Daniel Minder
Product Manager
[email protected]

Utimaco IS GmbH
Germanusstraße 4
52080 Aachen
Germany
Tel +49 241 1696 200
Fax +49 241 1696 199
Email [email protected]

Utimaco Inc.
Suite 150
910 E Hamilton Ave
Campbell, CA 95008
United States of America
Tel +1 844 884 6226
Email [email protected]