- Andreas Kroehnert
What is DPoD? A brief introduction.
Last week, WIRD Group announced the availability of our WIRD Data Protection on Demand (DPoD) service. But what is DPoD really?
All the following catchy phrases do sound great: "Zero upfront investment", "Up and running in less than 5 minutes", "Low TCO".
They sound great for the purchasing department and convince them of the DPoD advantages. But those in business and IT operations need a bit more "flesh on the bone". So please continue reading below:
The challenge: Make HSM protection easily available
Hardware Security Modules, or HSMs for short, have been around for a while. Designed to generate, manage and store cryptographic keys, they are the vault of the data center. However, these purpose-built tamper-proof appliances with dedicated crypto chips and circuits do have a quite significant price tag.
In order to manage on-premises HSMs according to best practices, there are precise operational procedures for accessing the device in security-sensitive environments. This may require multiple custodians and some form of two-factor authentication. Resiliency requirements will usually dictate that the service and its data be duplicated or backed up to a secondary site. The same is needed for the encryption keys, because there is nothing worse than encrypting data and then losing the keys.
No one wakes up in the morning feeling a sudden urge to buy some HSMs. Typically, you have the immediate need for some good coffee or tea. Should you have stringent compliance requirements, then the on-site HSM will be a no-brainer, but those situations are quite rare. More common is the increasing awareness that we are all potential victims of state-driven cyber attacks, and that a higher level of data protection is needed.
The solution: HSM service, but cloud-based
WIRD Group has been working with the market leader in hardware-based security for many years now. We have been advocates of the development of a service offering that provides cloud-based key management services. This would dramatically reduce the cost and deployment time for our customers and, of course, ease the burden of handling a complex crypto appliance in a secure environment.
Today we offer such a service in our WIRD Cloud. It is a service-oriented solution that allows you to easily and quickly onboard applications in a pay-as-you-go model with zero upfront investment. Virtually unlimited crypto management resources are available in an elastic manner, backed by a hardened HSM with the necessary FIPS certifications. It is managed locally in a trusted environment. Integration with other services via a REST interface gives you immediate access to crypto services as part of an Infrastructure as Code deployment model.
Data Protection On Demand is cloud and infrastructure agnostic and enables multi-tier management, including complete separation of duties, even when managing multiple levels of child accounts (virtual service providers).
Now let us sketch some scenarios for the implementation of such a DPoD service.
Integrations with other services
HSM on Demand - If there is no specific shopping tile
Set up and access an HSM on Demand service as a Root of Trust for your organization’s cryptographic operations.
This is a generic HSM on Demand (HSMoD) service which can be used for the supported HSM integrations on DPoD that are not yet available as a specific tile.
Use your HSM to generate and/or store cryptographic keys, establishing a common root of trust across all applications and services. Your key vault can also perform cryptographic operations such as encryption/decryption of Data Encryption keys, protection of secrets (passwords, SSH keys, etc.), and more.
Secure CyberArk Privileged Access Security Solution’s top-level encryption key within an HSM.
HSMoD for CyberArk provides a root of trust for CyberArk Privileged Access Security Solution’s top-level encryption key in an HSM. By generating the server key using HSM-based entropy, HSM on Demand provides secure key storage for CyberArk Privileged Access Security Solution’s system keys.
HSM on Demand for CyberArk secures the master key used within the vault, hosting it in a secure environment and thereby mitigating the risk of the master key being compromised.
The service provides additional advantages by managing keys and certificates within carefully designed cryptographic boundaries that use robust access control mechanisms so keys are only used for their authorized purpose.
Enable a secure Root of Trust for applications and services providing digital signatures for documents and code.
By using HSMoD for Digital Signing, you can protect the private keys associated with your signing application in an HSM service to prevent the private keys from being stolen or compromised.
By digitally signing software and firmware packages or electronic documents with an HSM as the root of trust, you can ensure the integrity of the signed data and establish the publisher’s identity while protecting the private keys associated with your signing application.
Bringing trust to blockchain transactions to perform the required crypto operations across the distributed system.
HSMoD for Hyperledger stores the private keys used by blockchain Hyperledger members to sign all transactions, and ensures that cryptographic keys cannot be used by unauthorized devices or people for a range of blockchain Hyperledger applications.
HSMoD for Hyperledger protects cryptographic keys, the blockchain system and digital wallets, while ensuring keys are readily available in the cloud once access is granted. HSMoD for Hyperledger provides high assurance security in data centers and the cloud, enabling multi-tenancy of blockchain identities per partition as proof of transaction and for auditing requirements. With HSMoD for Hyperledger, you can secure keys for every role in your Hyperledger framework.
Java Code Signer
HSM on Demand for Java performs code signing operations on Java artifacts using a signature key generated on an HSM.
With HSMoD for Java Code Signer you can generate and protect the private keys used to sign your Java application in an HSM to prevent the private keys from being stolen or compromised.
Security is significantly enhanced because signing keys and certificates are generated using HSM entropy and Java code signing crypto operations are performed inside the HSM on Demand service. In addition, this improves performance, as cryptographic operations are off-loaded from the signing servers.
Generate and secure your Microsoft Authenticode certificates on an HSM.
HSMoD for Microsoft Authenticode generates and secures Microsoft Authenticode certificates on an HSM and by doing so, provides hardened boundaries for Microsoft Authenticode digital certificates.
HSMoD Service integrates with Microsoft Authenticode to provide a trusted system for protecting the organizational credentials of the software publisher. An HSM on Demand Service secures the keys used by the code signing application within the HSM service. By using HSMoD for Microsoft Authenticode, users can ensure that relevant Microsoft systems, software and hardware products meet approved standards, and prevent signing keys being accessed by any unauthorized entity.
Microsoft Active Directory Certificate Services - ADCS
Secure the keys of your Microsoft Root Certificate Authority (CA) in an HSM.
HSMoD for Microsoft ADCS provides a root of trust for the Microsoft Certificate Authority (CA) signing key in an HSM. This enforces hardened boundaries for the CA's cryptographic signing key, which is used to issue trusted certificates for individuals, systems and devices.
Using an HSMoD service to secure the Microsoft ADCS root key ensures the security of the trust hierarchy.
By providing the root of trust for the CA's public key, Microsoft's security is bolstered, for example when configuring application servers hosting Microsoft ADCS in dispersed data centers.
Microsoft SQL Server
Off-load Microsoft SQL Server cryptographic operations to an HSM.
HSMoD for Microsoft SQL Server enables Microsoft SQL Server cryptographic operations on an HSM. The HSM provides the root of trust for storage of the keys used in Microsoft SQL Server, so that encryption keys do not reside with the encrypted data. Data can be encrypted using encryption keys that only the database user has access to in the HSMoD service, and cryptographic operations such as key creation, encryption and decryption can be offloaded to the HSM.
In conjunction with the HSMoD services from Data Protection On Demand, users can ensure secure storage of keys and cryptographic operations such as key creation, deletion, encryption, and decryption, using the Extensible Key Management (EKM) feature. Data can be encrypted by using encryption keys that only the database user has access to on the external EKM/HSM module.
This solution is ideal for on-premises or hosted Microsoft SQL Server environments.
Ensure that data encryption keys used by the native Oracle TDE feature are encrypted with a master key that resides within the HSM.
HSMoD for Oracle TDE provides secure storage of Oracle TDE encryption keys for on-premises or hosted Oracle Enterprise solutions instead of using Oracle Key Vault or Wallet.
The service can also be used in conjunction with Oracle Key Vault to further enhance the security of the encryption keys stored in a hardware device.
HSMoD for Oracle TDE ensures protection of the master key(s). Integration with the Oracle database is direct, using PKCS#11. By storing the master key, or Key Encryption Key (KEK), in an HSM, you can ensure that only authorized services are allowed to request decryption of the local Data Encryption Keys (DEKs).
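To make the KEK/DEK separation described here (and for the SQL Server EKM integration above) concrete, here is an added Go example that is not part of this post or of the DPoD product: a constructed Partition type stands in for an HSMoD partition, generates the master key (KEK) internally so it never leaves, and only releases unwrapped DEKs to clients on an authorization list. AES-GCM is used as a stand-in for the HSM's key-wrap mechanism; the Partition type, client names and authorization map are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Partition models one HSMoD partition: the KEK (TDE master key) is generated
// inside it and never leaves; callers only get WrapDEK and UnwrapDEK.
// Constructed stand-in for illustration, not the DPoD or PKCS#11 API.
type Partition struct {
	kek        cipher.AEAD
	authorized map[string]bool // client identities allowed to unwrap DEKs
}
// NewPartition generates a 256-bit KEK inside the partition.
func NewPartition(authorized map[string]bool) (*Partition, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(raw)
	if err != nil {
		return nil, err
	}
	kek, err := cipher.NewGCM(block) // AES-GCM stands in for the HSM's key wrap
	if err != nil {
		return nil, err
	}
	return &Partition{kek: kek, authorized: authorized}, nil
}
// WrapDEK returns nonce||ciphertext||tag; only this blob is stored with the data.
func (p *Partition) WrapDEK(dek []byte) ([]byte, error) {
	nonce := make([]byte, p.kek.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return p.kek.Seal(nonce, nonce, dek, []byte("tde-dek")), nil
}
// UnwrapDEK releases the DEK only to an authorized client and only if the blob is intact.
func (p *Partition) UnwrapDEK(client string, wrapped []byte) ([]byte, error) {
	if !p.authorized[client] {
		return nil, errors.New("client not authorized to unwrap DEK")
	}
	n := p.kek.NonceSize()
	if len(wrapped) < n {
		return nil, errors.New("malformed wrapped DEK")
	}
	return p.kek.Open(nil, wrapped[:n], wrapped[n:], []byte("tde-dek"))
}
```

The database side would keep only the wrapped blob next to its encrypted data and call UnwrapDEK at startup; a host not on the list, or a modified blob, gets an error instead of a key.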
HSM on Demand for PKI - Private Key Protection
Secure private keys belonging to Certificate Authorities responsible for establishing a PKI trust hierarchy.
Using HSMoD for PKI Private Key Protection establishes trust hierarchy by protecting your private keys, which are generated, stored and used within the confines of your dedicated HSM service.
By using HSMoD for PKI Private Key Protection, you can ensure the integrity of Root Certificate Authorities and corresponding Sub-CA certificates that are in turn used to sign user and device certificates.
Salesforce Key Broker
Create key material (tenant secrets) for Salesforce and manage your keys and security policies with Salesforce Shield across their lifecycle.
Key Broker for Salesforce enables you to retain control of your keys and align your key management policies across Salesforce environments. The key broker serves as a custodian of keys, providing a consolidated key management directory to manage, search and audit all keys.
Using the Key Broker On Demand for Salesforce, you can design and enforce policies, helping to ensure compliance. To further ensure the security and privacy of your data, you can Bring Your Own Key (BYOK) within the Data Protection On Demand service in the cloud.
Luna HSM Backup
Back up and restore your organization's on-premises Luna HSMs.
The Luna HSM Backup is an HSM on Demand (HSMoD) service offering that provides a dedicated backup and restore location for your organization's on-premises Luna HSMs. The Luna HSM Backup allows users to take cryptographic objects from a source Luna HSM partition (the partition that you are backing up) and securely store them on a destination partition (the Luna HSM Backup).
At the moment, DPoD does not support backing up PED authenticated partitions using the Luna Backup HSM.