On July 31, 2019, Alibaba Cloud announced the availability of the beta release of Managed HSM, a cloud-managed hardware security module (HSM) service. Via these FIPS 140-2 Level 3 validated HSMs, we are offering high security assurance for cryptographic keys, enabling you to protect your most sensitive workloads and assets, and to meet regulatory compliance.
FIPS 140-2 is a standard that provides security guidance for cryptographic modules; its validation program assigns security level ratings to tested crypto modules. Level 3 validated modules provide physical tamper resistance and identity-based authentication. What's more, the standard at Level 3 requires physical or logical separation between the interfaces by which "critical security parameters" (CSPs) enter and leave the module. Put more plainly, no single identity or role is able to access the internal encryption keys of the HSM, which assures the security of the crypto keys hosted in the HSM.
Managed HSM is a fully managed, cloud-hosted hardware security module (HSM) service. Alibaba Cloud worked with third party vendors to bring top-level security to your cryptographic keys.
For regions outside mainland China, Managed HSM provides FIPS 140-2 Level 3 validated HSM.
Refer to the NIST certification for more information regarding the crypto module.
Most validated modules also allow the use of non-approved algorithms, or running the HSM in a non-FIPS-approved mode. Alibaba Cloud ensures to our customers that Managed HSM only runs the HSMs in the FIPS-approved Level 3 mode of operation. In this mode, the vendor and Alibaba Cloud serve as two different roles when entering the HSM's critical security parameters, making it impossible for either party to obtain the CSP plaintexts.
As a fully managed service, Managed HSM tightly integrates with Key Management Service (KMS) to bring the advantages to our customers – you get to easily manage the keys, versions, rotations, native integration with other cloud services with almost no development cost, while you don't need to worry about cluster management, scaling, HA, or building your own KMI with terribly complex vendor APIs.
At the core of data security and business compliance lies the underlying cryptographic security. As a fundamental security and compliance element, an HSM with FIPS validation can help you accelerate the process of meeting your business or regulatory compliance requirements, such as PCI-DSS and HIPAA.
To use Managed HSM, you create keys in the HSM through the KMS APIs, and all subsequent cryptographic operations are performed within the HSM boundary; Managed HSM ensures that no one sees your keys. If you prefer BYOK, in order to gain even better control over the randomness, lifecycle, and durability of your keys, you can securely wrap your key material with an exchange key that is available only in the HSM, and the HSM guarantees that the imported key material can never be exported.
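The BYOK step above (wrap locally generated key material with an exchange key whose private half lives only in the HSM, then import the wrapped blob) can be exercised offline. The script below is an added example and is not Alibaba Cloud's code or the Managed HSM/KMS API; it assumes the `openssl` command line is available and simulates the HSM side by generating the RSA exchange key pair locally, since the real private exchange key never leaves the HSM. RSA-OAEP with SHA-256 is assumed as the wrapping scheme; the function and file names are constructed for this example.

```shell
#!/usr/bin/env sh
# Added example, not Alibaba Cloud's code: simulate a BYOK key-wrapping round trip.
# The HSM-side functions stand in for an HSM that holds the private exchange key;
# the customer-side function is the only part that would run outside the HSM.

WORK="$(mktemp -d)"

# Simulated HSM side: create the RSA-2048 exchange key pair. In a real deployment
# only the public half (exchange_pub.pem) is handed to the customer.
hsm_generate_exchange_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/exchange_priv.pem" 2>/dev/null &&
    openssl pkey -in "$WORK/exchange_priv.pem" -pubout -out "$WORK/exchange_pub.pem"
}

# Customer side: generate 256-bit AES key material from the local CSPRNG and wrap it
# with the public exchange key using RSA-OAEP (SHA-256 hash and MGF1).
# Only aes.key.wrapped is sent to the cloud; aes.key stays on the customer's system.
byok_wrap_key() {
    openssl rand -out "$WORK/aes.key" 32 &&
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/exchange_pub.pem" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -pkeyopt rsa_mgf1_md:sha256 \
        -in "$WORK/aes.key" -out "$WORK/aes.key.wrapped"
}

# Simulated HSM side: unwrap with the private exchange key. The recovered material
# would be stored inside the HSM boundary and never exported.
hsm_unwrap_key() {
    openssl pkeyutl -decrypt -inkey "$WORK/exchange_priv.pem" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -pkeyopt rsa_mgf1_md:sha256 \
        -in "$WORK/aes.key.wrapped" -out "$WORK/aes.key.unwrapped"
}

# Full round trip; returns 0 when the unwrapped material matches the original
# and the wrapped blob is not simply the plaintext key.
byok_roundtrip_ok() {
    hsm_generate_exchange_key && byok_wrap_key && hsm_unwrap_key || return 1
    cmp -s "$WORK/aes.key" "$WORK/aes.key.unwrapped" || return 1
    if cmp -s "$WORK/aes.key" "$WORK/aes.key.wrapped"; then return 1; fi
    return 0
}

# Size of the wrapped blob in bytes (256 for an RSA-2048 exchange key).
wrapped_size() {
    wc -c < "$WORK/aes.key.wrapped" | tr -d ' '
}

byok_roundtrip_ok && echo "BYOK round trip OK; wrapped blob is $(wrapped_size) bytes"
```

The point of the exercise is the trust boundary: the customer controls the randomness and retains a copy of `aes.key` for durability, while the only material that crosses the network is the OAEP-wrapped blob, which is useless without the private exchange key held inside the HSM.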
Last but not least, KMS is integrated with other Alibaba Cloud services, including but not limited to ECS, RDS, OSS, NAS, and MaxCompute, so you can secure your assets managed by these services and retain control over how and when they access your data.