On July 31, 2019, Alibaba Cloud announced the availability of the beta release of Managed HSM, a cloud-managed hardware security module (HSM) service. Via these FIPS 140-2 Level 3 validated HSMs, we are offering high security assurance for cryptographic keys, enabling you to protect your most sensitive workloads and assets, and to meet regulatory compliance.
FIPS 140-2 is a standard that specifies security requirements for cryptographic modules; its validation program assigns security level ratings to tested crypto modules. Level 3 validated modules provide physical tamper resistance and identity-based authentication. In addition, Level 3 requires physical or logical separation between the interfaces through which "critical security parameters" enter and leave the module. In plainer terms, no single identity or role is able to access the internal encryption keys of the HSM, which assures the security of the crypto keys hosted in the HSM.
Managed HSM is a fully managed, cloud-hosted hardware security module (HSM) service. Alibaba Cloud worked with third-party vendors to bring top-level security to your cryptographic keys.
For regions outside mainland China, Managed HSM provides FIPS 140-2 Level 3 validated HSM.
Refer to the NIST certification for more information regarding the crypto module.
Most validated modules also allow the use of non-approved algorithms, or running the HSM in a non-FIPS-approved mode. Alibaba Cloud ensures that Managed HSM only runs its HSMs in the FIPS-approved Level 3 mode of operation. In this mode, the vendor and Alibaba Cloud act as two separate roles when entering the HSM's critical security parameters (CSPs), making it impossible for either party to obtain the CSP plaintexts.
As a fully managed service, Managed HSM integrates tightly with Key Management Service (KMS) to bring its advantages to our customers: you can easily manage keys, versions and rotations, and get native integration with other cloud services at almost no development cost, while you do not need to worry about cluster management, scaling, HA, or building your own key management infrastructure (KMI) on top of terribly complex vendor APIs.
At the core of data security and business compliance lies the underlying cryptographic security. As a fundamental security and compliance element, an HSM with FIPS validation can help you accelerate the process of meeting your business or regulatory compliance requirements, such as PCI-DSS and HIPAA.
To use Managed HSM, you call KMS APIs to create keys in the HSM; all subsequent cryptographic operations are performed within the HSM boundary, and Managed HSM ensures that no one sees your keys. If you prefer BYOK (bring your own key), to gain even better control over the randomness, lifecycle and durability of your keys, you can securely wrap your key material with an exchange key that is available only inside the HSM; the HSM guarantees that the imported key material can never be exported.
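The BYOK flow described above, as an added example that is not from the original post or from the Alibaba Cloud SDK: the HSM is simulated locally in Python so the flow can be run offline, and the RSA-OAEP exchange key, the key identifier and the method names are assumptions, not Managed HSM's actual API.

```python
"""BYOK simulation (added example): the customer wraps locally generated key
material with the HSM's public exchange key; unwrapping and all use of the key
happen inside a stand-in 'HSM' that exposes no export operation."""
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM


def _oaep():
    # Assumed wrapping scheme: RSA-OAEP with SHA-256 (not Managed HSM's documented choice).
    return padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


class SimulatedHsm:
    """Stand-in for the HSM boundary: holds the private exchange key and the
    imported material, and offers only use-operations (encrypt/decrypt)."""

    def __init__(self):
        self._exchange_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        self._keys = {}

    def get_exchange_public_key(self):
        return self._exchange_key.public_key()  # only the public half leaves the module

    def import_key_material(self, key_id, wrapped):
        material = self._exchange_key.decrypt(wrapped, _oaep())  # unwrapped inside the boundary
        if len(material) != 32:
            raise ValueError("expected 256-bit AES key material")
        self._keys[key_id] = material  # stored, never returned to the caller

    def encrypt(self, key_id, plaintext, aad=b""):
        nonce = os.urandom(12)
        return nonce + AESGCM(self._keys[key_id]).encrypt(nonce, plaintext, aad)

    def decrypt(self, key_id, blob, aad=b""):
        return AESGCM(self._keys[key_id]).decrypt(blob[:12], blob[12:], aad)


def wrap_key_material(public_key, material):
    """Customer side: wrap the key material so that only the HSM can unwrap it."""
    return public_key.encrypt(material, _oaep())


def byok_roundtrip(message=b"constructed sample record"):
    """Run the import flow end to end and report what an observer could see."""
    hsm = SimulatedHsm()
    material = os.urandom(32)  # customer-controlled randomness for the key
    wrapped = wrap_key_material(hsm.get_exchange_public_key(), material)
    hsm.import_key_material("byok-key-1", wrapped)  # hypothetical key id
    recovered = hsm.decrypt("byok-key-1", hsm.encrypt("byok-key-1", message))
    return {"recovered": recovered, "wrapped_len": len(wrapped),
            "leaks_material": material in wrapped, "has_export": hasattr(hsm, "export_key")}
```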
Last but not least, KMS is integrated with other Alibaba Cloud services, including but not limited to ECS, RDS, OSS, NAS and MaxCompute, so you can secure the assets managed by these services and retain control over how and when they access your data.