On July 31, 2019, Alibaba Cloud announced the availability of the beta release of Managed HSM, a cloud-managed hardware security module (HSM) service. Via these FIPS 140–2 Level 3 validated HSMs, we are offering high security assurance for cryptographic keys, enabling you to protect your most sensitive workloads and assets, and to meet regulatory compliance.
What Is FIPS 140–2 Level 3 Validation?
FIPS 140–2 is a standard that provides security guidance for cryptographic modules; its validation program gives out security level ratings to tested crypto modules. Level 3 validated modules provide physical tamper-resistance, identity-based authentication. What’s more, the standard for level 3 requires physical or logical separation between the interfaces by which “critical security parameters” enter and leave the module — to put it in more readable form, no single identity or role is able to access the internal encryption keys of the HSM, hence assuring the security of crypto keys hosted in the HSM.
Alibaba Cloud Managed HSM Offering
Managed HSM is a fully managed, cloud-hosted hardware security module (HSM) service. Alibaba Cloud worked with third party vendors to bring top-level security to your cryptographic keys.
For regions outside mainland China, Managed HSM provides FIPS 140–2 Level 3 validated HSM.
Refer to the NIST certification for more information regarding the crypto module.
Approved Mode of Operation
Most validated modules would allow the usage of non-approved algorithms or running the HSM under non-FIPS approved mode. Alibaba Cloud ensures to our customers that Managed HSM would only run the HSMs under FIPS approved level 3 mode of operation — with this mode, the vendor and Alibaba Cloud serve as two different roles in entering the HSM’s critical security parameters, making it impossible for either party to obtain the CSP plaintexts.
Fully Managed Service
As a fully managed service, Managed HSM tightly integrates with Key Management Service (KMS) to bring the advantages to our customers — you get to easily manage the keys, versions, rotations, native integration with other cloud services with almost no development cost, while you don’t need to worry about cluster management, scaling, HA, or building your own KMI with terribly complex vendor APIs.
Using Managed HSM for Security and Compliance
At the core of data security and business compliance lies the underlying cryptographic security. As a fundamental security and compliance element, HSM with FIPS validation can help you accelerate the process to meet your business or regulatory compliance requirements, such as PCI-DSS and HIPPAA.
To use Managed HSM, you use KMS APIs to create keys in the HSM and all following cryptographic operations are performed within the HSM boundary — Managed HSM ensures that no one sees your keys. If you prefer BYOK, for the purpose of achieving even better control over the randomness, lifecycle, durability of your keys, you can do so by securely wrap your key with an exchange key that is only available in the HSM, and the HSM guarantees that the imported key material can never be exported.
Last but not least, because KMS is integrated with other Alibaba Cloud services, including but not limited to ECS, RDS, OSS, NAS, and MaxCompute. You can secure your assets managed by these services and retain control over how and when they access your data.