HSM-as-a-Service: 10 Questions You Should Ask

Hardware security modules (HSMs) are used for generating and protecting cryptographic keys, as well as performing cryptographic operations within a secure hardware environment.

HSMs are employed in many use cases, such as enterprise key management,  public key infrastructure (PKI), data encryption, code signing, and blockchain wallets, and their use is often mandated within the banking and financial services industry for compliance with PCI-DSS.

Why HSM-as-a-Service?

As a growing number of organizations adopt HSMs to meet ever-more-stringent security and privacy requirements, they are increasingly adopting HSM-as-a-Service (HSMaaS) rather than buying and operating their own HSMs.

There are several good reasons for this:

• Many organizations today are either cloud-native or actively migrating to cloud and eliminating their on-premises infrastructure;
• Standalone HSMs are notoriously difficult to operate, maintain and update, and the necessary skills and resources are hard to find;
• HSMs typically have a short lifecycle and need to be replaced every 3-5 years;
• HSMaaS doesn’t require a significant up-front investment in hardware and services;
• With HSMaaS, you only pay for what you need, and you can flex this either up or down

Questions You Should Ask

If you are looking to use HSMaaS, which questions should you ask prospective suppliers to make sure you are getting the best value for money?

1. Can I choose where the service is hosted?

Service location can be important for sovereignty, regulatory compliance, and/or latency. Check that the service provider can provide their service locally within your region and does not use other regions for DR or backups.

2. How is high availability (HA) provided?

HSMs are often used by mission-critical applications that demand very high availability. Does the supplier provide you with a single, dedicated HSM (or HSM partition), or is the service provided by a large cluster of HSMs fronted by a load balancer such that any HSM in the cluster can service your requests to provide tolerance against multiple points of failure?

Does the service remain available during software updates and maintenance? Does the vendor offer an availability SLA?

3. How is disaster recovery (DR) provided?

Disasters can happen, is your supplier prepared for the complete loss of a data centre? How many data centres are employed by the service to protect against disasters?

Is DR failover seamless and transparent? If not, then what are the Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)?

4. How are my keys protected?

Any compromise of your keys could lead to loss of data confidentiality and/or integrity. What is the security architecture of the HSM? Is the code written in a secure programming language such as Rust?

Does it take advantage of a Trusted Execution Environment (TEE) to protect against zero-day vulnerabilities in the underlying system? Does it use a hardened, open-source operating system or a closed-source OS?

Is it certified to standards such as FIPS 140-2 Level 3, PCI-DSS, and SOC 2 Type II? Does the supplier have access to any master keys?

5. How does the solution scale to meet my future needs?

The service should be capable of growing seamlessly to meet your evolving needs. How is capacity/performance licensed? For example, what are the limits on the number of HSMs, partitions, keys, users, applications, operations/month, burst rate?

What happens if I exceed my allowance? How easy is it to upgrade? Are there other capacity and performance limits?

6. What security and compliance controls are available?

Security and compliance are meaningless without the right controls. Does the service support role-based access controls with custom roles as well as user-defined policies such as cryptographic policies, M-of-N quorum approval policies, and key rotation policies? Can you integrate it with your existing SSO and SIEM tools?

7. How easy is the service to use?

Ease-of-use is not only about reduced friction, but also avoiding potential user errors that could cause harm. Does the service offer a web-based management console that is intuitive and easy to use, allowing you to manage all your keys, users, and HSM applications through a single user interface?

Are there integration wizards and on-line documentation to make on-boarding new use cases quick and easy? Does the supplier offer a free trial, free training, and free support for you to fully evaluate all aspects of the service?

8. What additional value-add functions are available / included?

Multi-functional products can save you time and money as well as reducing your vendor base.

In addition to basic HSM functions, such as key generation and cryptographic operations, can the service provide additional value through bundled capabilities such as enterprise key management, secrets management, tokenization, or comprehensive REST APIs? Does it support automation using tools like Terraform and Ansible?

9. Does the service provide future proofing?

Having an agile supplier will enable you to take advantage of new opportunities quickly. How extensible is the product architecture? Will it support your anticipated future needs?

How frequently does the supplier update the product to deliver new features/functions? Does the service enable crypto agility with support for post-quantum algorithms?

10. What level of support is available?

Will your supplier be there for you when you need them? Can the supplier offer 24/7 support? What is the target response time?