

AWS CloudHSM: Secure Key Storage and Cryptographic Operations - jcase
http://aws.amazon.com/cloudhsm/

======
geertj
What is the threat model here?

My assumption is that the cryptographic keys will not be able to leave the
HSM. This means that the HSM itself will need to perform cryptographic
operations. You send it your data (e.g. a blob to decrypt), and the HSM will
decrypt it for you using its embedded keys. Similarly it would implement other
cryptographic primitives. To unlock the device to perform cryptographic
operations, presumably some kind of pass phrase is required. That pass phrase
would need to be online for applications to work in an unattended way. Either
in memory or on disk.

So it would seem this would protect against someone stealing your data
surreptitiously. The only way to decrypt that data is via the HSM, and
presumably the HSM has untamperable access logs. Suppose data is stolen. Then
after fixing the attack vector and making sure your systems are trustworthy
again, you'd change the HSM pass phrase, and make sure there are no unexpected
entries in the HSM audit log. At that point you can consider your private data
to be safe again.

However it seems that an active attack is still possible. If an attacker gets
into an EC2 instance with HSM encrypted data and an online pass phrase, he can
just use the HSM to decrypt that data. Unless you watch your HSM audit logs
really closely, the attacker could have stolen your data before you even
notice.

Also it would still be possible for a govt. agency to seize the HSM and the
instance with an online passphrase. So this would do little for EU companies
that cannot legally have their data come into scope for the PATRIOT Act.

[Edit: spelling]
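
The model geertj describes (keys that never leave the device, operations done on request through an unlocked session, a pass phrase that has to be online, an audit log you check after an incident) can be exercised end to end in a few dozen lines. The following is an added example written for this page, not code from the thread, from AWS or from any HSM vendor; a real CloudHSM is driven through PKCS#11 via a client library, and every name here (ToyHsm, login, decrypt, audit_log, APP_PIN, the "db-master" key label) is invented for illustration. The cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag, a standard-library stand-in for AES-GCM, and the PIN and record are constructed sample data.

```python
# Toy model of the threat model sketched in the post above: an added example,
# not code from the thread, from AWS or from any HSM vendor (a real CloudHSM is
# driven through PKCS#11 via a client library). Every name below is invented;
# the cipher is an HMAC-SHA256 keystream plus encrypt-then-MAC tag standing in
# for AES-GCM so that the file runs on the standard library alone.
import hashlib
import hmac
import os


class HsmError(Exception):
    pass


class ToyHsm:
    # Keys never leave; every operation needs a PIN-authenticated session and
    # is appended to audit_log, which has no delete method.
    def __init__(self, partition_pin: str) -> None:
        self._pin_hash = hashlib.sha256(partition_pin.encode()).digest()
        self._keys = {"db-master": os.urandom(32)}   # generated inside, never returned
        self._sessions = set()                        # authenticated session ids
        self._next_sid = 1
        self.audit_log = []

    def login(self, pin: str) -> int:
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash):
            self.audit_log.append({"event": "login_failed"})
            raise HsmError("bad PIN")
        sid, self._next_sid = self._next_sid, self._next_sid + 1
        self._sessions.add(sid)
        self.audit_log.append({"event": "login", "session": sid})
        return sid

    def _check(self, sid: int) -> None:
        if sid not in self._sessions:
            self.audit_log.append({"event": "rejected", "session": sid})
            raise HsmError("no authenticated session")

    def change_pin(self, sid: int, new_pin: str) -> None:
        self._check(sid)
        self._pin_hash = hashlib.sha256(new_pin.encode()).digest()
        self._sessions.clear()   # rotation also drops every open session
        self.audit_log.append({"event": "pin_changed", "session": sid})

    @staticmethod
    def _xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
        # Keystream block i = HMAC(key, "enc" || nonce || i); the "enc"/"mac"
        # prefixes keep the keystream and tag computations domain-separated.
        stream = b"".join(hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                          for i in range((len(data) + 31) // 32))
        return bytes(a ^ b for a, b in zip(data, stream))

    def encrypt(self, sid: int, label: str, plaintext: bytes) -> bytes:
        self._check(sid)
        key, nonce = self._keys[label], os.urandom(16)
        body = self._xor(key, nonce, plaintext)
        self.audit_log.append({"event": "encrypt", "session": sid, "label": label})
        return nonce + body + hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()

    def decrypt(self, sid: int, label: str, blob: bytes) -> bytes:
        self._check(sid)
        key, nonce, body, tag = self._keys[label], blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest(), tag):
            raise HsmError("tag mismatch")
        self.audit_log.append({"event": "decrypt", "session": sid, "label": label})
        return self._xor(key, nonce, body)


APP_PIN = "constructed-pin-not-a-real-credential"   # the pass phrase kept online


def _refused(action) -> bool:
    try:
        action()
    except HsmError:
        return True
    return False


def deploy() -> tuple:
    # The application: log in with the online PIN and encrypt a constructed record.
    hsm = ToyHsm(APP_PIN)
    sid = hsm.login(APP_PIN)
    return hsm, sid, hsm.encrypt(sid, "db-master", b"constructed customer record")


def passive_theft(hsm: ToyHsm, blob: bytes) -> bool:
    # Ciphertext copied without a session: the HSM refuses and logs the attempt.
    return _refused(lambda: hsm.decrypt(999, "db-master", blob))


def active_attack(hsm: ToyHsm, stolen_pin: str, blob: bytes) -> bytes:
    # Attacker on the instance with the online PIN just asks the HSM to decrypt.
    return hsm.decrypt(hsm.login(stolen_pin), "db-master", blob)


def unexpected_decrypts(hsm: ToyHsm, app_sessions: set) -> list:
    # The audit-log check: decrypt events from sessions the app never opened.
    return [e for e in hsm.audit_log
            if e["event"] == "decrypt" and e["session"] not in app_sessions]


def recover(hsm: ToyHsm, old_pin: str, new_pin: str) -> bool:
    # After cleanup, rotate the PIN; the leaked one must no longer log in.
    hsm.change_pin(hsm.login(old_pin), new_pin)
    return _refused(lambda: hsm.login(old_pin))
```

Running `deploy`, then `passive_theft`, `active_attack` and `unexpected_decrypts` in that order shows the two halves of the argument: a copied blob is worthless without a session, but whoever finds the online PIN gets the plaintext through the same interface the application uses, and the only trace is a decrypt event under a session id the application never opened. `recover` is the post's clean-up step: rotating the PIN invalidates the leaked credential and every open session, while the earlier log entries remain for review.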

~~~
toomuchtodo
I don't see the benefit of having an HSM device in a multi-tenant environment.
Great! My keys are safe! Now what's going to protect my data when there's a
vulnerability in the dom0/hypervisor?

~~~
some_user
The HSMs themselves are single-tenant.
(<https://aws.amazon.com/cloudhsm/#details>)

~~~
toomuchtodo
Right. So why wouldn't I just pay the upfront fee and colo it myself without
having to pay Amazon the upfront fee _and_ the recurring hourly charge? Sure,
you could argue I would have to pay to colo it somewhere else, but if I'm an
org that requires an HSM appliance I more than likely already have my own colo
space somewhere. Compliance should also be much easier when I say, "The box is
right here, these are the employees with physical access" vs "The box is at
Amazon, I have no idea where, and I don't know who can touch it".

The hourly charge is $1.88/hour. That's $1398.72/month. To have the box in
Amazon's datacenter. You can colo the box somewhere for under $200/month. That
margin is _ridiculous_.

~~~
some_user
You're assuming that the upfront fee is either more than the cost of the HSM
or the cost of the HSM.

------
hamburglar
Am I missing some actual numbers hiding somewhere in the "pricing" section?
"There will be a one-time fee plus an hourly fee" is not pricing information.

~~~
borski
Looks like $5000 upfront and $1.88/hr.

~~~
matthiasb
That seems right. HSMs are expensive to purchase and manage.

