Hardware Security Modules (HSMs) are optional with SecureData, and provide an additional level of security in managing SecureData encryption keys. SecureData supports a limited set of off-cloud HSMs, and does not support current cloud HSMs.
When HSMs are integrated with the Key Servers, the Master Secrets for a Security District (the secrets from which every key in that Security District is derived) are always encrypted by the HSMs. Keys for that Security District therefore cannot be derived without access to those HSMs. When HSMs are not used, the Master Secrets are stored in the configuration database, encrypted by a Field Encryption Key (FEK).
In off-cloud, non-HSM deployments, the FEK is stored on the file system alongside the configuration database. A copy of the file system, VM, or container therefore contains everything needed to set up a Key Server that can derive customer keys.
With supported cloud service providers (CSPs), the FEK is stored in a native cloud key vault, with access controlled by the appropriate cloud security administrators. An attacker holding a copy of the file system, VM, or container cannot decrypt the configuration database and derive keys, because the attacker has no access to the FEK in the CSP's key vault.
However, this does not provide total protection. SecureData administrators must be able to back up the configuration, including the Key Server, whenever a configuration change is made, so that the system can be recovered if the machines running the Key Servers are lost. The backup is initiated from the Management Console interface and is protected by a password, which the administrator records for use should a restore become necessary. Because SecureData can be deployed as a combination of an off-cloud installation and one or more CSPs, such a backup must be usable on a system with no access to the cloud key vault, even if the backup was initiated from a cloud instance. The backup therefore cannot depend on the vault-held FEK for its protection: the password is the only thing protecting it. An attacker who obtains a backup from a Management Console, together with the password used for that backup, can use it to set up their own Key Servers and derive customer keys. A backup and its password should be treated with the same care as the Master Secrets themselves.
When an HSM is in use, however, the Master Secrets are protected by the HSM and are not directly available in the backup. Without access to the configured HSM, a Key Server built from a backup obtained by an attacker cannot derive keys for the HSM-protected Security Districts.
Because an HSM provides this additional level of protection, using an HSM with SecureData is recommended, especially for cloud deployments. If an HSM is not used, customers must enforce strict controls over who can create, store, and retrieve configuration backups and their passwords, to reduce the risk of an attacker gaining access to both.