Examples of the 102,000+ reviews on PeerSpot:

Daanial Farrukh - PeerSpot reviewer
Solution Architect at a comms service provider with 5,001-10,000 employees
Real User
Top 10 Leaderboard
Dec 1, 2025
Strong key management has protected data at rest and now supports compliant integrations

What is our primary use case?

AWS Key Management Service's major use case is to encrypt data, specifically encrypting data at rest. We have two options: either we can go with AWS-managed keys or we can use customer-managed keys, depending on the compliance of the organization. I have a student who is in a bank, and they have a compliance requirement that they should have their own key and should not be visible to AWS. We can create a master key, which generates a data key—one encrypted and one unencrypted. The unencrypted key is stored in RAM temporarily, encrypting data in the EBS volume or wherever it lies, after which it's deleted. To decrypt, we use the KMS encrypted data object key, which goes back to AWS Key Management Service to decrypt itself and our data. AWS Key Management Service key remains in the protective vault of AWS, and all we are doing is generating the data key to encrypt and decrypt our data. Thus, encryption and decryption at rest is the basic functionality provided by AWS Key Management Service.

I see benefits from these integrations because that's the beauty of microservices. When using RDS, we just create the key first, and when creating RDS, if we want encryption in storage, we select AWS Key Management Service. When using S3, instead of AWS-managed keys, we can choose to go with our customer-managed key and select that AWS Key Management Service from there. In fact, we can integrate AWS Key Management Service with any storage in any place in AWS.

I am working with this feature in my organization. We mostly use symmetric encryption, while asymmetric is primarily used in cases of SSL. I know that AWS provides both symmetric and asymmetric options in AWS Key Management Service. However, the asymmetric option is mostly relevant for web applications that need to encrypt data in transit. In this case, we have a public key and a private key, where the private key is used to decrypt the data, and the public key is used to encrypt it, making it another use case in our organization.

What is most valuable?

I assess audit logging through AWS CloudTrail as having all our event history and all the API calls made to AWS. We can search using filters, but it's a bit messy. To improve this, we can create a trail for specific services and store the logs in an S3 bucket. From there, we can export it to CloudWatch or anywhere we want for analysis.

AWS Key Management Service is used to encrypt data at rest, and we have gone through AWS Key Management Service in detail.

I leverage the bring your own key feature from AWS Key Management Service. Customers can upload their keys through either the CLI or the portal.

The automatic key rotation feature significantly helps with compliance. Admins just have to specify how often they require rotation, with a minimum of seven days, up to whatever frequency they need; 365 days is the standard, or they can opt for more frequent rotation. Automatic rotation is one of the very cool features.

What needs improvement?

The architecture is very beautiful and good for AWS Key Management Service, so there isn't much to change.

The area related to the issue I faced was about multi-region keys; it was during exam preparation for AWS. We got deep into it, but since it was a while ago, I can't recall the exact details.

For how long have I used the solution?

I have been working with AWS Key Management Service for around two years.

What do I think about the stability of the solution?

I would rate the stability as a 10. I don't think it's a heavy service, and there shouldn't be any kind of instability. AWS possesses high availability in every service, so I would also rate it a 10.

What do I think about the scalability of the solution?

I rate the scalability of AWS Key Management Service as 10 out of 10.

How are customer service and support?

There is no paid technical support; only some free support is available along with chat options. However, technical support is generally not available for small and medium enterprises that can't afford it.

How would you rate customer service and support?

What other advice do I have?

The only problem that I once faced was connected with multi-region keys. I would rate this review as 10 out of 10.

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Dec 1, 2025
Emad MuhammadSalem - PeerSpot reviewer
Senior Cybersecurity Engineer at a tech services company with 51-200 employees
Real User
Top 5 Leaderboard
Oct 29, 2025
Has strengthened data protection by encrypting existing keys and enabling multi-platform integration

What is our primary use case?

We installed Thales Luna HSM and generated the partitions to integrate with multiple databases like Mongo, Oracle, SQL, or MySQL, and transfer the keys from the databases to the HSM to secure these keys from being compromised. Thales Luna HSM works as a safe where we transfer and migrate keys from the database to Thales Luna HSM using CipherTrust Manager, which connects with Thales Luna HSM. We also work on other projects such as digital signature.

What is most valuable?

The most valuable capability for Thales Luna HSM is saving the keys, migrating and encrypting them by adding encryption above the encryption they are already encrypted with. Migrating the keys from the safe and from the databases is a huge processing task, and it works smoothly without any issues. Sometimes we face issues while integrating with new databases, but it almost works smoothly without any problems or challenges.

The data encryption capabilities of Thales Luna HSM improve data security for our customers by encrypting the keys that are already encrypted in the database with multiple algorithms such as RSA, MD5, and SHA.

Data encryption capabilities improve security by protecting the keys, migrating the keys to the HSM, and allowing us to take a backup from Thales Luna HSM or migrate the keys. By encrypting the keys that are already encrypted, it adds a new layer of security that can save the databases from being compromised if someone hacked it, as they will not find the keys. They will only find the database that is encrypted without any keys that can help them. They will not compromise the data and the keys in the same safe or in the same partition. This is the most valuable aspect of the HSM, specifically Thales Luna HSM, along with other capabilities such as digital signature functionality.

Thales Luna HSM integrates with multiple security platforms such as F5, Palo Alto, and SIM solutions such as any syslog server we are working with. SIM solutions work smoothly with it, and it can monitor the HSMs and check their performance easily. Anyone from the security team can check Thales Luna HSM's performance.

What needs improvement?

Thales Luna HSM can be improved by enhancing integration with databases because databases have multiple commands, but it works fine. If we have good knowledge of databases such as Mongo, SQL, or Oracle, it would be beneficial. Sometimes we face a few problems and challenges in integrating and migrating the keys to HSM, but troubleshooting is easy because it has steps to follow, and if we work through these steps one by one, it will surely work fine.

For how long have I used the solution?

We have been working with Thales Luna HSM for about two years.

What do I think about the stability of the solution?

Sometimes we face challenges with utilization, but it only happened for one or two customers, and the technical support helped us very well in these situations.

The HSM utilization was full at 100 percent, causing it to turn off and the applications to go down. We had to restore the most recent stable version for HSM and upgrade or downgrade it. We believe they solved these issues in the next firmware patches as we upgraded the HSM in this situation.

How are customer service and support?

We rate the technical support a seven out of ten.

We rated them a seven because they answer immediately when we are working on critical problems, but sometimes they are late in answering when it is low or moderate urgency, taking some time to respond in those situations.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial setup and deployment of Thales Luna HSM is very good, very smooth, and familiar for anyone, even juniors working for the first time. It will be easy for them, even in CLI, which is usually complicated, but it is familiar and good.

Which other solutions did I evaluate?

There is a competitor for Thales Luna HSM that mentioned their price is 50 percent less than Thales Luna HSM for a general-purpose HSM.

What other advice do I have?

The user interface is not an issue because Thales Luna HSM works on CLI, so there is no web interface. It is like any command line interface, and it works smoothly when we install the Thales Luna HSM client. We do not face any challenges or problems with it.

Pricing is all about the sales team and the management.

Thales Luna HSM has already improved the partition functionality.

We do not want to improve anything about the technical support. Our overall rating for this solution is ten out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: partner.
Last updated: Oct 29, 2025