Service Packages
Securosys CloudHSM offers a variety of services tailored to different needs, ensuring flexibility and scalability for your organization. Choose from dedicated or shared HSM options, tailored to your requirements, including flexible solutions for production, testing, and hosted environments.
HSM as a Service (HSMaaS)
Shared HSMs
Your own partition on a physical Hardware Security Module (HSM) in the cloud. A cluster consists of two active HSMs located in two active datacenters and a third HSM in a NATO Zone 2 Electromagnetic Pulse-protected bunker in the Alps, which serves as a backup and disaster recovery facility.
- CloudHSM Economy (ECO), all-purpose service
- CloudHSM Economy Certified (ECO CC), operated in certified mode
- CloudHSM Sandbox (SBX), for integration and pre-production testing (No backup)
- CloudHSM BYOK, for Bring Your Own Key use cases
Dedicated HSMs
- CloudHSM Platinum: exclusively owned and operated by Securosys, ensuring your keys and data remain isolated.
Customer-owned HSMs
- HSM Operation Service (HOS): Maintain full custody by owning the HSM while it’s operated by Securosys.
A partition is defined as the amount of user space in megabytes (MB) allocated on each HSM in the cluster for storing objects and partition logs.
Service Package Comparison
| | Economy (ECO) | Economy Certified (ECO CC) | Sandbox (SBX) | Platinum | HSM Operation Service (HOS) | Bring Your Own Key (BYOK) |
|---|---|---|---|---|---|---|
| Subscription Type | | | | | | |
| Platform | 3 HSM in 3 data centers | 3 HSM in 3 data centers | 2 HSM in 2 data centers (Testing) | 3 HSM in 3 data centers | | |
| Performance (Sig./Min) | | | | | | |
| Capacity | key objects | | | | | |
| Support Availability Response time (critical/major/minor) | 2/8/24h | 2/8/24h | 8/12/24h | 2/8/24h | 2/8/24h | 2/8/24h |
API Integration Options
CloudHSM offers a REST API and a selection of Primus API Providers (client API software / libraries), installed on your application server. These ensure secure communication with the HSM, along with automatic failover and load balancing.
- REST API (HTTPS)
  - Best suited for complex architectures (micro-services) with different software stacks and languages.
  - Use the Swagger-UI for comprehensive API documentation, which helps in understanding the API structure and functionality, significantly reducing development time.
  - Upgradeable to Transaction Security Broker (TSB) for Smart Key Attributes (SKA), Cryptocurrencies.
- JCE/JCA
  - Most flexible solution for Java integration.
  - Enhanced feature support for Smart Key Attributes (SKA), Cryptocurrencies, Key Attestation and more.
- PKCS#11
  - Best for applications that use the PKCS#11 standard interface, e.g. OpenSSL, Apache, NGINX, Public Key Infrastructures, Key Management Systems and many programming language libraries.
- Microsoft CNG
  - Best for Microsoft Windows operating systems.
  - Native integration for many applications using Microsoft's Cryptography Next Generation interface (CNG).
Configuration Options
All CloudHSM service packages can be individually configured with regard to the required API integration and optional packages for Cryptocurrencies, Smart Key Attributes (SKA), Post-Quantum Cryptographic (PQC) Algorithms and Transaction Security Broker (TSB).
Furthermore, in the Partition Security Policy, you can configure policy settings for Key Import, Key Export and Key Invalidation. Additionally, access to the CloudHSM partition can be restricted to a list of whitelisted source IP addresses.
Partition Remote Administration
By default, Securosys provides support to perform any changes you request on your HSM.
However, with our Decanus Terminal’s Partition Administration you also have the option to fully control access to your HSM partition. This includes making configuration changes, downloading backups, and even disabling HSM administrators' access to your partition. This way, you benefit from the security advantages of your own HSM without the usual headaches and costs.