According to Gartner, “Cloud computing has become the new normal for modern IT environments — cloud adoption rates among organizations are projected to jump from 68% in 2017 to 85% in 2019.”1 However, data in the cloud is not necessarily safe. In fact, Dropbox, LinkedIn, Home Depot, Apple iCloud, Yahoo, and many others 2 have had their data breached in the cloud.
Our customers at nCipher know this. They also know that best practice for data security in the cloud is to obfuscate the data through a cryptographic process and to maintain control of the encryption keys. In this model cloud service providers are repositories for the securely encrypted data, but the organization that owns the data and hires the cloud service holds the cryptographic keys.
So in September 2019, nCipher is announcing its new, powerful nShield as a Service.
nShield as a Service
nShield as a Service is a cloud-based hardware security module (HSM). The service is a subscription-based solution for generating, accessing and protecting cryptographic key material. These functions are separated from sensitive data in the cloud, using FIPS 140-2-certified nShield Connect HSMs. This cloud-hosted model gives organizations the option to either supplement or replace HSMs in their data centers while retaining the same benefits as owning the nShield appliances.
nShield as a Service is ideal for cloud-first strategies, selective cloud migration, or supplementing existing HSM capacity to handle workload spikes. It enables users to:
- Extend cloud-based cryptography and key management across multiple clouds
- Align crypto-security requirements with organizational cloud strategy
- Simplify budgeting for business-critical security
- Decrease time spent on maintenance and monitoring
Subscribed customers interact with the cloud-based nShield HSMs in the same way that they would with appliances in their own dark data centers, but they do not need to receive, install and maintain physical hardware. This can result in faster deployment of secured applications.
Thinking outside (or inside) the box:
nShield as a Service customers can choose to run application code either within or outside an HSM—unprecedented dual functionality.
For cloud-hosted applications, nShield as a Service allows the user to maintain full control of the key material regardless of the location of the hosting infrastructure.
To run applications inside an HSM, nShield as a Service provides CodeSafe, secure execution for crucial portions of cloud-based applications within a trusted runtime environment. The exclusive CodeSafe capability gives users on-demand access to expanded secure computing capacity. Customers can seamlessly migrate their secure code execution from an on-premises HSM to the cloud.
This dynamic and powerful pair of options allows each customer to tailor a secure configuration for its sensitive data in a way unavailable elsewhere.
nShield as a Service uses the same unique Security World architecture as on-premises nShield deployments so customers can use a hybrid approach that mixes nShield as a Service and on-premises HSMs. Security World is a scalable key management framework that spans the customer’s nShield estate. It provides a unified administrator and user experience and guaranteed interoperability across all devices, whether subscription-based or company-owned. This allows organizations to easily and efficiently scale their HSM operations with their specific environment, operational approaches and security needs.
The power of nShield—now in the cloud
For more than two decades, nShield HSMs have provided state-of-the art key protection, access control enforcement, and secure code execution. Now nShield as a Service provides the same protections paired with remote management and flexible access control both in the cloud and within onsite data centers.
Customers seeking cloud-first solutions can work with market-leading cybersecurity and infrastructure vendors in nCipher’s nFinity Strategic Technology Partner program, including F5, IBM, Micro Focus Voltage, Red Hat, Venafi, and Citrix. These partners can provide additional functionality including SSL, code signing, and database encryption.