Are you concerned about the security of your data in the cloud? Of course you should be, even if you're just an isolated consumer. But what if you're responsible for the security of data for an enterprise?
The economics of cloud computing are too compelling to ignore. How can you minimize the amount of trust you must place in the cloud provider? The answer involves hardware security modules (HSMs).
An HSM is a hardware device that stores and manages encryption keys and performs other cryptoprocessing. HSMs are used in high-value situations. Microsoft uses HSMs to generate the code signing keys for Windows. The IANA uses HSMs to generate keys for and to sign the DNSSEC root zone. That kind of high-value. The keys and other internal memory of the HSM are inaccessible to the outside, and the device can be set to operate only with specific authorization.
In the normal design of a cloud service like Salesforce.com or Windows Azure, you don't completely control the encryption keys, assuming your data is encrypted at all. Combined with other good security practices, HSMs can minimize the points at which unencrypted data could become accessible outside of your control.
Thales e-Security and Microsoft have come up with the architecture for a solution for enterprises. It uses HSMs hosted in the cloud, but administered by you. The actual announcement is related to the use of Microsoft's Windows Azure Rights Management Service (RMS). Enterprises can use a Thales HSM on-premises to generate a "tenant key" and securely transfer it to Thales HSMs running in the Azure cloud.
Even though the HSM in the cloud generating and managing the keys belongs to Microsoft, Microsoft cannot access those keys. Thales calls this "Bring Your Own Key" (BYOK).
This specific offering is interesting and useful, but I'm more interested in the fact that it's an architecture that can work more generally in the cloud for customer key management. This solution is Thales-specific.
All security comes down to issues of trust at some level. You want to know where you are trusting someone else and to secure that transaction as much as possible. In this case, the main trust point is the HSM itself. You don't know for a fact that the device doesn't have some secret back door for the NSA. Companies like Thales depend absolutely on trust for their survival. Even a significant, unintended vulnerability would be a major problem for such a company, but a back door would be disastrous. Nobody would or should trust an HSM company that would do such a thing.
But if you're going to try to do security right, you have to trust someone. HSMs may actually be the way to minimize trust in the cloud. Better to trust the HSM company than the cloud provider.