AWS CloudHSM, by Mmik Huang

AWS CloudHSM service


Page 1: AWS CloudHSM service

Page 2: AWS CloudHSM service

All about NIST FIPS 140-2

http://en.wikipedia.org/wiki/FIPS_140-2

FIPS 140-2 defines four levels of security, simply named "Level 1" to "Level 4".

FIPS 140-2 Level 1, the lowest, imposes very limited requirements; loosely, all components must be "production-grade" and various egregious kinds of insecurity must be absent.

FIPS 140-2 Level 2 adds requirements for physical tamper-evidence and role-based authentication.

FIPS 140-2 Level 3 adds requirements for physical tamper-resistance (making it difficult for attackers to gain access to sensitive information contained in the module) and identity-based authentication, and for a physical or logical separation between the interfaces by which "critical security parameters" enter and leave the module, and its other interfaces.

FIPS 140-2 Level 4 makes the physical security requirements more stringent, and requires robustness against environmental attacks.

Page 3: AWS CloudHSM service

FIPS 140-2 was issued on 25 May 2001; "Security Requirements for Cryptographic Modules" was issued on 1 March 2006.

FIPS 140-3 is a new version of the standard which is currently under development. In the first draft version[2] of the FIPS 140-3 standard, NIST introduced a new software security section, one additional level of assurance (Level 5), and new Simple Power Analysis (SPA) and Differential Power Analysis (DPA) requirements. The draft issued on 11 September 2009, however, reverted to four security levels and limits the security levels of software to Levels 1 and 2.

Page 4: AWS CloudHSM service

Hardware HSM

http://www.safenet-inc.com/data-encryption/hardware-security-modules-hsms/luna-hsms-key-management/luna-sa-network-hsm/

Page 5: AWS CloudHSM service

Key Management with Luna Hardware Security Modules

http://www.safenet-inc.com/data-encryption/hardware-security-modules-hsms/luna-hsms-key-management/

SafeNet Luna SA, a network-attached hardware security module, provides high assurance protection for encryption keys used by applications in on-premise, virtual, and cloud environments.

Page 6: AWS CloudHSM service

SafeNet ProtectV with virtual Key Secure for EBS volume encryption

Data at Rest Encryption Whitepaper: AWS has released a new whitepaper, Securing Data at Rest with Encryption, which outlines the wide range of options available for encrypting data at rest in the cloud based on where encryption keys are stored and how they are accessed. The whitepaper highlights a number of SafeNet solutions to deliver data at rest protection in AWS:

Client side object encryption for AWS S3 with SafeNet ProtectApp and the AWS SDKs

Storage encryption for the AWS Storage Gateway with SafeNet StorageSecure

Encryption and pre-boot authentication for EC2 instances and EBS volumes with SafeNet ProtectV

Hardware root of trust for AWS RDS TDE and Redshift with SafeNet Luna SA HSMs

Enterprise key management for the above solutions, as well as any Key Management Interoperability Protocol (KMIP) based key management partners.

Page 7: AWS CloudHSM service

SafeNet ProtectV with virtual Key Secure for EBS volume encryption

Amazon Redshift HSM Support: Thanks to an update to Amazon Redshift, users can now protect their Redshift encryption keys at the highest level possible with a hardware security module (HSM) – in the cloud with AWS CloudHSM and on-premises with SafeNet’s Luna SA. Read Amazon’s HSM management documentation to learn more about how to leverage an HSM to encrypt your Redshift cluster.

http://data-protection.safenet-inc.com/2013/11/enhancing-encryption-and-key-management-in-aws/

Page 8: AWS CloudHSM service

Cost

SafeNet Virtual KeySecure (Hourly)

$0.75/hr for software + AWS usage fees

Requires ProtectV encryption solution

SafeNet ProtectV, 100 Nodes (Hourly)

$3.62/hr for software + AWS usage fees

100 nodes / year = (3.62 + 0.75) * 24 * 365 = 38281.2 USD

https://aws.amazon.com/marketplace/seller-profile/ref=dtl_pcp_sold_by?ie=UTF8&id=b985fa3c-56a3-42ba-8865-967fad6ffea4

Page 9: AWS CloudHSM service

Cost

The CloudHSM service is charged using a one-time upfront fee plus an hourly fee for the time that the CloudHSM is provisioned to you.

CloudHSM / year = 5000 + 1.88 * 24 * 365 = 21468.8 USD

Page 10: AWS CloudHSM service

FAQ

Q: What types of HSMs are available?

A: As part of the service, AWS currently provides Luna SA HSM appliances from SafeNet, Inc., with version 5 of the Luna SA software.

Q: I don't currently have a VPC. Can I still use AWS CloudHSM?

A: No. To protect and isolate your CloudHSM from other Amazon customers, CloudHSM must be provisioned inside a VPC. Creating a VPC is easy.

Q: How can my application use CloudHSM?

A: SafeNet has integrated and tested the Luna SA HSM with a number of commercial software solutions. Examples include:

Oracle Database 11g

Microsoft SQL Server 2008 and 2012

SafeNet ProtectV with virtual KeySecure for EBS volume encryption

Apache web server SSL termination with private keys stored in the HSM

If you are developing your own custom application, your application can use the standard APIs supported by the Luna SA HSM, including PKCS#11, Microsoft CAPI/CNG and Java JCA/JCE (Java Cryptography Architecture/Java Cryptography Extensions).
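The FAQ answer above says a custom application talks to the HSM through standard APIs such as PKCS#11, and the FIPS 140-2 slides earlier describe role-based authentication and keys that stay inside the module. The following added example, which is not code from the slides, from SafeNet or from AWS, is a small in-process stand-in for a PKCS#11 token that shows the shape of that integration: the application logs in with a PIN, receives opaque key handles, signs with them, and is refused when it tries to read the key bytes out. The class and method names (ToyToken, login, generate_key, sign, get_key_value) are assumptions chosen to mirror C_Login, C_GenerateKey, C_Sign and C_GetAttributeValue; the return-code names are real PKCS#11 constants, but the token itself is a toy, not the Luna SA client library.

```python
import hashlib
import hmac
import secrets


class Pkcs11Error(Exception):
    """Raised with a PKCS#11-style return-code name (CKR_...)."""


class ToyToken:
    """In-process stand-in for a PKCS#11 token, constructed for this example.

    Key material lives only inside the token; the application is given opaque
    integer handles and operates on them, mirroring C_Login / C_GenerateKey /
    C_Sign / C_GetAttributeValue. This is not the Luna SA client library.
    """

    def __init__(self, user_pin: str):
        self._user_pin = user_pin.encode()
        self._logged_in = False
        self._keys = {}          # handle -> {"value": bytes, "extractable": bool}
        self._next_handle = 1

    # --- session / role-based authentication -------------------------------
    def login(self, pin: str) -> None:
        """C_Login with the user PIN; constant-time compare avoids a timing side channel."""
        if not hmac.compare_digest(pin.encode(), self._user_pin):
            raise Pkcs11Error("CKR_PIN_INCORRECT")
        self._logged_in = True

    def logout(self) -> None:
        self._logged_in = False

    def _require_login(self) -> None:
        if not self._logged_in:
            raise Pkcs11Error("CKR_USER_NOT_LOGGED_IN")

    def _lookup(self, handle: int) -> dict:
        try:
            return self._keys[handle]
        except KeyError:
            raise Pkcs11Error("CKR_OBJECT_HANDLE_INVALID") from None

    # --- object management --------------------------------------------------
    def generate_key(self, extractable: bool = False) -> int:
        """C_GenerateKey: a 256-bit secret key is created inside the token and
        only its handle is returned. CKA_EXTRACTABLE defaults to false."""
        self._require_login()
        handle = self._next_handle
        self._next_handle += 1
        self._keys[handle] = {"value": secrets.token_bytes(32), "extractable": extractable}
        return handle

    def get_key_value(self, handle: int) -> bytes:
        """C_GetAttributeValue(CKA_VALUE): refused for non-extractable keys."""
        self._require_login()
        key = self._lookup(handle)
        if not key["extractable"]:
            raise Pkcs11Error("CKR_ATTRIBUTE_SENSITIVE")
        return key["value"]

    # --- cryptographic operations -------------------------------------------
    def sign(self, handle: int, data: bytes) -> bytes:
        """C_Sign with an HMAC-SHA256 mechanism; the key never crosses the API boundary."""
        self._require_login()
        return hmac.new(self._lookup(handle)["value"], data, hashlib.sha256).digest()

    def verify(self, handle: int, data: bytes, signature: bytes) -> bool:
        """C_Verify counterpart of sign()."""
        return hmac.compare_digest(self.sign(handle, data), signature)


def demo(pin: str = "1234") -> dict:
    """Walk an application through the handle-based workflow and report what the
    token allowed and refused. Inputs are constructed; the PIN is a placeholder."""
    token = ToyToken(user_pin=pin)
    result = {}

    # 1. Operations before login are rejected (role-based authentication).
    try:
        token.generate_key()
    except Pkcs11Error as e:
        result["before_login"] = str(e)

    # 2. Log in, generate a non-extractable key, sign a constructed message.
    token.login(pin)
    handle = token.generate_key()
    message = b"constructed sample message"
    signature = token.sign(handle, message)
    result["verifies"] = token.verify(handle, message, signature)
    result["tampered_verifies"] = token.verify(handle, message + b"x", signature)

    # 3. The application cannot read the key bytes out of the token.
    try:
        token.get_key_value(handle)
    except Pkcs11Error as e:
        result["extract"] = str(e)

    # 4. A bogus handle is rejected, and after logout the handle is unusable.
    try:
        token.sign(handle + 100, message)
    except Pkcs11Error as e:
        result["bad_handle"] = str(e)
    token.logout()
    try:
        token.sign(handle, message)
    except Pkcs11Error as e:
        result["after_logout"] = str(e)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Against a real Luna SA the same workflow runs through the vendor's PKCS#11 library with real sessions and slots; the property worth checking when integrating is the one step 3 exercises, namely that keys used by the application are created non-extractable so a compromised application host yields handles, not key material.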