Creating a robust data encryption strategy in a multi-cloud environment can be challenging. Considerations like availability, fail-over, control, cost and compliance are crucial. For organizations that are encrypting data on-premises and considering moving data to the cloud, a typical approach is to use an on-premises Hardware Security Module (HSM) or a cloud-based HSM. However, acquiring and managing traditional on-premises HSMs can be costly and complex. The acquisition and overhead costs can be prohibitive for organizations that require on-premises HSMs for key generation and backup but perform only a low number of cryptographic operations per year.
There are also challenges with cloud-based HSMs as they can lock you into a single cloud provider – thus moving security and control of an organization’s data to the provider. In turn, this makes it difficult and expensive to utilize the benefits of a multi-cloud environment – like decrypting and porting data to other cloud providers.
To address this and enable organizations to own multi-cloud encryption keys, Yubico will be introducing ‘Bring Your Own Key’ (BYOK) capabilities for YubiHSM 2. With this upcoming functionality, the world’s smallest hardware security module will enable organizations to securely and cost-effectively store and transfer data in a multi-cloud environment using an on-premises HSM for secure management of cryptographic credentials – at a fraction of the cost and size of traditional HSMs. These new YubiHSM 2 capabilities will provide a number of benefits to organizations including:
Enhanced data security in a multi-cloud environment
Organizations will be able to stay in control of the security of their data in a multi-cloud environment rather than relying on cloud-based HSMs. Organizations will be able to securely generate and manage data encryption keys on-premises with YubiHSM 2. The low price point and nano form factor will enable easy and cost-effective data portability in multi-cloud environments.
Better control, portability and flexibility
Organizations will have the option of BYOK using the YubiHSM 2 for Amazon AWS, Microsoft Azure and Google Cloud in order to stay cloud agnostic. YubiHSM 2 meets standard BYOK requirements across these leading cloud providers, enabling greater security for organizations by having control over their data encryption keys – including the choice of where to store their data and master keys based on business needs and budgetary requirements.
Reduction of cost and maintenance requirements compared to traditional on-premises HSMs
The world’s smallest hardware security module will enable organizations to securely and cost-effectively store and transfer data in a multi-cloud environment using an on-premises HSM for secure management of cryptographic credentials, at a fraction of the cost and size of traditional HSMs.
Meet regulatory compliance
YubiHSM 2 helps organizations stay compliant with a better way to secure and trust credentials. In order to meet the highest security compliance, YubiHSM 2 is available in a FIPS 140-2 validated, Level 3 version.
YubiHSM 2 is a full-function, network-accessible HSM with a rich cryptography suite, PKCS#11 interface, software development kit, and additional cryptographic tools. YubiHSM 2 is available in a nano form factor that easily fits into a USB-A port on a server, offering a low-cost alternative to traditional HSM models. Organizations can choose to deploy a production and backup version of the YubiHSM 2 for business continuity purposes. There are two versions of the YubiHSM 2: a FIPS 140-2 validated, Level 3 version as well as the non-FIPS YubiHSM 2, which includes the new BYOK feature.
The YubiHSM 2 has an ecosystem of robust tools and libraries for simplified deployment for organizations of all sizes, and a cryptographic suite of the most well-known, secure, and widely used cryptographic algorithms for key generation, key storage, management, signing operations and more.
To stay updated and for more information on the upcoming ‘Bring Your Own Key’ feature for YubiHSM 2, sign up here.
Attending AWS re:Invent this week? Be sure to stop by booth #1402 to discuss phishing-resistant MFA and learn how Yubico and AWS deliver trust at scale, as well as ask any questions about BYOK with YubiHSM 2 – register in advance for a consultation here.