How to (Securely) Share Certificates with Your Cloud Security Provider
Businesses today know they must handle sensitive data with extra care. But evolving cyber threats combined with regulatory demands can lead executives to hold their proverbial security cards close to their chest. For example, they may be reluctant to share encryption keys and certificates with a third party (e.g., a cloud service provider), fearing data theft, MITM attacks or violations of local privacy regulations.
In turn, this can cause conflicts when integrating with cloud security services.
So how can businesses securely share this information as they transition to the cloud?
Today, nearly all web applications use HTTPS (encrypted traffic sent to and from the user). Any website serving HTTPS requires a signed SSL certificate. To complete the SSL handshake and communicate over encrypted traffic, the server needs three components: a private key, a public key (the certificate) and the certificate chain.
These are essential to accomplish the following objectives:
- Authentication – The client authenticates the server identity.
- Encryption – A symmetric session key is created by the client and server for session encryption.
- Private keys stay private – The private key never leaves the server side and is not used as the session key by the client.
Hardware Security Module (HSM)
A Hardware Security Module is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptographic processing. HSMs are particularly useful for industries that require high security, businesses with cloud-native applications and global organizations. More specifically, common use cases include:
- Federal Information Processing Standards (FIPS) compliance – For example, finance, healthcare and government applications that traditionally require FIPS-level security.
- Native cloud applications – Cloud applications designed with security in mind might use a managed HSM (or KMS) for critical workloads such as password management.
- Centralized management – Global organizations with global applications need to secure and manage their keys in one place.
Managing the cryptographic key lifecycle requires a few fundamentals:
- Using a random number generator to create/renew keys
- Processing crypto-operations (encrypt/decrypt)
- Ensuring keys never leave the HSM
- Establishing secure access control (intrusion-resistant, tamper-evident, audit-logged, FIPS-validated appliances)
The Challenge with Cloud Security Services…
One of the main challenges with cloud security services is that reverse proxies need SSL keys. Managed security services, such as a cloud WAF service, force enterprises to hand over their private keys so the service can terminate SSL connections. However, some enterprises can’t (FIPS-compliant businesses, for example) or don’t want to (because of trust and liability concerns, or because the service is multi-tenant across many customers). This is usually where the business relationship gets stuck.
…And the Solution!
Simply put, the solution is an HSM cloud service.
Yes, integrating the cloud WAF service with an external HSM hosted by a public cloud provider (AWS CloudHSM, for example) is the answer. It can easily be set up over a VPN, with a cluster sharing the HSM credentials either per application or at large.
Indeed, CloudHSM is a popular solution, being both FIPS and PCI DSS compliant, and is trusted by customers in the finance sector. By moving the last on-prem component to the cloud to reduce data center maintenance costs, organizations are in effect shifting towards consuming HSM as a service.
Such an integration supports any type of certificate (single domain, wildcard or SAN) and keeps latency minimal, as public cloud providers have PoPs all around the globe. The external HSM is only used once, while there is no limit on the number of certificates hosted on the service.
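The split described above, as an added example that is not code from the original post or from Radware: a Go TLS server stands in for the cloud WAF's reverse proxy and holds only a crypto.Signer whose Sign call is forwarded to an in-process stand-in for the external HSM, the client side verifies the certificate and completes the handshake, and the counter shows the HSM is consulted exactly once per handshake. The type and function names, the host name waf.example and the in-memory key are assumptions made for the demo; a real deployment would back the Signer with the HSM client library and keep the key there.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"time"
)
// hsmSigner is a constructed stand-in for an external HSM client: the proxy holds only this Signer.
type hsmSigner struct {
	crypto.Signer // the key itself: generated in memory for the demo, never exported by a real HSM
	calls int     // private-key operations requested, the event an HSM audit-logs
}
// Sign is the one operation the proxy can request; only the signature crosses the boundary.
func (s *hsmSigner) Sign(r io.Reader, msg []byte, opts crypto.SignerOpts) ([]byte, error) {
	s.calls++
	return s.Signer.Sign(r, msg, opts)
}
// HandshakeViaHSM terminates one TLS handshake over loopback with the private-key operation
// delegated to hsmSigner and returns how many times the "HSM" was asked to sign.
func HandshakeViaHSM() (int, error) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"waf.example"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key) // one-time issuance
	leaf, _ := x509.ParseCertificate(der)
	roots := x509.NewCertPool()
	roots.AddCert(leaf) // the browser trusts the certificate; it never sees the key
	signer := &hsmSigner{Signer: key}
	srvCfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: signer}}} // chain plus Signer, no key file
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	go tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: roots, ServerName: "waf.example"}) // browser side
	c, err := ln.Accept() // the reverse proxy terminates TLS for the browser
	if err != nil {
		return 0, err
	}
	defer c.Close()
	if err := c.(*tls.Conn).Handshake(); err != nil {
		return 0, err
	}
	return signer.calls, nil
}

func main() { fmt.Println(HandshakeViaHSM()) }
```

Running it prints 1 and a nil error: the proxy completed a full handshake, authenticated itself with a certificate it holds, and never held the private key material.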
This is the recommended approach to help businesses overcome the concern of sharing private keys. Learn more about Radware Cloud WAF service here.