We are getting used to the fast pace of innovation and new tools brought by Amazon Web Services (AWS), but this week's CloudHSM announcement was a surprise. So, you do not trust AWS to store your keys, and keeping them outside adds complexity and impacts performance? You want to use AWS, but you have critical and confidential data and need to comply with security standards? CloudHSM is the answer to these questions.
A Hardware Security Module (HSM) is like a (big) smartcard that is certified and physically protects your keys. When it detects an attack, the first thing the HSM does is erase the keys in a secure manner.
Nevertheless, the idea of providing an HSM as a service is very innovative, thank you AWS! However, this kind of toy does not come cheap, and key management (rotation and revocation, to give just 2 examples) is always a tricky issue. We look forward to testing it and to including CloudHSM in our reference architectures on AWS!