Cloud HSM

SplitSecure is a distributed hardware security module. What that means is that we take secrets like keys and credentials and split them across multiple devices, leveraging the hardware security claims of each device. This allows us to offer superior claims to traditional hardware security modules, while being cheaper, more performant, and easier to manage.

Because SplitSecure leverages the security claims of the hardware it runs on, it can make hardware-based security claims (such as physical intrusion resistance) which would not be possible with software alone. This is what allows it to act as a substitute for FIPS-140-3 Level 3 compliant HSMs. This extends to the cloud as well – leveraging the correct cloud services, SplitSecure can act as a substitute for cloud HSMs.

However, SplitSecure is significantly cheaper and more performant than the cloud HSMs it replaces. Enterprises that switch from cloud HSMs to SplitSecure can see up to an 80% decrease in cost and 10x increase in throughput.

Let’s go over a specific example of how this is possible.

TIP

We use AWS CloudHSM as our example for how SplitSecure can reduce cloud HSM costs. However, SplitSecure supports all major providers, including GCP, Azure, Entrust, etc. We pick AWS CloudHSM so we can give specific real examples of cost savings.

Example: Cutting AWS CloudHSM Costs by 80%

SampleCo uses AWS CloudHSM to protect secrets used to access legally protected customer data. While their exact usage varies, they typically have 1,000 hsm2m.medium HSMs in use in the us-east-2 region, at an hourly rate of $1.45 per HSM. This gives them an annual cloud HSM spend of $12.7 million.

To comply with industry norms, SampleCo must store these secrets in a FIPS-140-3 Level 3 compliant system – the current “gold standard” for security-sensitive use cases. The AWS hsm2m.medium HSM has this certification.

Using SplitSecure, we will enable SampleCo to replace their hsm2m.medium HSMs with less expensive AWS Nitro Enclave instances – specifically with AMD SEV-SNP enabled t4g.2xlarge EC2 instances in the same us-east-2 region.

Normally, an AWS Nitro Enclave instance would not be an appropriate substitute for an HSM. The AMD SEV-SNP enabled Nitro Enclave supports the isolation of secrets, but it has no persistent storage and starts empty every time. This means that the secrets must be stored elsewhere and seeded into the enclave when needed.

This is how SplitSecure and the AWS Nitro Enclave combined become a cloud HSM. SplitSecure stores the secrets in FIPS-140-3 Level 3 compliant hardware and seeds them into the Nitro Enclave as needed. The Nitro Enclave then performs the expected actions with the secrets. AWS Nitro Enclaves already have mechanisms to support secure seeding – all Nitro instances support FIPS validated encryption and have a CMVP certificate for FIPS compliant communication.

This is analogous to a serverless application. Instead of a cloud HSM persistently holding SampleCo’s secrets, SplitSecure holds their secrets, and whenever they need a cryptographic action performed, an AWS Nitro Enclave instance is spun up fresh to perform the task, and SplitSecure seeds it with the secret.

To implement SplitSecure this way, SampleCo needs to decide what devices they will use to store their secrets, and what EC2 instances they would like to use to replace their hsm2m.medium HSMs.

SampleCo decides they will store their secrets on a dozen FIPS-140-3 Level 3 compliant USB devices. These devices are their SplitSecure network, and the only permanent home for their secrets. They then decide to replace their hsm2m.medium HSMs with t4g.2xlarge EC2 instances, with both Nitro Enclave and AMD SEV-SNP support enabled.
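As an added illustration (not SplitSecure's own code; the page does not describe its splitting scheme), the Python below assumes a Shamir threshold split across SampleCo's dozen storage devices, where any 7 of the 12 shares let a freshly started enclave rebuild the key in memory, use it once, and discard it:

```python
import hmac
import hashlib
import secrets

# Assumption: shares live in the field GF(P) for the Mersenne prime 2^61 - 1.
# This is an illustration only; SplitSecure's real scheme is not on the page.
P = (1 << 61) - 1


def split_secret(secret: int, n: int, k: int, rng=secrets.randbelow):
    """Shamir split: n shares, any k of which reconstruct. Returns [(x, y), ...]."""
    assert 0 <= secret < P and 1 <= k <= n < P
    coeffs = [secret] + [rng(P) for _ in range(k - 1)]  # f(0) == secret

    def f(x):  # Horner evaluation of the degree k-1 polynomial
        acc = 0
        for c in reversed(coeffs):
            acc = (acc * x + c) % P
        return acc

    return [(x, f(x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over GF(P); needs >= k distinct shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def seed_and_sign(shares, message: bytes) -> str:
    """Simulates the enclave side: rebuild the key in memory, use it, forget it."""
    key = recover_secret(shares).to_bytes(8, "big")
    tag = hmac.new(key, message, hashlib.sha256).hexdigest()
    del key  # the enclave keeps no persistent copy
    return tag


if __name__ == "__main__":
    # Constructed sample: one key, 12 devices, threshold 7.
    key_int = int.from_bytes(b"SampleCo", "big") % P
    shares = split_secret(key_int, n=12, k=7)
    print(recover_secret(shares[:7]) == key_int)   # True: any 7 shares suffice
    print(seed_and_sign(shares[2:9], b"invoice-42"))
```

With fewer than 7 shares the interpolated value is unrelated to the key, so a single compromised device yields nothing usable.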

Including Amazon’s surcharges for AMD SEV-SNP support, they pay a total of $0.2956/hr per Nitro Enclave in the us-east-2 region. After adding all fixed costs and additional fees, their total costs will drop from $12.7 million to $6.1 million. That's more than a 50% cost reduction.

TIP

SplitSecure supports end-user customization of the code running in the enclave, so we cannot make the general statement that all SplitSecure deployments structured this way are automatically FIPS-140-3 Level 3 compliant. However, assuming standard HSM use cases such as signing oracles or tokenization, SplitSecure offers an easy path to FIPS certification.

Depending on their use case, SampleCo might not even need to replace their HSMs 1:1. The t4g.2xlarge EC2 instance has 8 vCPUs, giving it massively higher throughput and storage capacity than the hsm2m.medium it is replacing. If SampleCo’s use case is performance constrained, this might allow them to replace HSMs at some N:1 ratio, reducing costs even further.