The Microsoft Azure Dedicated Hardware Security Module (HSM) service provides cryptographic key storage in Azure and meets the most stringent customer security and compliance requirements. This service is the ideal solution for customers requiring FIPS 140-2 Level 3 validated devices with complete and exclusive control of the HSM appliance. The Azure Dedicated HSM service uses SafeNet Luna Network HSM 7 devices from Gemalto. This device offers the highest levels of performance and cryptographic integration options and makes it simple for you to migrate HSM-protected applications to Azure. The Azure Dedicated HSM is leased on a single-tenant basis.
- Migrate HSM-protected applications: The Gemalto HSM model uses hundreds of applications such as Oracle DB TDE, Active Directory Certificate Services, Apache/NGINX TLS offload, and your own applications that have integrated with SafeNet HSMs over the last 15 years. This makes it easy for you to migrate applications to Azure Virtual Machines or run hybrid topologies spanning across Azure and on-premises. It can also be used to back up keys on-premises. Once your applications have migrated to Azure, you will achieve low latency (single-digit millisecond) and high throughput for cryptographic operations (10,000 RSA-2048 tps). Azure Dedicated HSM supports up to ten partitions per HSM for flexibility of application usage and increased capacity per device.
- Maintain security and compliance: The HSM devices are certified for FIPS 140-2 Level 3 and eIDAS Common Criteria EAL4+, helping you meet the most stringent security and compliance requirements.
- Manage HSMs in the cloud: You have full administrative and cryptographic control over the Azure Dedicated HSMs in Azure. Microsoft does not have visibility into your cryptographic keys.
Azure Dedicated HSM is provisioned directly on your virtual network in Azure. This service can also connect to your on-premises infrastructure via a virtual private network.
When to use Azure Dedicated HSM
Azure Dedicated HSM addresses a unique set of customer needs for secure key storage scenarios in Azure. The following criteria will help determine best fit for your requirements:
The Azure Dedicated HSM is most suitable for migration of HSM applications to Azure or HSM applications from other clouds. It is also suited for applications which needs FIPS 140-2 Level 3, Common Criteria EAL 4+, NITES, or Brazil ITE and needs crypto other than RSA and ECC. Some examples are included below:
- Migrating applications from on-premises to Azure Virtual Machines.
- Running shrink-wrapped software in Azure Virtual Machines.
Not a fit
The Microsoft Azure cloud services that support encryption with customer managed keys such as Azure Information Protection, Azure Disk Encryption, Azure Data Lake Store, Azure Storage, Azure SQL, and Office 365 Customer Key are not integrated with Azure Dedicated HSM. Customers who use such PaaS/SaaS services rely on Microsoft to ensure availability and disaster recovery and to protect against users accidentally deleting their keys. To meet these promises, such services offer customer managed keys via the Azure Key Vault service.
The Dedicated HSM service is available in eight Azure regions, namely East US, West US, South Central US, East US 2, Southeast Asia, East Asia, West Europe, and North Europe. We plan to continue expanding this service to other Azure regions.
To learn more about the Azure Dedicated HSM service, please refer to the service documentation.
To learn about pricing and suitability of this service for your applications, please contact your Microsoft account representative or leave a comment below.