According to the 2019 Thales Cloud Security Study, almost half of all businesses are adopting a multi-cloud strategy when it comes to their IT infrastructure and services needs, but 32 percent don’t employ a security-first approach to storing data in the cloud.
This finding is problematic given that more than half of the organizations highlighted compatibility with their on-premises infrastructure as the most important consideration in being able to adopt a hybrid cloud strategy.
Hardware Security Modules (HSMs) help organizations protect the cryptographic keys used for critical functions such as encryption, decryption and authentication. As such, HSMs play an essential role in safeguarding applications, identities and databases. They are also instrumental in establishing a root of trust, securing public key infrastructure and serving as the basis for code signing.
Hybrid cloud enables organizations to freely move compute resources between an enterprise’s private cloud infrastructure and public infrastructures to optimize performance, cost and agility. But traditionally, combining multiple types of HSMs, including those from different cloud service providers as well as those on-premises, across a variety of environments, left IT and security teams with little flexibility to evolve. As a result, many organizations feel pressure to trade off the high-assurance security that an HSM provides against fully embracing the optimization of hybrid cloud.
This is why Thales and leading IT service providers work together to deliver high-assurance, root-of-trust-based security services designed for multi-cloud environments. This post will discuss one such partnership between Thales and Fujitsu.
Securing Public Key Infrastructure (PKI) from the cloud
Fujitsu, the world’s seventh-largest IT services provider in terms of global revenue, has 132,000 employees. Fujitsu supports its customers with a full range of technology products, solutions and services in more than 100 countries.
A global pharmaceutical company asked Fujitsu for help in securing its PKI infrastructure. As a healthcare organization, it faced a growing list of regulatory requirements with which it needed to comply, and therefore decided to focus on improving its key management practices. Fujitsu chose Thales to address its customer’s request because of Thales’ range of FIPS 140-2 Level 3 HSM deployment options, including on-premises Thales Luna HSMs and a Luna Cloud HSM offering, Thales Data Protection on Demand (DPoD), with common APIs and integrations and flexible billing models. Since the customer also wanted to reduce its capital expenses, Fujitsu, working with Thales distributor Exclusive Networks, chose DPoD to fulfil this use case. This solution offers Luna Cloud HSM services that help customers manage and protect their sensitive cryptographic operations in an as-a-service model.
Since this pharmaceutical customer used Microsoft Certificate Authority for its PKI, the solution had to support hardening the boundary around the Microsoft Root CA’s cryptographic signing key. Therefore, Fujitsu integrated DPoD’s Luna Cloud HSM for Microsoft Active Directory Certificate Services (ADCS) service. The customer also felt its investment with Fujitsu and DPoD was protected because Thales supports hybrid HSM services, and DPoD can be deployed in conjunction with on-premises Luna HSMs if the customer requires that flexibility in the future.
Expanding Fujitsu high-assurance service offerings
Given the pharmaceutical company’s high satisfaction and the ease of implementation, Fujitsu began working with Thales to develop the Managed Microsoft CA with Cloud HSM Root of Trust service as part of its standard offering. Customers use this solution to reduce the complexity of securing certificate authority servers across their IT infrastructure, including cloud/hybrid and on-premises environments. This cost-effective offering requires zero upfront investment and uses usage-based pricing. The solution also supports automated service orchestration for easy management.
In addition, customers now have strong separation of roles and privileges to assure only authorized users can carry out sensitive PKI operations, such as certificate signing, which further reduces risk.
Petri Heinälä, security offering architect at Fujitsu, said:
“With all of the regulatory pressures surrounding an organization’s data, key management without an HSM is simply unsustainable. In an industry like healthcare that holds particularly sensitive data, organizations have to do everything possible to ensure that only the right people can access the right data for the right reason. Traditionally, on-premises HSMs have played an important role in protecting data, but organizations are now seeing the benefits and cost efficiencies with cloud-based PKI environments, and in the ability to support hybrid, multi-cloud environments. With DPoD we have been able to deliver a more flexible, but secure, PKI environment for our customers and help them to protect their data and their budgets.”
A Look into the Future
The combined DPoD-Microsoft CA service provides several benefits. As in the case of the pharmaceutical company, the IT services provider can use the new offering to cater to customers looking for expanded key management and encryption services such as privileged access management. It also strengthens Fujitsu’s position in the managed services market by broadening its portfolio to include a solution that can meet the PKI needs of customers requiring higher levels of security.
With seamless key migration between Luna HSM and the DPoD Luna Cloud HSM service, Thales helps customers ensure that their data and the keys to that data are secure, regardless of where their data resides, by supporting third-party HSM integrations, common SDK and API support, and high-availability group access for both on-premises Luna devices and DPoD services. Thales is the only vendor that offers an extensive range of HSM deployment options, providing a truly hybrid HSM that can distribute workloads between on-premises and cloud-based environments and maintain a real-time, cloud-based backup of an organization’s cryptographic objects.
Going forward, Fujitsu is interested in using the success of the DPoD-Microsoft CA offering to create other services such as key management and encryption services. Thales will continue to work with Fujitsu and its other managed service provider (MSP) partners to enable them to expand their service offerings that simplify the adoption of high-assurance data security and better protect their customers.
For more information on the Thales-Fujitsu partnership and its combined DPoD-Microsoft CA offering, download this case study.