Overview

CloudHSM offers a range of service packages designed to meet varying architecture, capacity, and performance needs. Choose from dedicated or shared HSM options, tailored to your requirements, including flexible solutions for production, testing, and hosted environments.

Shared HSMs

  • CloudHSM Economy (ECO) is a multi-tenant HSM service. The subscriber obtains unique access to their partition on an HSM cluster for secure key storage and usage. The clusters in these packages are formed by 2 active HSMs in 2 active data centers and a third HSM in a NATO Zone 2 electromagnetic pulse (EMP) protected bunker in the Alps, which serves as a backup and disaster recovery facility.
  • CloudHSM Economy Certified is operated in Common Criteria mode and is certified according to CC EN 419 221-5, which is relevant for eIDAS-compliant qualified signatures.
  • CloudHSM Sandbox (SBX) is our dedicated package for integration and pre-production testing. Firmware updates will be deployed first on CloudHSM Sandbox (SBX) for customer testing and verification, before being rolled out to the CloudHSM Economy (ECO), Certified and Platinum production environments.
  • CloudHSM Bring Your Own Key is a multi-tenant HSM service with a 1 MB capacity.

What is an HSM partition?

A partition is defined as the amount of user space in megabytes (MB) allocated on each HSM in the cluster for storing objects and partition logs.

Dedicated HSMs

  • CloudHSM Platinum is a managed service of a dedicated HSM. Starting from two HSM devices, the subscriber decides on the cluster size, number of partitions, capacity and deployment locations in our worldwide datacenters. For more information and options, please contact Securosys sales.
  • HSM Operation Service (HOS) is a managed service of your purchased Primus HSM within the CloudHSM environment.

Service Package Comparison

| | Economy (ECO) | Economy Certified (ECO CC) | Sandbox (SBX) | Platinum | HSM Operation Service (HOS) | Bring Your Own Key (BYOK) |
|---|---|---|---|---|---|---|
| Subscription Type | Multi-tenant HSM subscription | Multi-tenant HSM subscription | Multi-tenant HSM subscription | Dedicated HSM subscription | Dedicated HSM purchased (customer owned) | Multi-tenant HSM subscription |
| Platform | 2x1 +1, 3 HSM in 3 data centers | 2x1 +1, 3 HSM in 3 data centers | 2x1, 2 HSM in 2 data centers (Testing) | Dedicated HSMs hosted in data centers | Dedicated HSMs hosted in data centers | 2x1 +1, 3 HSM in 3 data centers |
| Performance (Sig./Min) | Up to 600 | Up to 600 | Best available | Up to 12'000 | Up to 120'000 | - |
| Capacity | 10 MB | 10 MB | 10 MB | 120 MB | 30 GB | 1 MB |
| Support: Availability | 24 x 7 x 365 | 24 x 7 x 365 | 24 x 7 x 365 | 24 x 7 x 365 | 24 x 7 x 365 | 24 x 7 x 365 |
| Support: Response time (critical/major/minor) | 2/8/24h | 2/8/24h | 8/12/24h | 2/8/24h | 2/8/24h | 2/8/24h |

Platform

The platform is a High Availability (HA) cluster with synchronized data available in active/active mode and, in the case of ECO, ECO CC or BYOK, a third HSM that is located in a Business Continuity Data Center.

Performance

Consistent performance is guaranteed on the ECO and ECO CC packages, measured as the average number of RSA4096/ECC512 signatures processed per minute over a 24-hour window. No hard rate limit is imposed. Performance fluctuations may be observed over short intervals.

Partition Remote Administration

By default, Securosys provides support to perform any changes you request on your HSM.

However, with our Decanus Terminal’s Partition Administration you also have the option to fully control access to your HSM partition. This includes making configuration changes, downloading backups, and even disabling HSM administrators' access to your partition. This way, you benefit from the security advantages of your own HSM without the usual headaches and costs.

Configuration Options

All CloudHSM service packages can be individually configured with regard to the required API integration and optional packages for Crypto Currencies, Smart Key Attributes, Post-Quantum Cryptographic (PQC) Algorithms and Transaction Security Broker.

Furthermore, in the Partition Security Policy, you can configure policy settings for Key Import, Key Export and Key Invalidation. Additionally, access to the CloudHSM partition can be restricted to a list of whitelisted source IP addresses.