New Amazon CloudHSM service vows enterprise-grade security

Amazon Web Services runs on tons and tons of shared hardware. That’s a huge benefit in terms of cost but also spooks customers with strict regulatory requirements that prevent them from running their applications on shared infrastructure.
But now, as Amazon tries to woo these picky customers, it’s trying to replicate some of the perks that come with dedicated, on-premises hardware. That’s what the new CloudHSM service is about. Traditionally, a Hardware Security Module is a dedicated, hardened box for storing keys and running cryptography. Amazon says it can bring that dedicated security to its customers within its infrastructure.
In a Tuesday night blog post, Amazon said CloudHSM:

“brings the benefits of HSMs to the cloud. You retain full control of the keys and the cryptographic operations performed by the HSM(s) you create, including exclusive, single-tenant access to each one. Your cryptographic keys are protected by a tamper-resistant HSM that is designed to meet a number of international and US Government standards including NIST FIPS 140-2 and Common Criteria EAL4+.”

Each CloudHSM provisioned for the customer incurs an upfront, one-time $5,000 fee and then an hourly rate of $1.88 per hour or $1,373 per month. Pricing is here.

Bringing on-prem perks to public infrastructure

Amazon has made progress in offering more enterprise-grade cloud capabilities with its GovCloud services and Virtual Private Cloud capabilities. But still, even some of the biggest AWS customers will only put parts of their workloads on the Amazon cloud. The mission-critical goodies stay on premises or on private clouds.
That’s why Amazon has to get more acclimated with private cloud capabilities. Observers say one reason that AWS might be building a private cloud for the CIA, as has been reported, is to prove its credibility there. And that’s why we’ll be seeing more services like this CloudHSM service.