SYSTEMS AND METHODS FOR HIGH AVAILABILITY OF HARDWARE SECURITY MODULES FOR CLOUD-BASED WEB SERVICES
First Claim
1. A system to support high availability (HA) of hardware security modules (HSMs) for cloud-based web services, comprising:
- an HSM HA domain including a plurality of HSM adapters, wherein each of the HSM adapters further comprises;
a plurality of active HSM partitions running on each of the HSM adapters, wherein each of the HSM partitions is configured to perform key management and crypto operations offloaded from a web service host;
an HSM managing virtual machine (VM) running on a host, which in operation, is configured to;
monitor load information on key management and crypto operations currently being performed by the HSM partitions running on the HSM adapters in the HSM HA domain;
identify one or more second HSM partitions running on the HSM adapters if a first HSM partition serving the offloaded key management and crypto operations is determined to be overloaded based on the load information;
distribute at least a portion of the offloaded key management and crypto operations from the first HSM partition to the second HSM partitions.
0 Assignments
0 Petitions
Accused Products
Abstract
A new approach is proposed to support high availability (HA) of hardware security module (HSM) adapters in an HSM HA domain for web services hosted in a cloud to offload their key storage, management, and crypto operations to the HSM adapters. Each of the HSM adapters is a high-performance, FIPS 140-compliant security solution and includes multiple partitions isolated from each other each dedicated to support one of the web service hosts to offload its key management crypto operations. An HSM managing virtual machine (VM) monitors load information on the operations currently being performed by the HSM partitions in the HSM HA domain and identifies one or more second HSM partitions if a first HSM partition serving the operations is determined to be overloaded. The HSM managing VM then distributes a portion of the offloaded key management and crypto operations from the first HSM partition to the second HSM partitions.
-
Citations
34 Claims
-
1. A system to support high availability (HA) of hardware security modules (HSMs) for cloud-based web services, comprising:
-
an HSM HA domain including a plurality of HSM adapters, wherein each of the HSM adapters further comprises; a plurality of active HSM partitions running on each of the HSM adapters, wherein each of the HSM partitions is configured to perform key management and crypto operations offloaded from a web service host; an HSM managing virtual machine (VM) running on a host, which in operation, is configured to; monitor load information on key management and crypto operations currently being performed by the HSM partitions running on the HSM adapters in the HSM HA domain; identify one or more second HSM partitions running on the HSM adapters if a first HSM partition serving the offloaded key management and crypto operations is determined to be overloaded based on the load information; distribute at least a portion of the offloaded key management and crypto operations from the first HSM partition to the second HSM partitions. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
-
-
21. A method to support high availability (HA) of hardware security modules (HSMs) for cloud-based web services, comprising:
-
performing key management and crypto operations offloaded from a web service host via one or more of a plurality of HSM partitions running on one or more HSM adapters in an HSM HA domain having a plurality of HSM adapters; monitoring load information on the offloaded key management and crypto operations currently being performed by the HSM partitions running on the HSM adapters in the HSM HA domain; identifying one or more second HSM partitions running on the HSM adapters if a first HSM partition serving the offloaded key management and crypto operations is determined to be overloaded based on the load information; distributing at least a portion of the offloaded key management and crypto operations from the first HSM partition to the second HSM partitions. - View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
-
Specification