SYSTEMS AND METHODS FOR CLOUD-BASED WEB SERVICE SECURITY MANAGEMENT BASED ON HARDWARE SECURITY MODULE
First Claim
1. A system for offloading key storage, management, and crypto operations for cloud-based web services, comprising:
- a hardware security module (HSM), comprising one or more HSM partitions, wherein each of the HSM partitions is configured to perform key management and crypto operations for a web service host;
- an HSM managing virtual machine (VM) running on a host, which in operation, is configured to create one or more HSM virtual machines (HSM-VMs), wherein each of the HSM-VMs is authenticated by and dedicated to one of the HSM partitions of the HSM in a one-to-one correspondence;
- said one or more HSM-VMs running on a host, which in operation, is each configured to:
  - establish a secured communication channel over a network between the web service host and the HSM-VM to be served by an HSM partition dedicated to the HSM-VM;
  - receive and provide a request and/or data from the web service host to the HSM partition via the secured communication channel; and
  - provide results of the key management and crypto operations by the HSM partition back to the web service host via the secured communication channel.
Abstract
A new approach is proposed that contemplates systems and methods to support security management for a plurality of web services hosted in a cloud at a data center to offload their crypto operations to one or more hardware security modules (HSMs) deployed in the cloud. Each HSM is a high-performance, Federal Information Processing Standards (FIPS) 140-compliant security solution for crypto acceleration of the web services. Each HSM includes multiple partitions, wherein each HSM partition is dedicated to support one of the web service hosts/servers to offload their crypto operations via one of a plurality of HSM virtual machines (VMs) over the network. An HSM managing VM can also be deployed to monitor and manage the operations of the HSM-VMs to support a plurality of web services.
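The abstract and claim 1 describe three roles: partitions that hold keys, HSM-VMs each authenticated to exactly one partition, and a managing VM that creates them. The following toy model is an added illustration, not the patent's or any vendor's implementation; it assumes a per-partition credential as the HSM-VM authentication mechanism, HMAC-SHA256 as a stand-in for the partition's crypto operation, and abstracts the network channel and the FIPS 140 hardware to direct method calls.

```python
# Toy model of the claimed architecture (added illustration, not the patent's code).
import hashlib
import hmac
import secrets

class HsmPartition:
    """One HSM partition: keys are generated and used here and never leave it."""
    def __init__(self, pid):
        self.pid = pid
        self._keys = {}                            # key_id -> secret, partition-local
        self.credential = secrets.token_bytes(16)  # known only to the dedicated HSM-VM

    def generate_key(self, key_id):
        self._keys[key_id] = secrets.token_bytes(32)
        return key_id                              # only a handle leaves the partition

    def sign(self, credential, key_id, data):
        # The partition authenticates the calling HSM-VM before using any key.
        if not hmac.compare_digest(credential, self.credential):
            raise PermissionError(f"caller not authenticated to partition {self.pid}")
        return hmac.new(self._keys[key_id], data, hashlib.sha256).digest()

class HsmVm:
    """HSM-VM dedicated to one partition; relays one web host's requests to it."""
    def __init__(self, partition, credential):
        self.partition, self._credential = partition, credential

    def handle(self, request):   # request as received over the secured channel
        if request["op"] == "generate_key":
            return self.partition.generate_key(request["key_id"])
        if request["op"] == "sign":
            return self.partition.sign(self._credential, request["key_id"], request["data"])
        raise ValueError(f"unsupported op {request['op']!r}")

class HsmManagingVm:
    """Creates HSM-VMs and enforces the one-to-one partition assignment."""
    def __init__(self, partitions):
        self.partitions = {p.pid: p for p in partitions}
        self.assigned = {}                         # pid -> HsmVm

    def create_hsm_vm(self, pid):
        if pid in self.assigned:
            raise RuntimeError(f"partition {pid} already has a dedicated HSM-VM")
        partition = self.partitions[pid]
        self.assigned[pid] = vm = HsmVm(partition, partition.credential)
        return vm
```

The two refusals (an HSM-VM presenting another partition's credential, and a second HSM-VM for an already-assigned partition) are the properties the claim's "authenticated by and dedicated to ... in a one-to-one correspondence" language is meant to guarantee.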
26 Claims
1. A system for offloading key storage, management, and crypto operations for cloud-based web services (independent claim; full text given under First Claim above). Dependent claims: 2-19.

20. A method for offloading key storage, management, and crypto operations for cloud-based web services, comprising:
- creating one or more virtual machines (VMs) on a host, wherein each of the VMs is authenticated and dedicated to one of a plurality of partitions of a hardware security module (HSM) in a one-to-one correspondence;
- establishing a secured communication channel over a network between a web service host and a VM to be served by an HSM partition dedicated to the VM;
- receiving and providing a request and/or data from the web service host to the HSM partition by the VM via the secured communication channel;
- performing key management and crypto operations via the dedicated HSM partition for the web service host; and
- providing results of the key management and crypto operations back to the web service host via the secured communication channel.
Dependent claims: 21-26.

Specification