Title of Invention: SYSTEMS AND METHODS FOR CLOUD-BASED WEB SERVICE SECURITY MANAGEMENT BASED ON HARDWARE SECURITY MODULE
Abstract: A new approach is proposed that contemplates systems and methods to support security management for a plurality of web services hosted in a cloud at a data center, allowing them to offload their crypto operations to one or more hardware security modules (HSMs) deployed in the cloud. Each HSM is a high-performance, Federal Information Processing Standards (FIPS) 140-compliant security solution for crypto acceleration of the web services. Each HSM includes multiple partitions, wherein each HSM partition is dedicated to supporting one of the web service hosts/servers, which offloads its crypto operations via one of a plurality of HSM virtual machines (VMs) over the network. An HSM managing VM can also be deployed to monitor and manage the operations of the HSM-VMs to support a plurality of web services.
Publication No.: US2016149877(A1)  Publication Date: 2016.05.26
Application No.: US201414299739  Filing Date: 2014.06.09
Applicant: CAVIUM, INC.  Inventors: KANCHARLA Phanikumar; MANAPRAGADA Ram Kumar
Classification: H04L29/06; H04L9/08  Main Classification: H04L29/06
Agency:  Agent:
Main Claim: 1. A system for offloading key storage, management, and crypto operations for cloud-based web services, comprising: a hardware security module (HSM), comprising one or more HSM partitions, wherein each of the HSM partitions is configured to perform key management and crypto operations for a web service host; an HSM managing virtual machine (VM) running on a host, which in operation, is configured to create one or more HSM virtual machines (HSM-VMs), wherein each of the HSM-VMs is authenticated by and dedicated to one of the HSM partitions of the HSM in a one-to-one correspondence; said one or more HSM-VMs running on a host, which in operation, is each configured to: establish a secured communication channel over a network between the web service host and the HSM-VM to be served by an HSM partition dedicated to the HSM-VM; receive and provide a request and/or data from the web service host to the HSM partition via the secured communication channel; and provide results of the key management and crypto operations by the HSM partition back to the web service host via the secured communication channel.
Address: San Jose, CA, US