Public Cloud Integration

Integrate cloud HSM and key management services

Connect to a multi-cloud environment

Public cloud security

Integrate workloads running inside public clouds with Futurex VirtuCrypt cloud HSMs. All VirtuCrypt cloud services are powered by Futurex FIPS 140-2 Level 3-certified cryptographic modules. The VirtuCrypt cloud is your doorway to unlimited cryptographic functionality through native public cloud integration.


Sign up for cloud HSM services directly from cloud provider marketplaces:

  • Amazon Web Services (AWS cloud HSM integration)
  • Microsoft Azure (Azure dedicated HSM)
  • Google Cloud Platform (Google cloud HSM integration, by consultation)

Connection architecture

VirtuCrypt and the public cloud

Futurex solutions come with vendor-neutral APIs so you can integrate our services with the public cloud. This helps with onboarding, scaling your infrastructure, and securing communication.

High availability, no matter your location

Our global data center presence provides cloud computing at the edge, with data center failover and monitoring by region. Learn more about VirtuCrypt data centers.

VAP

A VirtuCrypt Access Point (VAP) is a streamlined method for connecting applications running within public clouds to Futurex VirtuCrypt cloud HSMs through a secure private network that avoids using the public internet. Users establish a VAP through the user-friendly VirtuCrypt Intelligence Portal (VIP), avoiding the typical hassle of creating firewall rules, setting up site-to-site VPNs, and other networking activities. The result is a connection with higher security and lower latency.

CryptoTunnel

A CryptoTunnel defines the connection parameters to VirtuCrypt. It consists of the following elements: a name, the Cryptoverse used to authenticate clients, the service to which the tunnel routes (the cloud HSM), the incoming channel (Internet, public cloud, and so on), the public cloud provider, the public cloud region, and any information that you need to whitelist.

Cryptoverse

A Cryptoverse uses a PKI managed by VirtuCrypt to determine the services to which public cloud applications have access. You can use a Cryptoverse to encrypt and mutually authenticate all endpoints, whether cloud HSM services, connections to VirtuCrypt, access points like load balancers and edge systems, or client applications.

Endpoints

Endpoints allow your organization to access VirtuCrypt in the public cloud. You need to designate an endpoint on the VAP to create the communication channel between the public cloud and the VirtuCrypt cloud HSM. Define the endpoints with the VirtuCrypt Intelligence Portal.

Cryptographic Architecture

Learn more about why Futurex technology is future-proof


About Futurex

For over 40 years, Futurex has protected the world’s most sensitive data.

Why integrate?

Benefits of integrating cloud HSMs with public clouds

High availability and disaster recovery

The VirtuCrypt Intelligence Platform makes it easy to manage your cloud infrastructure. Configure cloud HSMs to be highly available, with high fault tolerance and full disaster recovery capabilities.

Multi-region and application support

Enable a single cloud HSM to connect with multiple public cloud regions. Applications from different global regions can connect to VirtuCrypt cloud HSMs simultaneously.

Cloud-like features

Grow your cloud footprint by creating HSM environments that scale on demand. VirtuCrypt’s management features perform system updates and maintenance with no downtime.

Simple and secure process

VirtuCrypt onboarding

VirtuCrypt hardens your HSM and key management infrastructure, establishing security from step one to eliminate process-related risks or errors.

Futurex designed our onboarding process for compliance, security, and ease of use. VirtuCrypt follows this standardized onboarding process validated by independent third-party auditors for adherence to compliance requirements.

Get started

1. Create a VIP account and go through onboarding administration.
2. Download a client certificate from the VIP portal.
3. Set up the network and conduct validation with VirtuCrypt.
4. Load major keys and network keys into the HSM estate.

VirtuCrypt Intelligence Portal (VIP)

The VirtuCrypt Intelligence Portal (VIP) provides customers with control and visibility of their cloud in the field or corporate office. VirtuCrypt CryptoTunnels ensure secure communication between applications and HSMs.

  • On-demand cloud HSM provisioning
  • User-managed high availability clustering
  • Centralized log management and reporting
  • RESTful API for integrating VirtuCrypt programmatically

Hardware-backed cloud services

VirtuCrypt Cloud combines the convenience of a scalable cloud platform with the enterprise-grade security of FIPS 140-2 Level 3-validated cryptographic hardware.

  • VirtuCrypt cloud HSMs
  • VirtuCrypt cloud payment HSMs
  • Cloud data security services

Frequently Asked Questions

This whitepaper provides an overview of the architecture of cloud payment HSMs and an increasingly popular deployment approach organizations are migrating to – cloud HSMs integrated natively with public clouds.

Addressed in the document are the features and benefits of cloud integration, what components comprise the infrastructure, and how this service is deployed, focusing specifically on usage examples with Amazon Web Services, although these same principles apply to all major public cloud providers. It also discusses compliance certifications and key management methods, VirtuCrypt service models, and what capabilities exist for expansion.

In recent years, public cloud usage has been on the rise. As more businesses become globally connected, the demand for cloud computing has increased. According to Gartner, the market for public cloud services is expected to reach $266.4 billion in 2020, growing 17 percent from the previous year. The threats against data security are growing as well, and users need protection without sacrificing cost and efficiency. The benefits of the public cloud are a large part of why the shift towards it has accelerated in the last few years: cost-efficiency, flexibility, speed of deployment, and in many cases, higher security as well.

An increasingly popular choice for public cloud usage is direct integration with other services and applications housed outside the public cloud itself. Integrating on-premises hardware with cloud-based applications, or connecting Software-as-a-Service (SaaS) solutions to separate cloud applications, unifies data and improves sharing and visibility.

SaaS, the largest market segment of the public cloud services, is expected to grow to $116 billion in 2020, according to Gartner. This growth is attributed to increasing demand in workload and applications that cannot be accommodated solely by on-premises data centers. As the demand for cloud services increases and many financial acquiring, issuing, and Point-to-Point Encryption (P2PE) application providers take a cloud-native approach, organizations are looking to their payment hardware security module (HSM) vendors for cloud solutions.

Public Cloud Providers Supporting Native HSM Integration

Financial data security architecture has evolved over time. Now, most financial organizations deploy some form of HSM and payment application infrastructure. What began as on-premises infrastructure is transitioning to an almost entirely cloud-hosted infrastructure.

Initially, payment applications and HSMs were managed on-premises at an organization’s own data centers. While this structure can be beneficial for organizations operating their own data centers, many others began to move towards the cloud in order to increase scalability and redundancy and to reduce internal IT operations, so they could focus more on their own core competencies.

As organizations began moving towards a partial cloud environment, payment applications were placed in the cloud while HSMs were maintained on-premises. This hybrid approach allows for greater flexibility and redundancy for the payment application, but the burden of managing HSMs on-premises, including staff training, compliance audits, and higher up-front capital expenditure, remained.

After fully realizing the benefits of the cloud for their payment applications, many financial services providers found that moving the HSM component to the cloud provided even more opportunities for maintaining a secure, robust, and scalable cryptographic infrastructure. Today, many organizations take the approach of opting to have their payment application hosted with the public cloud provider and their HSMs with a cloud HSM service such as Futurex’s VirtuCrypt offering. These organizations reap the benefits of hosting in the cloud – complete flexibility, customizability, reduced cost – as well as maintain the high standard of hardware security and encryption capabilities. Organizations self-manage the connection between their payment applications and their cloud HSMs.

Now, even more organizations are wanting to take full advantage of the services provided by a public cloud provider. When using cloud HSMs that are natively integrated with public cloud providers, operational burdens are significantly reduced. Networking infrastructure is made much simpler, onboarding is fast, establishing multi-cloud and multi-region high availability is a near-turnkey process, and operational tasks like invoicing and payments are built on top of the organization’s existing public cloud account management structure.

Many organizations are pursuing integrated solutions that migrate the HSM and payment application to the cloud with full integration. It is not as common to host the HSM and host application independently or on-premises. There are several features of this new model that draw organizations in:

  • Easy onboarding and renewals, performed through an organization’s existing public cloud account
  • Secure communication from the public cloud to VirtuCrypt cloud HSMs, with no direct Internet routing
  • VirtuCrypt cloud HSM routing based on region, for multiple regions and multiple clouds
  • VirtuCrypt data center failover and monitoring by region

An example of a public cloud provider that can be integrated with cloud payment HSMs is Amazon Web Services (AWS). Using AWS as a public cloud provider, this section provides an example of how the integration process works.

One of the main benefits of integrating cloud HSMs with AWS is the full integration with the Amazon Marketplace. As one of the largest and most widely used cloud platforms, AWS has a multitude of services that can be utilized for hosting applications and infrastructure with global availability. Using the Amazon Marketplace helps with onboarding as well: if a client is already using AWS, onboarding and renewal are much simpler because the existing customer information available through AWS can be reused.

Through AWS, you can create a Virtual Private Cloud (VPC) that can connect to VirtuCrypt. A VPC allows for a logically separated section of the cloud where your organization can define its own virtual network and handle workloads. These VPCs are deployed per AWS region. With this integration, customers will be able to use VirtuCrypt Access Points (VAPs) that manage access to the VirtuCrypt cloud. By using VAPs, the process of connecting to VirtuCrypt eliminates any need for direct Internet routing.

In addition to enabling access to the same VirtuCrypt cloud services from multiple AWS regions, organizations benefit from the variety of access methods, such as on-premises applications through Internet or VPN and hybrid environments. Access to all the different regions allows for lower latency, increased availability, and more robust levels of disaster recovery and redundancy.

When integrating a VirtuCrypt cloud payment HSM with a public cloud, several components are incorporated to ensure the process moves smoothly. First, we will define the necessary components of the infrastructure, then we will show how the process works. In some scenarios, not all these components are required. When architecting a cloud payment HSM infrastructure, it is important to outline your organization’s goals and discuss how best to achieve them both with Futurex’s Solutions Architects and with your payment application provider.

The following components are used to integrate public clouds with VirtuCrypt cloud payment HSMs:

VirtuCrypt:
  • VirtuCrypt Intelligence Portal (VIP) Account
  • Cryptoverse
  • CryptoTunnel
  • VirtuCrypt Access Point (VAP)

Public Cloud Provider:
  • Virtual Private Cloud (VPC)
  • Endpoints/PrivateLink

VirtuCrypt Intelligence Portal (VIP) Account

The VirtuCrypt Intelligence Portal is the primary method through which users manage their cloud payment HSM service. An account is needed on the VIP to integrate the public cloud with the cloud payment HSM. The VIP is a secure website for configuring and reviewing everything related to your organization’s VirtuCrypt services. Through its dashboard, the VIP allows for secure management and monitoring of your entire cloud payment HSM environment, audit logs, and tracking account activity from a single location. Existing VirtuCrypt customers will already have accounts on the VIP, but new customers will need to create a new account on the VIP Dashboard.

Cryptoverse

Utilizing a PKI managed by VirtuCrypt, a Cryptoverse isolates which services the public cloud applications have access to. A Cryptoverse is used to ensure mutual authentication and strong encryption with all endpoints, whether those are cloud HSM services, incoming connections to VirtuCrypt, access points like load balancers and edge systems, or client applications. Services are segregated by their Cryptoverse and users must download client keys and certificates for remote applications to authenticate to different services.
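The Cryptoverse description above (and the shorter one earlier on this page) says that clients present downloaded keys and certificates and that every endpoint is mutually authenticated under a VirtuCrypt-managed PKI. The following Python block is an added example of what that looks like on the application side; it is not Futurex or VirtuCrypt code, and it assumes (the page does not say) that the HSM service is reached over TLS at a host and port issued in the VIP, that the client certificate and key are the ones downloaded from the VIP, and that the application should trust only the VirtuCrypt-managed CA rather than the operating-system trust store. It also includes a small audit function so a deployment can verify nobody has weakened the context.

```python
"""Application-side mutual TLS toward a Cryptoverse-protected service.

Added example, not VirtuCrypt/Futurex code. Assumed (not stated on the page):
the application reaches the HSM service at a host and port issued in the VIP,
authenticates with the client certificate and key downloaded from the VIP, and
trusts only the VirtuCrypt-managed CA that signed the service certificate.
"""
import socket
import ssl
from typing import List


def harden_client_context(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Settings a private-PKI client must never relax."""
    ctx.check_hostname = True                     # tie the server certificate to the host we dialed
    ctx.verify_mode = ssl.CERT_REQUIRED           # refuse any server that presents no valid certificate
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no fallback to legacy protocol versions
    ctx.options |= ssl.OP_NO_COMPRESSION          # TLS compression leaks plaintext (CRIME-class attacks)
    return ctx


def baseline_client_context() -> ssl.SSLContext:
    """Hardened context with no trust anchors or client credentials loaded yet."""
    # PROTOCOL_TLS_CLIENT does not load the operating-system trust store, so
    # only a CA loaded explicitly (below) will be accepted as an issuer.
    return harden_client_context(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT))


def build_cryptoverse_client_context(ca_file: str, cert_file: str, key_file: str) -> ssl.SSLContext:
    """Context in which both ends authenticate with Cryptoverse-issued material.

    ca_file   -- VirtuCrypt-managed CA certificate (PEM); the only trust anchor
    cert_file -- client certificate downloaded from the VIP (PEM)
    key_file  -- its private key; keep it readable only by the service account
    """
    ctx = baseline_client_context()
    ctx.load_verify_locations(cafile=ca_file)
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the ways a context falls short of the baseline (empty list = compliant)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression allowed")
    return findings


def example_weak_context() -> ssl.SSLContext:
    """A deliberately misconfigured context, constructed here only to show what the audit catches."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be disabled before verify_mode can drop to CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # the classic "it works now" change that silently disables server authentication
    return ctx


def open_hsm_session(host: str, port: int, ctx: ssl.SSLContext, timeout: float = 10.0) -> ssl.SSLSocket:
    """Dial the service; the handshake fails closed if either side's certificate does not chain to the CA."""
    findings = audit_client_context(ctx)
    if findings:
        raise ValueError("refusing to connect with a weakened TLS context: %s" % findings)
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    print("baseline findings:", audit_client_context(baseline_client_context()))
    print("weak context findings:", audit_client_context(example_weak_context()))
```

In production the application would call `build_cryptoverse_client_context()` with the three PEM files and then `open_hsm_session()`; the `ValueError` guard means a later "fix" that disables verification is caught at connect time rather than discovered in an audit.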

CryptoTunnel

A CryptoTunnel defines the connection parameters to VirtuCrypt. It consists of a name, the Cryptoverse used to authenticate incoming clients, the service that the tunnel will be routed to (the cloud HSM), the incoming channel (Internet, public cloud, etc.), the public cloud provider, the region of the public cloud that will be operated in, and any information that must be whitelisted.

VirtuCrypt Access Point (VAP)

A VirtuCrypt Access Point (VAP) is a VirtuCrypt-owned Virtual Private Cloud. Virtual Private Clouds allow for a logically separated section of the public cloud where an organization, in this case VirtuCrypt, defines its own virtual network. The VAP enables access to VirtuCrypt from a public cloud in a secure manner without directly transiting the Internet, and it also offers connectivity for a range of other access methods. These access methods include connections from and between different public cloud provider regions (US/Canada, Europe, Latin America, for example), access from on-premises applications using a VPN, or hybrid environments.

Endpoints/PrivateLink

The endpoint allows your organization to access VirtuCrypt in the public cloud. An endpoint must be designated on the VirtuCrypt Access Point to create the communication channel between the public cloud and the VirtuCrypt cloud payment HSM.

VirtuCrypt follows a standardized onboarding process which has been validated by independent third-party auditors for adherence to compliance. Our test and production environments follow similar workflows for onboarding and setup, with the exception being that production environments have stricter requirements.

By working with VirtuCrypt to establish your data security infrastructure, security is established from the source, thus removing the chance that any process-related risks or errors have occurred. The onboarding process is designed with compliance, security, and ease of use in mind.

The following steps are required to complete onboarding with VirtuCrypt:

  • Completion of forms and due diligence to validate personnel
  • Creation of a VIP account
  • Download client certificate
  • Network setup and validation
  • Load major keys and network keys

To deploy the VirtuCrypt cloud payment HSM service, several options are available:

  • Native deployment through the public cloud (AWS Marketplace, for example)
  • Futurex hybrid: on-premises payment application and on-premises Futurex HSMs
  • Full VirtuCrypt cloud option #1: on-premises payment application and VirtuCrypt cloud payment HSMs
  • Full VirtuCrypt cloud option #2: public cloud payment application and VirtuCrypt cloud payment HSMs

The process begins by signing up for a VirtuCrypt service on the public cloud provider. The VirtuCrypt products currently offered are cloud payment HSMs for acquiring, issuing, and P2PE. Because the HSM is licensed through an online subscription, the cloud HSMs fall under the Software-as-a-Service category.

After signing up for a service, users are directed to a VIP registration page. Customers either create a new VIP account or sign into an existing account if they are already a VirtuCrypt customer. VirtuCrypt associates the service with the account, placing the service status into a pending state while the data is connected through the backend. Once the service has been successfully connected to the VirtuCrypt account, the user must create a CryptoTunnel.

Once the CryptoTunnel has been established, the VirtuCrypt Intelligence Portal reaches out to the specified region’s VirtuCrypt Access Point. After the portal has contacted the VAP, a load balancer is set up, which also creates an endpoint with a VAP ID that points to VirtuCrypt.

Finally, in order to connect the VirtuCrypt Access Point to the CryptoTunnel, the VAP site-to-site VPN must be established. Once the site-to-site VPN is securely established, the communication between the cloud payment HSM in VirtuCrypt and the payment application hosted in the customer’s VPC at the public cloud provider can begin.
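The customer-side part of the flow just described is the endpoint in the organization's own VPC that points at the VAP. The Terraform below is an added example, not Futurex or AWS code, of how a practitioner would provision that endpoint with least-privilege network rules. It assumes (the page does not state this) that the customer-side object is a standard AWS interface VPC endpoint (PrivateLink) whose service name is issued during CryptoTunnel setup in the VIP, and that the HSM service is reached on a single TCP port; the port number and service name are placeholders. The VAP site-to-site VPN is VirtuCrypt's side of the link and is not modelled here.

```hcl
# Added example, not VirtuCrypt/Futurex code. Assumptions (labelled):
#  - the customer side of the VAP link is a standard AWS interface VPC endpoint
#    (PrivateLink) whose service name is issued in the VIP during CryptoTunnel setup
#  - the HSM service is reached on one TCP port; the default below is a PLACEHOLDER

variable "vpc_id"             { type = string }
variable "private_subnet_ids" { type = list(string) }  # subnets that host the payment application
variable "vap_service_name"   { type = string }        # PLACEHOLDER: the com.amazonaws.vpce.<region>.vpce-svc-... name shown in the VIP
variable "hsm_port" {
  type    = number
  default = 9100                                       # PLACEHOLDER port, not a documented VirtuCrypt value
}

# No inline rules: the AWS provider drops the default allow-all egress on groups it
# creates, so the only traffic the application may send is the single rule below.
resource "aws_security_group" "payment_app" {
  name   = "payment-app"
  vpc_id = var.vpc_id
}

resource "aws_security_group" "hsm_endpoint" {
  name   = "virtucrypt-endpoint"
  vpc_id = var.vpc_id
}

# Standalone rule resources avoid a dependency cycle between the two groups.
resource "aws_security_group_rule" "app_to_hsm" {
  type                     = "egress"
  security_group_id        = aws_security_group.payment_app.id
  source_security_group_id = aws_security_group.hsm_endpoint.id   # destination for an egress rule
  from_port                = var.hsm_port
  to_port                  = var.hsm_port
  protocol                 = "tcp"
}

resource "aws_security_group_rule" "hsm_from_app" {
  type                     = "ingress"
  security_group_id        = aws_security_group.hsm_endpoint.id
  source_security_group_id = aws_security_group.payment_app.id
  from_port                = var.hsm_port
  to_port                  = var.hsm_port
  protocol                 = "tcp"
}

# Interface endpoint: traffic to the HSM stays on the AWS backbone toward the VAP,
# which matches the page's "no direct Internet routing" property.
resource "aws_vpc_endpoint" "virtucrypt" {
  vpc_id              = var.vpc_id
  service_name        = var.vap_service_name
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [aws_security_group.hsm_endpoint.id]
  private_dns_enabled = false   # third-party endpoint services rarely offer private DNS; use the ENI name below
}

output "hsm_endpoint_dns" {
  description = "Host name the payment application should use to reach the cloud HSM"
  value       = aws_vpc_endpoint.virtucrypt.dns_entry[0].dns_name
}
```

The payment application is then configured with the `hsm_endpoint_dns` output as its HSM host, and TLS to that host is authenticated with the Cryptoverse client certificate rather than by the network path alone: the security group pair limits which instances can reach the endpoint, and the PKI decides which of those are allowed to talk to the service.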

One important feature of an integrated public cloud and cloud payment HSM infrastructure is the ability to use a single cloud HSM with connections from multiple public cloud regions. This entails having a cloud service from a public cloud provider running in multiple availability regions that connect to one or more instances of VirtuCrypt.

In previous infrastructure models, applications could only connect to their VirtuCrypt cloud HSMs directly over the Internet or through a customized site-to-site VPN. With this new architecture, multiple payment applications can simultaneously connect to VirtuCrypt cloud payment HSMs through the public cloud from regions spanning the globe. In turn, this increases high availability: system updates and maintenance can be accomplished without taking core systems offline, and organizations that are becoming increasingly globally connected can build on a secure, low-latency, highly scalable, and failure-resistant infrastructure.

The migration of enterprise workloads to the cloud is not slowing down, and financial services providers are no exception. With many organizations already moving their payment applications to public clouds, the question of HSM integration and whether to move these to the cloud as well is a vital one that takes careful thought and consideration.

Whether exploring VirtuCrypt cloud payment HSMs for testing and development, deploying a hybrid environment paired with existing on-premises Futurex HSMs, or fully transitioning all cryptographic processing for acquiring, issuing, and P2PE to the cloud, it is clear that cloud HSMs can provide significant advantages.

Through the models offered from VirtuCrypt, organizations have many options for customizing their HSM redundancy, throughput, and functionalities. As public cloud usage continues to rise, we will likely see more and more financial services providers taking steps like this to increase security and flexibility for their end customers.
