VirtuCrypt’s cloud HSM infrastructure can be deployed in either a hybrid environment or a full cloud environment. No model is objectively better than the other, but organizations should carefully consider their short-term and long-term goals when deciding how to integrate cloud HSMs into their cryptographic ecosystem.
Hybrid
The hybrid model contains both on-premises Futurex HSMs and VirtuCrypt cloud HSMs. Organizations with large onpremises HSM estates may prefer a hybrid model. It lets them slowly transition to the cloud over time.
Hybrid models also provide failover, in which cloud HSMs only process traffic when on-premises HSMs are unavailable. Another advantage of hybrid infrastructures is scalability. If an organization is faced with unexpectedly high volume, cloud HSMs can supply extra capacity to prevent slowdowns or outages.
Full VirtuCrypt Cloud
In a full cloud model, an organization would host their entire HSM ecosystem within VirtuCrypt. With VirtuCrypt, organizations can spin up cloud HSMs on-demand with the full encryption and key management capabilities of a physical HSM. These organizations reap the benefits of hosting their HSMs in the cloud – complete flexibility, customizability, and reduced cost – as well as maintain the high standard of hardware security.
This option is often used by organizations in a transitional state. They may want to move their applications to the cloud, but they can’t immediately begin the process due to technical or business reasons.
Public Cloud with VirtuCrypt
VirtuCrypt natively integrates with public cloud providers such as AWS, Microsoft Azure, and Google Cloud. This allows for easy onboarding, flexible integration, and secure communication. With Futurex’s global data center presence, organizations get wider availability through different regions, lower latency, as well as better data center failover and monitoring by region.
To integrate VirtuCrypt with applications running in public clouds, the user must register for a VirtuCrypt cloud HSM on the respective cloud provider marketplace, or if not available, sign up for an account directly with VirtuCrypt. After signing up for a service, users are directed to a VIP registration page. Customers either create a new VIP account or sign into an existing account if they are already a VirtuCrypt customer. VirtuCrypt associates the service with the account, placing the service status into a pending state while the data is connected through the backend. After the service is successfully connected to the VirtuCrypt account, the user must create a CryptoTunnel, which is a secure, TLS-authenticated connection between on-premises apps, cloud-hosted applications, and cloud HSMs.
Once the CryptoTunnel is established, the VirtuCrypt Intelligence Portal will reach out to the specified region’s VirtuCrypt Access Point (VAP). A VAP uses a single set of cloud HSMs across multiple regions within a single public cloud provider. After the VirtuCrypt Intelligence Portal has contacted the VAP, a load balancer will be set up, also creating an endpoint or PrivateLink with a VAP ID that points to VirtuCrypt.
Redundant Backup
Data loss, by natural disaster or malicious attack, represents a dire cost to organizations. Establishing a redundant backup of data acts as insurance against such an occurrence, keeping company data safe and secure. To make sure critical data is not lost, it is best practice to integrate a failover system that efficiently mirrors production data.
VirtuCrypt’s facilities are fully redundant across multiple secure data centers. In the event of an outage, applications can be configured to automatically failover to a backup site, either from on premises HSMs to VirtuCrypt, or from one VirtuCrypt cloud HSM to another.
