Cloud & Managed HSM Services

Cloud & Managed HSM Services (Vendor-Neutral)

What we handle for you

  • KMS & Identity: Architecture and hardening for AWS KMS, Azure Key Vault, GCP KMS, IBM/OCI key services; deep integration with IAM/Entra ID (RBAC, conditional access, workload identity, service principals).
  • BYOK/HYOK & Key Lifecycle: Secure key import/export (wrap/unwrap), provenance-preserving re-wraps, rotation schedules, escrow, and dual control / split knowledge.
  • Policy & Governance: FIPS-approved configurations, crypto policies (algorithms, sizes, lifetimes), approval workflows, segregation of duties, and auditor-ready evidence packs.
  • Ceremonies & Operations: Key ceremonies (online/offline), change control, tamper-evident records, monitoring/telemetry, incident runbooks, and HA/DR testing.
  • Procurement & Contracts: Sizing, quotes, SLAs, co-termed renewals, quota management, and vendor ticketing through to resolution.
  • Migrations: On-prem ↔ cloud HSM transitions, cross-cloud moves, and phased cutovers with rollback plans—without service disruption.

Marvell via AWS CloudHSM (LiquidSecurity under AWS CloudHSM)

  • What we deploy: VPC-attached clusters, PKCS#11/JCE/CNG clients, multi-AZ HA, backup/restore strategy.
  • KMS & BYOK/HYOK: Patterns with AWS KMS (external key material, grant policies, key isolation).
  • We manage: Contracts, quotas, scaling plans, CloudWatch/SIEM telemetry, and incident playbooks.

IBM Hyper Protect Crypto Services

  • What we deploy: Dedicated partitions with strong hardware isolation, HA/DR across regions.
  • KMS & Identity: IBM Cloud KMS integrations, IAM policies, service IDs, and secret scopes.
  • We manage: Subscription alignment, support tickets, firmware/config governance, and audit evidence.

Thales via Azure Dedicated HSM Luna 7 A790

  • What we deploy: Single-tenant HSMs with NTLS/STC, partitioning, and workload mapping.
  • KMS & Identity: Tight integration with Azure Key Vault, Entra ID, Managed Identities, and Confidential Computing attestation flows.
  • We manage: Procurement, deployment, logging/monitoring, and DR drills.

Google Cloud — Cloud HSM

  • What we deploy: Regional clusters, signer throughput tuning, key import/wrap pipelines.
  • KMS & BYOK: GCP KMS integrations, CMEK, and Cloud External Key Manager (EKM) patterns.
  • We manage: Tenancy/quotas, support cases, cross-region DR, and policy compliance.

Oracle Cloud — OCI Dedicated HSM

  • What we deploy: HSM tenancy and OKMS integration with OCI networking/HA patterns.
  • KMS & Identity: Policies, dynamic groups, compartments, and audit/log routing.
  • We manage: Oracle contracts, phased on-prem → OCI migrations, and operational runbooks.

nCipher via Oracle Cloud nShield as a Service

  • What we deploy: Security World in the cloud, client tooling, partition/OCS/SO management.
  • KMS & Policy: Policy enforcement, access governance, and workload onboarding.
  • We manage: Service terms, cutover plans, incident response procedures, and evidence packs.

Bottom line

Whether it’s AWS, Azure, Google Cloud, IBM, or Oracle, we handle the KMS, identity, BYOK/HYOK, policy, governance, and ceremony side—so you get validated cryptography, clean audits, and predictable operations.