It seems that the whole world is moving to cloud. Some companies are just taking their first baby steps – lifting and shifting their on-prem workloads into IaaS to save them having to maintain their own data centers and give them more flexibility. Others are re-factoring their workloads to take full advantage of PaaS for greater agility and cost optimization. But nearly all are adopting SaaS as their first choice for off-the-shelf business applications and tooling.
The Many Advantages of SaaS
The popularity of SaaS is due to its many compelling benefits:
- Easy to evaluate product capabilities before purchase
- No CapEx investment required – simply pay-as-you-go
- OpEx cost savings from sharing a multi-tenanted infrastructure with no maintenance, backups, or patching required
- Faster return on investment
- Security and high availability baked in
- Accessibility from anywhere
- Seamless scalability as your needs grow
Securing Data in the Cloud
As more and more sensitive data is migrated to the cloud, it is critical to encrypt or tokenize that data in case it is stolen. While public cloud services provide various native data security offerings, including key management system (KMS) and hardware security module (HSM), these are very limited in capability and are also cloud-specific, making them difficult to manage in a multi-cloud environment. Moreover, the Schrems II ruling in the EU Court of Justice calls into question whether, to be compliant with GDPR, your encryption keys should be entrusted to the same cloud providers that hold your data.
Besides, many companies regard their KMS and HSMs as their “crown jewels”, underpinning the security of their data across multiple environments, and are reluctant to move them out of their own data centers. They may have reasonable concerns about loss of control, limited customization, performance, availability, and security.
How can these concerns be addressed to enable companies to reap the benefits of SaaS for data security?
Data Security as-a-Service
These are the things you should look out for when selecting a SaaS data security solution:
- Broad range of capabilities (e.g., KMS, HSM, secrets management, tokenization)
- Ease of use, enabling a self-service model for IT and line-of-business teams
- Cloud-agnostic (i.e., ability to work with a wide range of IaaS, PaaS, and SaaS)
- Broad API support
- Hardware-based security, compliant with FIPS 140-2 Level 3
- No ability for the vendor (even a malicious sysadmin) to access customer keys/data
- Customization options
- High availability, with a defined SLA
- Seamless scalability, without manual intervention
- High throughput and low latency, wherever your workload resides
The problem is finding a solution that ticks all these boxes, which has been an impossible task – until now.
Fortanix DSM SaaS – Raising the Bar on Data Security as a Service
Capabilities and Ease of Use
Fortanix DSM SaaS is a unified data security solution, providing KMS, HSM, secrets management, and tokenization within a single product, managed through a single pane of glass. This provides significant TCO savings, as well as enabling a self-service model for each IT or line-of-business team to manage their own keys without being cryptography experts.
Fortanix DSM SaaS integrates directly with cloud native KMS and HSM tools, supporting BYOK, BYOKMS, and BYOE for public clouds and third-party SaaS applications, enabling you to manage all your encryption keys from a centralized point with appropriate controls, compliance policies, and audit logs.
Fortanix DSM SaaS supports industry standard cryptographic APIs such as KMIP, PKCS#11, JCE, and CAPI/CNG, as well as providing comprehensive and powerful REST APIs for DevOps and automation, and also bespoke integrations with numerous third-party applications.
Security and Control
Fortanix DSM SaaS is built using our own FIPS 140-2 Level 3 compliant hardware appliances, trusted by banks and Fortune Global 500 enterprises worldwide, and managed in accordance with SOC 2 Type 2 and PCI-DSS. Customer keys and data never leave the selected region (USA, EU, UK, APAC, Australia). We also utilize the latest confidential computing technology to secure customer keys and data, not only at rest and in motion, but also in use – so that attackers (including even malicious admins) are unable to access anything sensitive. Neither Fortanix nor any cloud provider has any access to customer keys or data, even if subpoenaed.
Fortanix DSM SaaS allows you to define your own compliance policies, such as Cryptographic Policies, Quorum Approval Policies, and Key Policies. You can also integrate it with your own enterprise tools, such as SSO, AD, and SIEM. Furthermore, you can write your own “plugin” scripts to implement bespoke integrations, business logic, etc. (or use our library of pre-written plugins) – all running within secure enclaves and inside the FIPS security boundary.
Fortanix DSM SaaS uses an active-active clustering architecture spanning multiple data centers to ensure high availability (with a defined SLA) and provide DR capabilities. Software updates are performed without downtime.
Fortanix DSM SaaS provides seamless scalability. Customers can consume additional keys and bandwidth as required, without worrying about hardware-defined boundaries or limits.
Fortanix DSM SaaS offers high cryptographic throughput, and latency is minimized by having worldwide points of presence and high-speed connectivity into major cloud service providers. For the most performance- or latency-critical applications, the Fortanix DSM Accelerator client can be deployed locally to your workload.