====== Cloud Integration ======

**Audience:** Cloud architects, DevOps \\
**Focus:** HSM integration, secret management, multi-cloud

Integration of the PQ-enabled PKI with cloud HSMs and secret-management services.

----

===== Overview =====

<code>
flowchart TB
    subgraph ONPREM["🏢 ON-PREMISES"]
        CA[Server CA]
        HSM[HSM]
    end
    subgraph AZURE["☁️ AZURE"]
        AKV[Azure Key Vault]
        AHSM[Managed HSM]
    end
    subgraph AWS["☁️ AWS"]
        ACM[AWS Certificate Manager]
        KMS[AWS KMS]
        CHSM[CloudHSM]
    end
    subgraph MULTI["☁️ MULTI-CLOUD"]
        HV[HashiCorp Vault]
    end
    CA --> AKV & ACM & HV
    HSM -.->|Backup| AHSM & CHSM
    HV --> AZURE & AWS
    style HV fill:#e8f5e9
    style AKV fill:#e3f2fd
    style ACM fill:#fff3e0
</code>

----

===== Cloud provider comparison =====

^ Feature ^ Azure Key Vault ^ AWS KMS ^ HashiCorp Vault ^
| **FIPS 140-2 HSM** | Level 3 (Managed HSM) | Level 3 (CloudHSM) | Level 2 (Transit) |
| **PQ support** | ❌ Not yet | ❌ Not yet | ✓ Via plugin |
| **Certificate management** | ✓ Native | ✓ ACM | ✓ PKI Engine |
| **Multi-Cloud** | ❌ | ❌ | ✓ |
| **Cost** | Medium | High (CloudHSM) | Open Source + Enterprise |

----

===== Scenarios =====

^ Scenario ^ Cloud ^ HSM type ^
| [[.:azure-keyvault|Azure Key Vault]] | Azure | Managed HSM |
| [[.:aws-kms|AWS KMS + CloudHSM]] | AWS | CloudHSM |
| [[.:hashicorp-vault|HashiCorp Vault]] | Multi-Cloud | Transit SE |

----

===== Decision tree =====

<code>
flowchart TD
    A[Necessario HSM Cloud?] --> B{Cloud primario?}
    B -->|Azure| C[Azure Key Vault]
    B -->|AWS| D[AWS KMS/CloudHSM]
    B -->|Multi-Cloud| E[HashiCorp Vault]
    B -->|On-Prem + Cloud| F[Vault + Integrazione Cloud]
    C --> G{FIPS Livello 3?}
    G -->|Sì| H[Managed HSM]
    G -->|No| I[Key Vault Standard]
    D --> J{Budget?}
    J -->|Alto| K[CloudHSM]
    J -->|Medio| L[KMS]
    style E fill:#e8f5e9
    style H fill:#e3f2fd
    style K fill:#fff3e0
</code>

----

===== Hybrid strategy =====

**Recommendation:** Root CA on-premises + intermediate CA in the cloud for cloud workloads

^ Component ^ Location ^ Rationale ^
| Root CA | On-premises (HSM) | Maximum security |
| Intermediate (cloud) | Azure/AWS/Vault | Proximity to the workloads |
| End-entity | Cloud | Auto-provisioning |
| Backup | Multi-Cloud | Disaster recovery |

----

===== Related documentation =====

  * [[..:automatisierung:cert-manager-k8s|Kubernetes cert-manager]] – K8s integration
  * [[..:disaster-recovery:ca-backup-restore|CA backup]] – Cross-cloud backup
  * [[it:int:pqcrypt:administrator:konfiguration|Configuration]] – OpenSSL setup

----

<< [[..:start|← Scenarios for operators]] | [[.:azure-keyvault|→ Azure Key Vault]] >>

----

//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//

{{tag>cloud azure aws vault hsm operator}}