Cloud Integration

Zielgruppe: Cloud-Architekten, DevOps
Fokus: HSM-Integration, Secrets Management, Multi-Cloud

Integration der PQ-fähigen PKI mit Cloud-HSM und Secrets-Management-Diensten.

Übersicht

flowchart TB subgraph ONPREM["🏢 ON-PREMISES"] CA[CA-Server] HSM[HSM] end subgraph AZURE["☁️ AZURE"] AKV[Azure Key Vault] AHSM[Managed HSM] end subgraph AWS["☁️ AWS"] ACM[AWS Certificate Manager] KMS[AWS KMS] CHSM[CloudHSM] end subgraph MULTI["☁️ MULTI-CLOUD"] HV[HashiCorp Vault] end CA --> AKV & ACM & HV HSM -.->|Backup| AHSM & CHSM HV --> AZURE & AWS style HV fill:#e8f5e9 style AKV fill:#e3f2fd style ACM fill:#fff3e0

Cloud-Provider Vergleich

Feature	Azure Key Vault	AWS KMS	HashiCorp Vault
———	—————–	———	—————–
HSM FIPS 140-2	Level 3 (Managed HSM)	Level 3 (CloudHSM)	Level 2 (Transit)
PQ-Support	❌ Noch nicht	❌ Noch nicht	✓ Via Plugins
Cert Management	✓ Native	✓ ACM	✓ PKI Engine
Multi-Cloud	❌	❌	✓
Kosten	Mittel	Hoch (CloudHSM)	Open Source + Enterprise

Szenarien

Szenario	Cloud	HSM-Typ
Azure Key Vault	Azure	Managed HSM
AWS KMS + CloudHSM	AWS	CloudHSM
HashiCorp Vault	Multi-Cloud	Transit SE

Entscheidungsbaum

flowchart TD A[Cloud-HSM benötigt?] --> B{Primäre Cloud?} B -->|Azure| C[Azure Key Vault] B -->|AWS| D[AWS KMS/CloudHSM] B -->|Multi-Cloud| E[HashiCorp Vault] B -->|On-Prem + Cloud| F[Vault + Cloud-Integration] C --> G{FIPS Level 3?} G -->|Ja| H[Managed HSM] G -->|Nein| I[Standard Key Vault] D --> J{Budget?} J -->|Hoch| K[CloudHSM] J -->|Mittel| L[KMS] style E fill:#e8f5e9 style H fill:#e3f2fd style K fill:#fff3e0

Hybrid-Strategie

Empfehlung: On-Premises Root-CA + Cloud Intermediate für Cloud-Workloads

Komponente	Location	Begründung
————	———-	————
Root-CA	On-Premises (HSM)	Höchste Sicherheit
Intermediate (Cloud)	Azure/AWS/Vault	Nähe zu Workloads
End-Entity	Cloud	Auto-Provisioning
Backup	Multi-Cloud	Disaster Recovery

Inhaltsverzeichnis