Cloud Integration

Target audience: Cloud Architects, DevOps
Focus: HSM integration, Secrets Management, Multi-Cloud

Integration of PQ-enabled PKI with cloud HSM and secrets management services.

Overview

flowchart TB subgraph ONPREM["ON-PREMISES"] CA[CA Server] HSM[HSM] end subgraph AZURE["AZURE"] AKV[Azure Key Vault] AHSM[Managed HSM] end subgraph AWS["AWS"] ACM[AWS Certificate Manager] KMS[AWS KMS] CHSM[CloudHSM] end subgraph MULTI["MULTI-CLOUD"] HV[HashiCorp Vault] end CA --> AKV & ACM & HV HSM -.->|Backup| AHSM & CHSM HV --> AZURE & AWS style HV fill:#e8f5e9 style AKV fill:#e3f2fd style ACM fill:#fff3e0

Cloud Provider Comparison

Feature	Azure Key Vault	AWS KMS	HashiCorp Vault
———	—————–	———	—————–
HSM FIPS 140-2	Level 3 (Managed HSM)	Level 3 (CloudHSM)	Level 2 (Transit)
PQ Support	Not yet	Not yet	Via plugins
Cert Management	Native	ACM	PKI Engine
Multi-Cloud	No	No	Yes
Cost	Medium	High (CloudHSM)	Open Source + Enterprise

Scenarios

Scenario	Cloud	HSM Type
Azure Key Vault	Azure	Managed HSM
AWS KMS + CloudHSM	AWS	CloudHSM
HashiCorp Vault	Multi-Cloud	Transit SE

Decision Tree

flowchart TD A[Cloud HSM needed?] --> B{Primary cloud?} B -->|Azure| C[Azure Key Vault] B -->|AWS| D[AWS KMS/CloudHSM] B -->|Multi-Cloud| E[HashiCorp Vault] B -->|On-Prem + Cloud| F[Vault + Cloud Integration] C --> G{FIPS Level 3?} G -->|Yes| H[Managed HSM] G -->|No| I[Standard Key Vault] D --> J{Budget?} J -->|High| K[CloudHSM] J -->|Medium| L[KMS] style E fill:#e8f5e9 style H fill:#e3f2fd style K fill:#fff3e0

Hybrid Strategy

Recommendation: On-premises Root CA + Cloud Intermediate for cloud workloads

Component	Location	Rationale
———–	———-	———–
Root CA	On-premises (HSM)	Highest security
Intermediate (Cloud)	Azure/AWS/Vault	Proximity to workloads
End Entity	Cloud	Auto-provisioning
Backup	Multi-Cloud	Disaster recovery

Inhaltsverzeichnis