Destinatari: Architetti Cloud, DevOps
Focus: Integrazione HSM, gestione secret, Multi-Cloud
Integrazione della PKI abilitata PQ con HSM cloud e servizi di gestione secret.
| Caratteristica | Azure Key Vault | AWS KMS | HashiCorp Vault |
| —————- | —————– | ——— | —————– |
| HSM FIPS 140-2 | Livello 3 (Managed HSM) | Livello 3 (CloudHSM) | Livello 2 (Transit) |
| Supporto PQ | ❌ Non ancora | ❌ Non ancora | ✓ Tramite plugin |
| Gestione certificati | ✓ Nativo | ✓ ACM | ✓ PKI Engine |
| Multi-Cloud | ❌ | ❌ | ✓ |
| Costi | Medi | Alti (CloudHSM) | Open Source + Enterprise |
| Scenario | Cloud | Tipo HSM |
|---|---|---|
| Azure Key Vault | Azure | Managed HSM |
| AWS KMS + CloudHSM | AWS | CloudHSM |
| HashiCorp Vault | Multi-Cloud | Transit SE |
Raccomandazione: Root-CA on-premises + Intermediate cloud per workload cloud
| Componente | Posizione | Motivazione |
| ———— | ———– | ————- |
| Root-CA | On-Premises (HSM) | Massima sicurezza |
| Intermediate (Cloud) | Azure/AWS/Vault | Vicinanza ai workload |
| End-Entity | Cloud | Auto-Provisioning |
| Backup | Multi-Cloud | Disaster Recovery |
« ← Scenari per operatori | → Azure Key Vault »
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional