Cloud integration
Target audience: cloud architects, DevOps
Focus: HSM integration, secrets management, multi-cloud
Integration of a PQ-capable PKI with cloud HSMs and secrets-management services.
Overview
```mermaid
flowchart TB
    subgraph ONPREM["ON-PREMISES"]
        CA[CA Server]
        HSM[HSM]
    end
    subgraph AZURE["AZURE"]
        AKV[Azure Key Vault]
        AHSM[Managed HSM]
    end
    subgraph AWS["AWS"]
        ACM[AWS Certificate Manager]
        KMS[AWS KMS]
        CHSM[CloudHSM]
    end
    subgraph MULTI["MULTI-CLOUD"]
        HV[HashiCorp Vault]
    end
    CA --> AKV & ACM & HV
    HSM -.->|Backup| AHSM & CHSM
    HV --> AZURE & AWS
    style HV fill:#e8f5e9
    style AKV fill:#e3f2fd
    style ACM fill:#fff3e0
```
Cloud provider comparison
| Feature | Azure Key Vault | AWS KMS | HashiCorp Vault |
|---|---|---|---|
| HSM FIPS 140-2 | Level 3 (Managed HSM) | Level 3 (CloudHSM) | Level 2 (Transit) |
| PQ support | Not yet | Not yet | Yes, via plugins |
| Certificate management | Yes, native | Yes, ACM | Yes, PKI engine |
| Multi-cloud | No | No | Yes |
| Cost | Medium | High (CloudHSM) | Open source + Enterprise |
Scenarios
| Scenario | Cloud | HSM type |
|---|---|---|
| Azure Key Vault | Azure | Managed HSM |
| AWS KMS + CloudHSM | AWS | CloudHSM |
| HashiCorp Vault | Multi-cloud | Transit SE |
Decision tree
```mermaid
flowchart TD
    A[Cloud HSM needed?] --> B{Primary cloud?}
    B -->|Azure| C[Azure Key Vault]
    B -->|AWS| D[AWS KMS/CloudHSM]
    B -->|Multi-cloud| E[HashiCorp Vault]
    B -->|On-prem + cloud| F[Vault + cloud integration]
    C --> G{FIPS Level 3?}
    G -->|Yes| H[Managed HSM]
    G -->|No| I[Standard Key Vault]
    D --> J{Budget?}
    J -->|High| K[CloudHSM]
    J -->|Medium| L[KMS]
    style E fill:#e8f5e9
    style H fill:#e3f2fd
    style K fill:#fff3e0
```
Hybrid strategy
Recommendation: on-premises root CA + cloud intermediate for cloud workloads
| Component | Location | Rationale |
|---|---|---|
| Root CA | On-premises (HSM) | Highest security |
| Intermediate (cloud) | Azure/AWS/Vault | Proximity to workloads |
| End-entity | Cloud | Auto-provisioning |
| Backup | Multi-cloud | Disaster recovery |
Related documentation
- Kubernetes cert-manager - K8s integration
- CA Backup - cross-cloud backup
- Configuration - OpenSSL setup
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional
Last modified: 30.01.2026 at 01:34