Inhaltsverzeichnis
Integrazione Cloud
Destinatari: Architetti Cloud, DevOps
Focus: Integrazione HSM, gestione secret, Multi-Cloud
Integrazione della PKI abilitata PQ con HSM cloud e servizi di gestione secret.
Panoramica
flowchart TB
subgraph ONPREM["🏢 ON-PREMISES"]
CA[Server CA]
HSM[HSM]
end
subgraph AZURE["☁️ AZURE"]
AKV[Azure Key Vault]
AHSM[Managed HSM]
end
subgraph AWS["☁️ AWS"]
ACM[AWS Certificate Manager]
KMS[AWS KMS]
CHSM[CloudHSM]
end
subgraph MULTI["☁️ MULTI-CLOUD"]
HV[HashiCorp Vault]
end
CA --> AKV & ACM & HV
HSM -.->|Backup| AHSM & CHSM
HV --> AZURE & AWS
style HV fill:#e8f5e9
style AKV fill:#e3f2fd
style ACM fill:#fff3e0
Confronto provider cloud
| Caratteristica | Azure Key Vault | AWS KMS | HashiCorp Vault |
| —————- | —————– | ——— | —————– |
| HSM FIPS 140-2 | Livello 3 (Managed HSM) | Livello 3 (CloudHSM) | Livello 2 (Transit) |
| Supporto PQ | ❌ Non ancora | ❌ Non ancora | ✓ Tramite plugin |
| Gestione certificati | ✓ Nativo | ✓ ACM | ✓ PKI Engine |
| Multi-Cloud | ❌ | ❌ | ✓ |
| Costi | Medi | Alti (CloudHSM) | Open Source + Enterprise |
Scenari
| Scenario | Cloud | Tipo HSM |
|---|---|---|
| Azure Key Vault | Azure | Managed HSM |
| AWS KMS + CloudHSM | AWS | CloudHSM |
| HashiCorp Vault | Multi-Cloud | Transit SE |
Albero decisionale
flowchart TD
A[Necessario HSM Cloud?] --> B{Cloud primario?}
B -->|Azure| C[Azure Key Vault]
B -->|AWS| D[AWS KMS/CloudHSM]
B -->|Multi-Cloud| E[HashiCorp Vault]
B -->|On-Prem + Cloud| F[Vault + Integrazione Cloud]
C --> G{FIPS Livello 3?}
G -->|Sì| H[Managed HSM]
G -->|No| I[Key Vault Standard]
D --> J{Budget?}
J -->|Alto| K[CloudHSM]
J -->|Medio| L[KMS]
style E fill:#e8f5e9
style H fill:#e3f2fd
style K fill:#fff3e0
Strategia ibrida
Raccomandazione: Root-CA on-premises + Intermediate cloud per workload cloud
| Componente | Posizione | Motivazione |
| ———— | ———– | ————- |
| Root-CA | On-Premises (HSM) | Massima sicurezza |
| Intermediate (Cloud) | Azure/AWS/Vault | Vicinanza ai workload |
| End-Entity | Cloud | Auto-Provisioning |
| Backup | Multi-Cloud | Disaster Recovery |
Documentazione correlata
- Kubernetes Cert-Manager – Integrazione K8s
- Backup CA – Backup Cross-Cloud
- Configurazione – Setup OpenSSL
« ← Scenari per operatori | → Azure Key Vault »
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional
Zuletzt geändert: il 30/01/2026 alle 01:26
