nShield as a Service

Subscription-based access to dedicated nShield Connect HSMs, enabling cloud-centric strategies while maintaining the strict security controls required for business-critical applications.

nShield as a Service

As enterprises increasingly adopt “cloud first” strategies, gone are the days of automatically hosting critical IT infrastructure on premises. While this business shift may result in improved scalability, flexibility and resilience, it also creates tension when cloud applications rely on hardware security modules (HSMs). Traditionally housed in on-premise data centers and managed by an on-site security team, HSMs help customers meet regulatory or certification requirements and are an important part of an organization’s critical infrastructure. Given the increasing demands on enterprise security teams, finding skilled security professionals to administer HSMs is an ongoing challenge.

nShield as a Service is a subscription-based solution for generating, accessing and protecting cryptographic key material, separately from sensitive data, using dedicated FIPS 140-2 Level 3 certified nShield Connect HSMs. The solution delivers the same features and functionality as on-premise HSMs combined with the benefits of a cloud service deployment. This allows customers to fulfill their cloud first objectives and leave the maintenance of these appliances to the experts at nCipher.

Because nShield as a Service benefits from the same unique Security World architecture as on-premise nShield deployments, customers can easily migrate their cryptographic operations from on-premise to the cloud or use a hybrid approach, mixing both cloud-based and on-premise nShield HSMs.

Align crypto security with cloud strategy

Customers are able to advance their cloud-centric strategies without sacrificing security. nShield as a Service delivers FIPS 140-2 Level 3 protection of the keys that underpin their business-critical applications and data.

Unparalleled flexibility and scalability

Business applications and developers can access secure cryptographic functionality from anywhere across the enterprise. Customers use the same Security World key management architecture as-a-service or on-premises, allowing them to easily and efficiently scale their HSM operations as required.

Secure code execution for cloud-based workloads

The unique CodeSafe secure execution capability gives customers on-demand access to expanded secure computing capacity. nShield as a Service allows customers to seamlessly migrate their secure code execution from an on-premise HSM to the cloud.

Deployment options

nShield as a Service is available as either a self-managed or fully-managed service.

nShield as a Service deployment options and features

Description Self-managed Fully-managed
Customer has access to dedicated nShield Connect hardware hosted in secure data centers
The nShield Remote Administration kit lets you securely connect to and interact with your cloud-based nShield HSM(s)
Maintenance & Support
  • Service monitoring
  • Pre-tested upgrades/patches applied during annual or emergency maintenance windows
  • 24/7 support
Full Management of installation
  • Security Officer role fulfilled by trusted nCipher /Entrust Datacard personnel
    • Security World creation
    • HSM enrollment
    • Signing ceremonies
  • Policy and process development
  • Under ISO 27001 compliant policies & procedures
  • All operational staff BS7858 cleared
  • Firmware upgrades, completed with customer consent

  • IPsec tunnel w/ pre-shared keys
  • Between customer Cloud IP space(s) and dedicated, managed nShield HSM environment
  • Transparent to client hosts
  • Takes entire path out of control scope

Certified hardware solutions

nShield as a Service is built with nShield Connect XC HSMs, which help our customers to demonstrate compliance while also giving them the assurance that their HSMs meet stringent industry standards.

nShield Features

nShield as a Service delivers the same features as on-premises nShield HSMs, including CodeSafe, Web Services Option Pack and Database Option Pack.

Security compliance:

  • FIPS 140-2 Level 3
  • Common Criteria Certification against EN 419 221-5 Cryptographic Module for Trust Services (expected Q4 2019)

Safety and environmental standards compliance:

  • UL, CE, FCC, RCM, Canada ICES
  • RoHS2, WEEE

High transaction rates

nShield as a Service features high elliptic curve cryptography (ECC) and RSA transaction rates. ECC, one of the most efficient cryptographic algorithms, is particularly favored where high speed and lower processing power are important.

RSA Signing Performance (tps) for NIST Recommended Key Lengths
2048 bit 8600 tps
4096 bit 2025 tps
ECC Prime Curve Signing Performance (tps) for NIST Recommended Key Lengths
256 bit Up to 14,400
Wide support for APIs, cryptographic algorithms and Operating Systems

Supported APIs

  • PKCS#11, OpenSSL, Java (JCE), Microsoft CAPI and CNG

Supported Cryptographic Algorithms

  • Asymmetric public key algorithms: RSA, Diffie-Hellman, ECMQV, DSA, KCDSA, ECDSA, ECDH, Edwards (X25519, Ed25519ph), Secp256k1,
  • Symmetric algorithms: AES, AES-GCM, ARIA, Camellia, CAST, RIPEMD160 HMAC, SEED, Triple DES
  • Hash/message digest: SHA-1, SHA-2 (224, 256, 384, 512 bit), HAS-160
  • Full Suite B implementation with fully licensed ECC including Brainpool and custom curves

nShield HSMs offers support for the majority of these cryptographic algorithms as part of the standard feature set. For organizations wishing to use ECC or South Korean algorithms, optional activation licenses are needed.

Operating Systems

  • Microsoft Windows 7 x64, 10 x64; Windows Server 2008 R2 x64, 2012 R2 x64, 2016 x64
  • Red Hat Enterprise Linux AS/ES 6 x64, 6 x86, 7 x64, 5 x64 (libc6.5) (partial support); SUSE Enterprise Linux 11 x64 SP2, 12 x64,
  • Oracle Enterprise Linux 6.8 x64 and 7.1 x64

Virtual environment support: Microsoft Windows Hyper-V Server 2012 R2, 2016, VMware ESXi 6.5, Citrix XenServer 6.5, Azure, AWS, Google Cloud Platform

Datasheet : nShield as a Service

nShield as a Service is a subscription-based solution for generating, accessing and protecting cryptographic key material, separately from sensitive data, using dedicated FIPS 140-2-certified nShield Connect HSMs. Download the datasheet to learn more.


Datasheet : nShield Connect

nShield Connect HSMs are certified, networked appliances that deliver cryptographic key services to applications distributed across servers and virtual machines.


White Paper : The nCipher Security World Architecture

The nCipher Security World architecture supports a specialized key management framework that spans the entire nShield family of general purpose hardware security modules (HSMs). Whether deploying high performance, shareable, network-attached HSM appliances, host-embedded HSM cards or USB-attached portable HSMs, the Security World architecture provides a unified administrator and user experience and guaranteed interoperability whether the customer deploys one or hundreds of devices.

Хотели бы работать у нас? Ознакомиться
Обратитесь к нашему специалисту Контакты