Cavium has announced the immediate availability LiquidSecurity, its latest generation of Hardware Security Module (HSM). The product is targeted at enterprise and cloud data centre owners who need to secure multiple channels of communication.
The LiquidSecurity HSM family comes in two form factors, a PCIe adapter and a prebuilt appliance. Both are Federal Information Processing Standards (FIPS) 140-2 Level 2 and 3 certified and come with Cavium’s LiquidSecurity HSM Software. The top end version of each form factor is capable of supporting 32 HSM partitions each of which can support up to 1,000 users per partition.
According to the press release, there are six key features of the LiquidSecurity family:
- SSL handshake offloads for 32 domains – LiquidSecurity family has 32 FIPS 140-2 Level 3 Partitions. Each partition functions as an independent and fully secure HSM.
- Dual FIPS boundary – With the appliance version of the family a dual FIPS 140-2 boundary is also available that provides an added layer of security.
- Storage for up to 1M keys is supported with multiple appliances in a scalable manner.
- Tens of Thousands of 2048 bit RSA Ops/sec – LiquidSecurity HSM family provides market leading performance to meet the needs of multiple domains or virtual appliances. This performance is at least 10 times higher than any other solution on the HSM market today. This product family also supports 10 Gbps bulk encryption. In addition, multiple LiquidSecurity HSM modules can be pooled together to offer highest performance for mega data centers.
- Hardware support for 2048 bit RSA key pair generation –robust key generation within the FIPS boundary is a critical component of the overall security this product family provides.
- Scalability – For the most demanding applications up to 20 LiquidSecurity HSM appliances can be seamlessly connected through the native 10 Gigabit Ethernet ports.
Cavium claims cloud is driving the need for FIPS support
According to the Cavium press release, the move away from private data centres and into the cloud is driving the need for cloud owners to provide FIPS support. It highlights three different fields, eCommerce, Healthcare and Government that, in their own data centres, are already extensive users of FIPS level security. For them to move to the cloud they expect cloud service providers (CSP) to deliver that same level of security.
These are not the only markets where increased security, especially around cryptographic keys, is required. Enterprise customers who currently maintain their own keys are discovering that when they move to the cloud, they are experiencing problems protecting their data using private keys. A major part of the problem is the multi-tenancy nature of the cloud.
Cavium claim the: ‘LiquidSecurity HSM family is the first solution in the market that offers a no-compromise solution that effectively addresses the performance, cost, multi domain and comprehensive feature requirements of the Transaction Security market. It offers 10-30x higher performance and 10x greater storage when compared to existing solutions.’
According to a quote in the press release from Bob Wheeler, Principal Analyst at The Linley Group: “With government and enterprise applications moving to virtualized public and private clouds, the demand for secure, multi-domain, high performance/storage HSM solutions is increasing rapidly. Cavium’s LiquidSecurity HSM family meets these requirements by delivering an innovative and comprehensive security solution to the market.”
One of the new services that Cavium is claiming LiquidSecurity HSM can deliver in the cloud is Crypto as a Service (CaaS). With both A10 Networks and KEMP technologies both planning to integrate LiquidSecurity with their respective Application Delivery Controllers (ADC) it will be interesting to see who brings a LiquidSecurity based CaaS solution to market first.
LiquidSecurity launch partners
Cavium has a long history of working with a number of security and network partners. At launch it has lined up a number of these partners who have made announcements over their plans for LiquidSecurity.
A10 Networks has announced that they intend to integrate the LiquidSecurity HSM into their A10 Thunder ADC product line. This will give them a solution that not only accelerates application delivery but also adds encryption and key management as part of that solution. According to Raj Jalan, CTO of A10 Networks:
“As A10’s customers move their application infrastructure to the cloud, they require the same level of security available in their physical networks. They expect FIPS-certified SSL key management to help ensure that their SSL keys and certificates are not compromised. A10’s partnership with Cavium and our integration with LiquidSecurity provide our customers with a secure and cost-effective solution for SSL key management.”
F5 intend to integrate the Cavium LiquidSecurity HSM into the F5 SSL Everywhere reference architecture to provide FIPS 140-2 key and certificate protection especially for hybrid environments. According to Indrajit Roy, VP of Product Management F5 Networks:
“Integration between Cavium and F5 further enables customers to more effectively and seamlessly transition SSL workloads between physical, virtual, and cloud environments while maintaining the same levels of visibility, security, and control seen in the data center. We are excited to extend our joint efforts with Cavium to deliver SSL Everywhere in support of hybrid application delivery.”
KEMP technologies have announced that they, like A10 Networks, will deploy the LiquidSecurity HSM in their cloud-based ADC. This is to enable customers to expand their secure transaction capabilities across private, public and hybrid clouds. According to Peter Melerud, CMO of KEMP Technologies:
“Crypto As A Service is becoming important for KEMP as its VLM series of cloud ADCs get deployed in IaaS providers. Cavium’s LiquidSecurity HSM Family provides the much needed solution for this space. We are excited about the opportunity to work with Cavium to bring this integrated solution to the market.”
ExtraHop has announced that it intends to integrate LiquidSecurity HSM into the ExtraHop wire data analytics platform. According to Erik Giesa, SVP of Marketing and Business Development at ExtraHop:
“ExtraHop has long used Cavium’s key technology to deliver SSL decryption at up to 40 Gbps and 64,000 TPS across our line of physical appliances. With LiquidSecurity HSM, the possibility of delivering the same high-performance decryption across our line of virtual appliances to provide real-time wire data analysis across cloud and virtualized environments makes for a powerful combination.”
Conclusion
The Computer Security Resource Centre (CSRC) maintains a list of all companies offering FIPS 140-1 and FIPS 140-2 cryptographic modules and it’s a long one. Many of the companies on the list are using modules from other vendors as part of their products. The release of Cavium LiquidSecurity HSM as both a PCIe card and an appliance will soon see it on the list alongside their existing Nitrox product line.
With companies beginning to move more and more of their applications and data to cloud, there is an increasing need for CSPs to differentiate themselves. With the ability to support up to 32 HSM partitions and to link multiple appliances together to create a high performance clustered environment, Cavium should have little difficultly increasing its market penetration of the cloud market.
