We are not giving up, and we are looking at other options. One of them is an AMI that you could instantiate and run with user privileges (i.e. without access to the internal implementation). We have a complete simulator of the secure hardware; it doesn’t provide the level of security we would like, but it provides:
- identical API for applications – a one-call API that is quite easy to integrate with applications;
- ideal test environment for new applications and trying the system.
Another option is to run an SaaS for user registration and key management inventory. That is another great feature of our system. One can manage keys easily with a general-purpose inventory system.
The last option is to run a metering system on AWS – it would be a visualisation of usage data from CloudHSMs. CloudHSM raw logs are signed by secure hardware, so it is possible to cryptographically verify the origin of the data. We initially thought about it as a billing tool, but it turns out that it may be interesting as an independent, externally verifiable metering system.
The world of AWS is quite interesting anyway: somewhat rigid in certain aspects while very flexible generally. It appears there are only a few companies on the British islands that can provide a direct link to AWS – one of the two available options for connecting reliably to external servers (a VPN connection is the other option).