Introducing Single-tenant Cloud HSM to support more data encryption control

February 2, 2026
Amit Bapat

Product Manager, Google Cloud Security

Jai Rad

Engineering Manager, Google Cloud Security

Organizations that handle sensitive data in highly-regulated sectors often face a difficult choice: Build and manage physical hardware to meet strict compliance needs, or use cloud services that might not offer the specific level of isolation they require. 

These organizations, often in financial services, defense, healthcare, insurance, and government, require a key management service to provide cryptographic assurances that no one else — including their cloud provider — can access their keys. The key management service also needs to be highly available and scalable to ensure that protected sensitive data is accessible by business critical applications without disruption.

To help meet these rigorous standards without taking on the burden of physical hardware management, we are introducing Single-tenant Cloud HSM, a new service that provides a dedicated, highly-available cluster of hardware security module (HSM) partitions where you retain full control over your cryptographic keys.

Single-tenant Cloud HSM is generally available today in the U.S. and the European Union with competitive pricing. We plan on adding more regions and capabilities throughout the year.

Control your keys with hardware-enforced isolation

Single-tenant Cloud HSM is designed for workloads that require FIPS 140-2 Level 3 validation, isolation from other users, and greater security controls on the HSM. Unlike multi-tenant solutions, this service ensures you are the sole tenant on a partition of a physical HSM. The hardware itself enforces cryptographic isolation, meaning your keys are separated from other customers and from Google operators.

To ensure you maintain control over your data, the service includes several critical security features:

  • Full ownership: You control the root key and root key access for your partition.

  • Quorum-based administration: Sensitive operations are rooted in hardware and require quorum approval, preventing any single individual from making unauthorized changes.

  • Revocation: You have the ability to revoke Google’s access at any time. This action will result in all the keys in the instance becoming unavailable and the data encrypted with those keys inaccessible.

Reduce operational overhead without sacrificing security

Managing physical HSMs usually involves significant work, from procurement to maintenance. With Single-tenant Cloud HSM, Google manages the provisioning, configuration, monitoring and compliance of the hardware. This allows you to focus on security policies rather than hardware maintenance. The service is also designed for high availability and redundancy, allowing you to provision in minutes and scale as your workloads grow.

How does Single-tenant Cloud HSM work?

To understand the level of control you have, it helps to look at the authentication flow. You own and manage your Administrative user credentials directly. You can generate these key pairs on a hardware token like a YubiKey or with another key management system of your choice.

To prevent unauthorized access, you must set up multiple users and configure your instance to require a quorum (M of N). This ensures that a specific number of authorized users must agree to grant or revoke permissions.

Figure 1: Single-tenant Cloud HSM high-level architecture. (Image: https://storage.googleapis.com/gweb-cloudblog-publish/images/1_Single-tenant_Cloud_HSM_high-level_archi.max-1100x1100.png)

With this setup, your administrators can:

  • Authorize Google to perform cryptographic operations on your Single-tenant Cloud HSM Instance.

  • Revoke Google's authorization at any time.

Figure 2: Single-tenant Cloud HSM: Revoking Google’s access. (Image: https://storage.googleapis.com/gweb-cloudblog-publish/images/2_Single-tenant_Cloud_HSM_Revoking_Googles.max-1100x1100.png)
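As an added illustration (not Google's code or the service's API), the following Go model captures the control flow described above: administrator key pairs held by the customer, an M-of-N quorum over a grant or revoke decision, and revocation leaving every key in the instance unavailable until a new quorum grants authorization again. The Ed25519 keys, the challenge format and the sequence counter are assumptions of this model, not details of the product.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Instance models one Single-tenant Cloud HSM instance as the post describes it: N registered
// administrator public keys, an M-of-N quorum, and whether Google is currently authorized.
type Instance struct {
	Admins   []ed25519.PublicKey
	Quorum   int
	seq      uint64 // incremented on every applied change so old approvals cannot be replayed
	googleOK bool
}

// GenAdmins creates N admin key pairs; in practice these live on hardware tokens such as YubiKeys.
func GenAdmins(n int) ([]ed25519.PublicKey, []ed25519.PrivateKey) {
	pubs, privs := make([]ed25519.PublicKey, n), make([]ed25519.PrivateKey, n)
	for i := range pubs {
		pubs[i], privs[i], _ = ed25519.GenerateKey(rand.Reader)
	}
	return pubs, privs
}

// Challenge is the exact message each approving admin signs; binding seq defeats replay.
func (in *Instance) Challenge(grant bool) []byte {
	return []byte(fmt.Sprintf("google-authz:grant=%t:seq=%d", grant, in.seq))
}

// SetGoogleAuthorization applies a grant or revoke only when at least Quorum distinct registered
// admins (keyed by index) signed the current challenge; unknown signers and bad signatures do not count.
func (in *Instance) SetGoogleAuthorization(grant bool, approvals map[int][]byte) error {
	msg, valid := in.Challenge(grant), 0
	for idx, sig := range approvals {
		if idx >= 0 && idx < len(in.Admins) && ed25519.Verify(in.Admins[idx], msg, sig) {
			valid++
		}
	}
	if valid < in.Quorum {
		return errors.New("quorum not met")
	}
	in.googleOK, in.seq = grant, in.seq+1
	return nil
}

// KeysAvailable reports whether Google may currently use keys in this instance; after a revoke
// every key stays unavailable until a new quorum grants authorization again.
func (in *Instance) KeysAvailable() bool { return in.googleOK }
```

Because each admin signs a challenge bound to the instance's sequence number, a set of approvals collected for one decision cannot be replayed for a later one, and a signature over a grant cannot be repurposed as a revoke.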

In summary:

  • Each Single-tenant Cloud HSM instance is a dedicated and cryptographically isolated cluster of HSM partitions for your exclusive use.

  • Each Single-tenant instance provides the same redundancy and high availability as multi-tenant Cloud HSM.

  • You can revoke Google’s authorization to an instance, which makes all keys in that instance unavailable; they become usable again only after you grant the authorization again.

Features and benefits

Meeting compliance and security standards: Single-tenant Cloud HSM is built for customers who want to run cloud workloads that meet stringent security and regulatory standards. Single-tenant Cloud HSM uses FIPS 140-2 Level 3 validated Marvell LiquidSecurity HSMs (models CNL3560-NFBE-2.0-G and CNL3560-NFBE-3.0-G) with firmware version 3.4 build 10.

The Single-tenant Cloud HSM service has obtained compliance with numerous regulations and certifications including FedRAMP, DISA IL5, ITAR, SOC 1/SOC 2/SOC 3, HIPAA and PCI DSS. These standards and certifications help customers in highly-regulated market segments meet their regulatory and compliance needs for key management and data protection.

Set up your instance in minutes: You can set up a Single-tenant Cloud HSM instance quickly using standard gcloud commands for all administrative operations. Once you have established the necessary quorum for administrative access, you can provision a complete cluster in approximately 15 minutes.

Scale automatically with high availability: Single-tenant Cloud HSM instances span multiple zones to ensure reliability, matching the availability standards of Cloud HSM. The service also scales automatically to handle your peak traffic loads, ensuring consistent performance without manual intervention.

Integrated with the tools you already use: You can use Single-tenant Cloud HSM with your existing workflows immediately. It works with existing Cloud Key Management System (KMS) APIs, allowing you to use Customer-Managed Encryption Keys (CMEK) to protect data across Google Cloud services. It also integrates with Cloud Logging and Cloud Monitoring, giving you analytics, alerts, and visibility into your key usage.

Get started

Please check out our documentation to learn how you can begin provisioning your dedicated cluster from the Google Cloud console today, and learn more about how Cloud HSM can help you meet security and regulatory compliance goals.