This page provides an overview of the Bare Metal Rack HSM solution.
Overview
Bare Metal Rack HSM is an infrastructure-as-a-service offering that lets you deploy racks of customer-owned hardware security modules (HSMs) next to your Google Cloud workloads. Your HSMs are deployed in PCI-compliant facilities to meet your security, compliance, and low-latency requirements.
To support moving your workloads to the cloud, Google hosts your HSMs, providing physical and network security, rack space, power, and network integration for a monthly fee.
Bare Metal Rack HSM lets you contract directly with Google for placement of your HSMs. HSMs are placed within specified colocation facilities and connect to Google Cloud.
The Bare Metal Rack HSM solution is supported in colocation facilities with active peering fabrics. These facilities meet and exceed Google's standards for data center security and provide low-latency, highly available service.
Comparison with Bare Metal HSM
Both Bare Metal Rack HSM and Bare Metal HSM let you host your own HSMs in Google Cloud facilities. The primary difference between the Bare Metal Rack HSM and Bare Metal HSM solutions is scale. The following table summarizes the key differences between these solutions:
Bare Metal HSM | Bare Metal Rack HSM |
---|---|
Google hosts your HSMs on a per-device basis. | Google hosts your HSMs on a per-rack basis. |
You have logical access to your HSMs but no physical access. | You have logical access to your HSMs and can schedule escorted physical access. |
Intended for small deployments of 10-15 HSMs | Intended for large rack-level deployments of 100 or more HSMs |
If you're not sure which of these solutions is right for your needs, reach out to your account representative.
Operational model
- Onboarding process
- Contract: Minimum of 12 months. Premium Support is required.
- Procurement and configuration: Your organization acquires, configures, and ships HSMs to Google.
- Rack and stack and connect: Google deploys your HSMs and configures the Partner Interconnect connection.
- Validation and handoff: Confirm the engineering solution and accessibility to the HSMs, test the solution, and sign off.
- Support model
- Google provides support for rack and stack, hosting, smart hands, compliance, and Partner Interconnect connection.
- Work with your HSM vendor for support for HSM software, licensing, tools, and troubleshooting.
- You have physical access to your racks as needed.
- Decommission process
- You file a request for decommissioning.
- You must erase all data and initialize all HSMs to factory default.
Compliance requirements
This offering is limited to HSMs that are FIPS 140-2 Level 3 certified or better, and is not a generalized hosting or colocation service. The Bare Metal Rack HSM solution is hosted in facilities that are fully compliant with PCI-DSS, PCI-3DS, and SOC 1, 2, and 3. Google will support your AOC for PCI-PIN, PCI-P2PE, and SOC compliance in all regions.
Separation of responsibilities
It's your responsibility to obtain and provision HSMs and ship them to the appropriate Google Cloud regions. The HSMs used are your choice, but they must comply with the HSM equipment requirements.
Google pre-configures the racks, top-of-rack switches, and connectivity. The switches are from different vendors for each pair of racks. For the Bare Metal Rack HSM solution, you have your own dedicated racks and switches. Google provides a racking service for your HSMs and works with you to validate the Partner Interconnect connection. Each rack has redundant power supplies.
Accessing Bare Metal Rack HSMs
You have logical management access to your HSMs and are responsible for their maintenance and management. You maintain full control of your HSMs.
Google doesn't have logical access to your HSMs, but provides and maintains the racks, switching, and connection. Google has no access to the data or keys on your HSMs.
Google provides a remote hands service. With notice, you can schedule an escorted visit to the facility. You are responsible for your own compliance and audit requirements.
At the end of your contract or the HSM's end of life, you submit a request to decommission the HSMs and erase all data or restore the HSMs to factory settings. After the HSMs are erased or reset and legal clearance is obtained, the HSMs will be shipped back to you or destroyed if they can't be shipped back.
HSM equipment requirements
This section details the physical requirements for HSMs and associated cables for hosting HSMs in a Google facility.
The number of HSMs that may fit in a rack depends on the number of ports available in the current model of the top-of-rack switch, the number of rack units taken up the HSM model, and the power draw of the HSMs.
Power
- Dual AC power supplies (16A max per power supply).
Power distribution
- 208V line to line (for United States based locations).
- Rack PDU providing C13 or C19 receptacles and outlets.
Power cables (to be provided by you)
- Rack PDU cable end should be C14 or C20 connector types.
- 2 x 6 feet or 2 meter (preferred length) power cables.
Network
- Network interface controller: Dual 1g copper NICs (if applicable).
Network cables (to be provided by you)
- 2 x 6 feet or 2 meter (preferred length) CAT-5e or better patch cables.
Physical dimensions
- Rack depth: 42 inches deep.
- Rack unit spacing: Standard EIA-310 19" rack mount with square hole mounts. You can occupy up to 4 rack units per HSM.
Security
- The HSMs must not be equipped with cameras or wireless networks such as Bluetooth.
- The HSM must be FIPS 140-2 Level 3 certified or better.
The HSM must be new equipment.
The HSM must be fully remotely manageable.
There are no requirements for weight or cooling.
Deployment overview
To qualify for a 99.99% uptime SLA, you must meet the following requirements:
- Deploy HSMs in a minimum of two Google Cloud regions.
- Deploy a minimum of four HSMs per region (at least two HSMs per rack in at least two racks).
You provide Google with the MAC address for each HSM network interface and its assigned IP address. This information helps Google verify server-to-top-of-rack cabling and aids troubleshooting during the deployment process.
Network requirements will be discussed in more detail with your account representative during the onboarding process.
Network topology
A pair of racks at a single location is covered by a 99.9% uptime SLA.
A full deployment across two locations provides a 99.99% uptime SLA.
Applications should be designed to take advantage of this redundancy model. An application should be able to fail over from zone 1 to zone 2 within a single location, from HSM to HSM or from rack to rack.
Enabling the Global Routing feature lets HSMs at either location reach Google Cloud resources in any region.
A single Partner Interconnect connection failure isn't an SLA violation.
The following high-level diagram shows the required connectivity to achieve a 99.99% SLA on the service.
- Each region deployment contains a minimum of two racks for your use, and one switch per rack.
- The top-of-rack switches are provided by Google and are from different vendors.
- Each top-of-rack switch has a 10G Partner Interconnect with redundant VLAN attachments for Partner Interconnect to redundant Cloud Routers.
- Each HSM should have a minimum of 2 1GE copper network interfaces with redundant connections to both top-of-rack switches. Both the management and data interfaces should have their own redundant connections to both top-of-rack switches.
- You provide the IP address allocations for the HSM networks.
- Top-of-rack switches advertise their locally attached subnets to the pair of Cloud Routers.
- You enable global dynamic routing in your virtual private cloud (VPC) to allow access to the HSMs from any Google Cloud region where you've deployed resources. Global dynamic routing is also required to qualify for 99.99% availability.
- BGP between the top-of-rack switches and the Cloud Routers in your project exchange reachability information to route between Google Cloud project resources and the HSMs.
Networking requirements
You must complete the following steps for each set of racks in a region to enable your HSMs to be hosted with Google:
Create a redundant pair of Cloud Routers per region using ASN16550. For detailed instructions, see Creating Cloud Routers.
Create two redundant pairs of VLAN attachments with Partner Interconnect per region using the Cloud Routers from the previous step. Create the attachments with the pre-activate option enabled. There should be a total of four attachments per region. If the attachments were created without the pre-activation option enabled, you can activate the connections manually.
For more information about Partner Interconnect and pre-activation options, see Partner Interconnect overview.
Enable global dynamic routing in the VPC network.
- To achieve 99.99% availability, use the steps in Establishing 99.99% Availability for Partner Interconnect.
Deployments in a single region have 99.9% availability until the second region is available. For this case, see Establishing 99.9% Availability for Partner Interconnect
Configure firewall rules as needed to allow traffic between your premises and project resources.
Contact Google
This product is only available for customers with specific business and technical requirements. This product is available in limited regions globally.
If you're interested in Bare Metal Rack HSM with Google, reach out to your account representative for additional assistance.