Hosted Private HSM

This topic provides an overview of the Hosted Private HSM solution.

Overview

To support moving your workloads to the cloud, Google hosts customer-owned Hardware Security Modules (HSMs), providing physical and network security, rack space, power, and network integration for a monthly fee.

Hosted private HSMs enable you to contract directly with Google for placement of your HSMs. HSMs are placed within specified colocation facilities and connect to Google Cloud.

The Hosted Private HSM solution is supported in colocation facilities with active peering fabrics. These facilities meet and exceed Google's standards for data center security and provide low-latency, highly available service.

Compliance requirements

This offering is limited to FIPS 140-2 Level 3 (or better) certified HSMs, and is not a generalized hosting or colocation service. The Hosted Private HSM solution is PCI-DSS and SOC compliant in all locations.

Separation of responsibilities

It's your responsibility to obtain and provision HSMs and ship them to the appropriate facilities. The HSMs used are your choice, but they must comply with the HSM equipment requirements.

Google pre-configures the racks, top-of-rack (ToR) switches, and connectivity. ToR switches are from different vendors for each pair of racks. For the Hosted Private HSM solution, you have your own dedicated rack and ToR switch. Google provides a racking service for your HSMs and works with you to validate the interconnect. Redundant power supplies are provided for each rack.

Accessing hosted private HSMs

You have logical management access to your HSMs and are responsible for their maintenance and management. You maintain full control of your HSMs.

Google does not have logical access to your HSMs, but provides and maintains the racks, switching, and interconnect. Google has no access to your data or keys on your HSM.

Google provides a remote hands service. With notice, you can schedule an escorted visit to the facility. You are responsible for your own compliance and audit requirements.

At the end of your contract or the HSM's end of life, the HSM will be shipped back to you or destroyed if it cannot be shipped back.

HSM equipment requirements

This section details the physical requirements for HSMs and associated cables for hosting HSMs in a Google facility.

  • Power

    • Dual AC power supplies (16A max per power supply).
  • Power distribution

    • 208V line to line (for United States based locations).
    • Rack PDU providing C13 or C19 receptacles/outlets.
  • Power Cables (to be provided by you)

    • Rack PDU cable end should be C14 / C20 connector types.
    • 2 x 6 feet / 2 meter (preferred length) power cables.
  • Network

    • Network interface controller: Dual 1g copper NICs (if applicable).
  • Network Cables (to be provided by you)

    • 2 x 6 feet / 2 meter (preferred length) CAT-5e or better patch cables.
  • Physical Dimensions

    • Rack depth: 42 inches deep.
    • Rack unit spacing: Standard EIA-310 19" rack mount with square hole mounts. You can occupy up to 4 rack units per HSM.
  • Security

    • The HSMs cannot be equipped with cameras or wireless networks such as Bluetooth.
    • The HSM must be FIPS 140-2 Level 3 (or better) certified.
  • The HSM must be new equipment.

  • The HSM must be fully remotely manageable.

There are no requirements for weight or cooling.

Deployment overview

For hosted HSMs to meet the requirements for a 99.99% SLA, you must:

  • Deploy HSMs in a minimum of two Google Cloud regions.
  • Deploy a minimum of four HSMs per region (two HSMs minimum in two racks minimum).

You provide Google with the MAC address for each HSM network interface and its assigned IP address. This information helps Google verify server-to-top-of-rack cabling and aids troubleshooting during the deployment process.

Network requirements will be discussed in more detail with your account represantative during the onboarding process.

Network topology

This high level diagram shows one rack using dual-region topology with 99.99% availability:

Network topology for hosted private HSMs

  • Each region deployment contains a minimum of two racks for your use, and one ToR per rack.
  • The ToR is provided by Google and has two different vendors.
  • Each ToR has a 10G Partner Interconnect with redundant VLAN attachments for Partner Interconnect to redundant Cloud Routers.
  • Each HSM has a pair of 1GE copper network interfaces. Interface1 connects to ToR1, and interface2 will connect to ToR2, on different subnets.
  • You provide the HSM subnet addressing for each ToR.
  • ToRs advertise their attached HSM inside the network to the pair of Cloud Routers.
  • You enable global dynamic routing in your Virtual Private Cloud (VPC) to allow access to the HSMs from Google Cloud resources in both regions where they deploy. Global dynamic routing is also required to meet the requirements for 99.99% availability.
  • BGP between the ToRs and Cloud Routers in your project provide reachability information to route between Google Cloud project resources and the HSMs.

Networking requirements

The following steps are completed by you to enable your HSMs to be hosted with Google. For each set of racks in a region:

  1. Create a redundant pair of Cloud Routers per region using ASN16550. See Creating Cloud Routers for more information.

  2. Create two redundant pairs of VLAN attachments with Partner Interconnect per region using the Cloud Routers from the previous step. Create the attachments with the pre-activate option enabled. There should be a total of four attachments per region. If the attachments were created without the pre- activation option enabled, you can activate the connections manually.

    For more information on Partner Interconnect and pre-activation options, see Partner Interconnect overview.

  3. Enable global dynamic routing in the VPC.

  4. Configure firewall rules as needed to allow traffic between your premises and project resources.

Contact Google

If you're interested in hosting your HSMs with Google, reach out to your account representative for additional assistance.