Overview
Fortanix-Data-Security-Manager (DSM) is an integrated HSM/KMS solution that provides the flexibility to support multiple deployment options to best meet customer's needs for security, latency, and operational simplicity. Regardless of how the solution is deployed, the functionality and integration capabilities remain the same, and all keys can be managed from a single pane of glass.
On-prem
Fortanix DSM can be deployed on-prem using our FIPS 140-2 Level 3 compliant FX2200 physical hardware appliance. To provide customer with maximum operational flexibility (for example, full range of algorithms and key lengths) and access to the latest feature releases and security patches, the appliances should be configured to operate in non-FIPS mode. The on-prem option offers the best security while giving customers complete control over the solution (for example: scaling, backups, software updates, and so on).
Public/Private Cloud
Fortanix DSM can be deployed in VMware or public cloud using our FIPS 140-2 Level 1 compliant virtual appliance. This provides the same control over the solution as on-prem, but without having to host physical hardware within data centers. When deployed in an SGX-compatible environment (for example: Azure Confidential Computing VMs), the security is arguably similar to FIPS 140-2 Level 2 or 3.
SaaS
Fortanix DSM SaaS is a cluster of FIPS 140-2 Level 3 compliant FX2200 physical hardware appliances hosted in Equinix data centers and managed by Fortanix. Its a globally deployed service. Refer to this article to see all its global locations. To provide our customers with maximum operational flexibility and frequent feature releases, the appliances always run the latest DSM software version (which may not be FIPSvalidated) and are configured to operate in non-FIPS mode. With DSM SaaS, you can be up-and-running within minutes, without the hassle of managing your own cluster of appliances.
Single-Tier Hybrid
A mixed cluster of virtual appliances across multiple clouds and/or physical appliances is possible, provided they are all operating in an Intel SGX environment or all operating in a non-SGX environment. This may be useful for minimizing latency across multiple environments and regions.
Dual-Tier Hybrid
With any of the options above, a subset of the keys may be stored externally in a separate DSM cluster, DSM SaaS Account, or third-party HSM, while retaining the ability to manage all keys from a single pane of glass. This is typically used in the following scenarios:
A public/private cloud (FIPS 140-2 Level 1) deployment is preferred, but some keys must be generated/stored/processed in a FIPS 140-2 Level 2 or Level 3 environment (for example, using Fortanix FX2200 hardware appliances or DSM SaaS), or
Any deployment where some keys must be generated/stored/processed in a FIPS 140-2 Level 3 environment operating in strict "FIPS mode" (i.e. a FIPS-validated version of the DSM software restricted to using NIST-approved algorithms and key lengths) – this can be achieved using on-prem Fortanix FX2200 hardware appliances with the appropriate software versions and configured to operate in FIPS mode.