George Wainblat

George Wainblat

George Wainblat joined Unbound in June 2017 as Director of Product Management. George brings a wealth of experience in leading multi-disciplinary product, engineering and business units at global hi-tech companies as well as startups.

Unbound Key Control is now available on Azure Marketplace

Introduction

Unbound UKC is the first software-only key management and key protection system that delivers hardware level security guarantees. Unlike traditional software approaches that rely on obfuscation algorithms, whitebox cryptography, or security-by-obscurity techniques, Unbound UKC draws its strength from the Unbound vHSM (Virtual Hardware Security Module) technology, which is backed by a rigorous security proof made possible by mathematically proven multiparty computation (MPC) algorithms. Unbound UKC combines the high-level security once only attainable with hardware, with software’s innate agility, scalability and efficiency crucial for today’s digital businesses.

Unbound UKC– The first Cloud vHSM and Key Management on Azure Marketplace

Today we are excited to announce the launch of Unbound Key Control (UKC) on the Microsoft Azure™ Marketplace.

With Unbound UKC, organizations can control their own keys in the cloud, and eliminate the risk of cryptographic keys exposure, protecting their customers and stakeholders from a wide range of cyber security risks. Unbound’s UKC is open for use for any cloud and on-premise application. Leading fortune 500 organizations are already using Unbound UKC to protect keys in cloud and hybrid deployments, on AWS, Azure and other cloud service providers.

Now, customers can purchase Unbound UKC directly from the Marketplace to manage and control keys in both the Azure Cloud Service and custom applications and their associated APIs, providing a complete solution for the largest pain points of using hardware security modules (HSM) and key management systems to protect keys in the cloud.

Unbound UKC is the first offering of its kind in Azure, allowing the customers to securely create and manage their keys in a pure software solution, that provides hardware-grade security with full control of the encryption keys.

Features and Benefits

  • Mathematically proven security guarantee – the key material never exists in the clear throughout its lifecycle including creation, in-use and at-rest
  • Multi-site, Hybrid IT support: Control and manage keys anywhere – on-premises, in the cloud – any cloud service provider
  • Fully elastic and scalable enterprise key management
  • Full deployment, provisioning and management automation
  • Support all industry standard HSM and Key Management APIs as well as all standard crypto algorithms
  • REST APIs for crypto and management for superb developer experience

Use Cases

Unbound UKC supports any General Purpose HSM and KMIP use cases including:

  • Database Encryption
  • Application Level Encryption
  • Code Signing
  • Blockchain Key Management
  • Public Key Infrastructure
  • Authentication
  • Document Signing
  • SSL/TLS
  • Cloud Application Security Broker (CASB)

Azure Services Integrations

In addition to seamless integration with every general purpose HSM/KM use cases using standard APIs, Unbound UKC provides the following integrations with Azure native services:

  • Encryption in Transit – secure data when you transfer it into or out of Azure Storage in order to prevent a wide range of man-in-the-middle attacks. UKC support integration with HTTPS for transit encryption.
  • Encryption at Rest – there is a need to protect data stored in databases from threats such as access by rogue admin or malware exfiltration.
    UKC support integration with TDE for SQL Server on Azure VM (IaaS).
  • Client-side Encryption – enables to encrypt the data before it is transferred into Azure Storage in a client application, and to decrypt the data after it is transferred out of storage, in order to protect the data during the entire transfer, from on-premise to the cloud.

Unbound is currently working on additional integrations with Azure native services.

Deployment Scenarios

Based on Unbound’s vHSM technology, the first to truly abstract key management, Unbound UKC is now available in Azure marketplace in pay as you go model, deployed on a standard Azure virtual machine. You have the flexibility to choose the location of the nodes for the UKC cluster (in one or more of Azure regions) and to rapidly create an Azure deployment that meets your unique requirements.

Unbound UKC can be deployed in two different topologies, described in detail below:

  • Both nodes deployed on Azure
  • One node deployed on premise, one node deployed on Azure

Control Your Own Keys (CYOK) – Azure Cloud

  • Deployment – In this CYOK option, both UKC nodes are deployed in Azure
  • Key Material – is never present in the cloud in any form. All crypto operations including key generation and key usage are performed without ever reconstructing the full key, not even in the memory
  • High Availability (HA) – UKC fully supports by the addition of pairs for redundancy. HA is supported in any Azure region and availability zone across the globe. Keys are automatically
  •  synchronized between all nodes of the UKC cluster regardless of its location around the globe
  • Backup and Restore – delivered by UKC in a simple process that can be fully automated. The backup and restore process is fully control by the customer, without any involvement of the cloud service provider
  • Auditing – while this setup allows usage of keys by cloud applications but allows you full auditing and control, thus ensuring key material is never in the clear either in the cloud or on-premises
  • Smooth and Protected – This deployment option provides the customer both ease in deployment and installation, as both nodes are on Azure cloud, and mathematically proven guarantee that the key material is never exposed in the cloud, providing peace of mind

CYOK Hybrid

This deployment option, designated for the most sensitive use cases, includes all the benefits of CYOK topology. On top of it, the keys are fully resilient and cannot be compromised by any adversary on the cloud – not even by a rogue insider / admin or a subpoena.

It provides unmatched levels of control for cryptographic keys in the cloud, in an easy to deploy and maintain solution without any hardware dependencies.

Licensing

Unbound UKC licensing is usage based (according to hourly fee), the customer is billed based on the extent of the marketplace offering use, and only pay for the compute resources you use on Azure.

If you’re new to Unbound UKC, you can try it on Azure Marketplace for 30 days as a free software trial, only paying for Azure compute resources.

Availability

Unbound UKC is available now on the Microsoft Azure Marketplace. Interested customers can begin the journey to protect their keys today.

You can find more detailed guidance on deploying Unbound UKC in Azure in this Solution Brief.

To learn more about running Unbound UKC on Azure, visit Microsoft’s Azure™ Marketplace.

Subscribe to BLOG