Distributed computer systems provide increasingly effective ways of providing numerous types of services. As the complexity and ubiquity of distributed computer systems increases, however, maintaining data security becomes more challenging. There is a constant struggle to address security vulnerabilities at least as fast as they discovered. This struggle is exacerbated by the speed at which computer systems and their use evolve and the rate at which the stakes increase. At the same time, in many contexts, the security of data is of great importance. Many people, for example, trust companies with data that is intended to be kept private except in relatively few circumstances. Security breaches, consequently, can have harmful effects on an organization's operations, from a loss of trust and goodwill to an inability to do business due to a system malfunction caused by a security breach.
Over the years, many strategies have been developed to address the ever increasing threats to data security. Data encryption, for example, can provide an effective way of preventing unauthorized access to data. As a result, complex devices have been developed to securely store cryptographic information. While such devices often perform well for various purposes, integrating the devices into various infrastructure strategies can present many challenges. Further, such devices often require a significant investment, which can be an obstacle to many organizations.
Secure storage devices such as, e.g., hardware security modules (HSMs) provide a service to customers via a computing resource provider that remotely hosts various computing resources that are remotely managed and operated by the customers. A customer of the computing resource provider may utilize services of the computing resource to maintain a private network, such as a virtual local area network (VLAN) hosted by the computing resource provider. The VLAN may, for instance, be supported by infrastructure operated by the computing resource provider.
A secure connection, such as a virtual private network connection over an Internet protocol security (IPsec) tunnel, may connect the remotely hosted network to a network that is hosted on the premises of the customer. Traffic to and from the remotely hosted network may be managed by the computing resource provider so that, from the perspective of devices in the customer's on-premises network, communications with devices in the remotely hosted network occur as if the devices of the remotely hosted network are located in the customer's on-premise network. For example, communications to devices in the remotely-hosted network may be addressed by the customer devices to addresses in a space of network addresses managed by the customer (e.g., to network addresses in a subnet of a network managed by the customer). The computing resource provider may use various techniques, such as network address translation (NAT), to route network communications over its own network to their proper destinations.