Hardware security modules are a desirable service feature of cloud-based systems and services. In some instances, despite a preference to restrict access to secure data, operation of the hardware security modules may require exposing limited access credentials to the service provider. For instance, access credentials for accessing the hardware security module may need to be provided to a service provider service (or a service operated by the service provider on behalf of some customer) that makes use of the secrets stored in the secure data store of the hardware security module. A user of the hardware security module may give limited access credentials to the service provider process, but, at least without physical access to the hardware security device, the user has no way to revoke those credentials, leaving the secrets stored by the secure storage susceptible to continued access. For example, if the service provider cuts the user's access, the service provider process will still have access to the hardware security module until the credentials expire (a disconnected user is unable to revoke the access credentials provided to the service provider).
Short-lived (e.g., extremely short-lived) credentials may be used, but they would need to be continually sent to the service provider by the user, and sending the credentials is both inconvenient and adds the risk of exposing the credentials in transit.
While embodiments are described herein by way of example for several embodiments and illustrative drawings, those skilled in the art will recognize that embodiments are not limited to the embodiments or drawings described. It should be understood that the drawings and detailed description thereto are not intended to limit embodiments to the particular form disclosed, but on the contrary, the intention is to cover all modifications, equivalents and alternatives falling within the spirit and scope as defined by the appended claims. The headings used herein are for organizational purposes only and are not meant to be used to limit the scope of the description or the claims. As used throughout this application, the word “may” is used in a permissive sense (i.e., meaning having the potential to), rather than the mandatory sense (i.e., meaning must). Similarly, the words “include,” “including,” and “includes” mean including, but not limited to.