Will Both Azure Dedicated HSMs in High Availability Config be Zeroized in Case of Tamper Detection?

Joan Wu 1 Reputation point
2021-06-01T05:09:42.833+00:00

As mentioned in Azure Dedicated HSM FAQ, Dedicated HSM will be zeroized when there is a tamper event detected.

  1. What if the Dedicated HSMs are in High Availability config? Will both HSMs be zeroized?
  2. If so, how does dedicated HSM support business continuity?

https://learn.microsoft.com/EN-US/azure/dedicated-hsm/high-availability

----------------

Q: What happens if there is a security breach or hardware tampering event?
Dedicated HSM service uses Thales Luna 7 HSM appliances. These devices support physical and logical tamper detection. If there is ever a tamper event the HSMs are automatically zeroized.

----------------


1 answer

    JamesTran-MSFT 36,361 Reputation points Microsoft Employee
    2021-06-07T21:41:42.647+00:00

    @Joan Wu
    Thank you for your post and I apologize for the delayed response!

    Dedicated HSM will be zeroized when there is a tamper event detected. What if the Dedicated HSMs are in High Availability config? Will both HSMs be zeroized?

    • From my understanding, only the HSM where the tamper event was detected will be zeroized. This is because Microsoft deploys HSM devices in different datacenters within a region to ensure provisioning multiple devices does not lead to those devices sharing a single rack. For more info.

    The following diagram shows a highly available architecture. It uses multiple devices in a region and multiple devices paired in a separate region. From our documentation, each device shouldn't be sharing a single rack, therefore if there was a tamper event, only the affected HSM(s) will be zeroized.
    [Image: 103080-ha-diagram.jpg (high availability diagram)]

    What happens if there is a security breach or hardware tampering event?

    • A fan unit removal will cause a tamper event. In this case, when a component failure occurs, Microsoft will use the most appropriate process to address the component level issue in a way that causes minimal interruption and lowest risk to our customers' service availability. Any more serious failure of the device will result in that device being replaced by a new device from the free pool. The customer simply includes the new device in the existing HA pair for it to synchronize and return to full operational state. The failed device will have its data bearing devices removed and shredded on site at the data center. For more info.

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

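The continuity model the answer describes (a tamper event zeroizes only the affected device, the remaining HA members keep serving, and a replacement from the pool rejoins and synchronizes from the healthy peers) can be checked as a small planning script. The code below is an added illustration, not Microsoft's or Thales's code and not the Luna HA tooling; the member fields, state names and labels are constructed for the example. It also covers the edge case the answer implies but does not spell out: a replacement can only synchronize if at least one healthy peer is left, so losing every member of the group at once leaves nothing to sync from.

```python
"""Model how a tamper event on one member affects a Dedicated HSM HA group.

Constructed example (not Microsoft's or Thales's code). Member fields, state
names and device labels are assumptions for illustration; real Luna HA status
output has its own format and would need its own parser.
"""
from dataclasses import dataclass, replace as dc_replace
from typing import Dict, List

ONLINE = "online"        # constructed state: device holds keys and serves requests
ZEROIZED = "zeroized"    # constructed state: tamper detected, key material wiped
UNSYNCED = "unsynced"    # constructed state: new device with no peer to sync from


@dataclass(frozen=True)
class HsmMember:
    label: str        # hypothetical device label
    datacenter: str   # hypothetical datacenter identifier (devices should not share a rack)
    state: str


def apply_tamper_event(members: List[HsmMember], tampered_label: str) -> List[HsmMember]:
    """Tamper zeroizes only the affected device; the other members keep their keys."""
    return [dc_replace(m, state=ZEROIZED) if m.label == tampered_label else m
            for m in members]


def evaluate_ha_group(members: List[HsmMember], min_healthy: int = 2) -> Dict[str, object]:
    """Summarize whether the group still serves and whether redundancy is intact."""
    healthy = [m for m in members if m.state == ONLINE]
    datacenters = {m.datacenter for m in healthy}
    return {
        "healthy_count": len(healthy),
        # Service continues as long as one online member remains.
        "service_available": len(healthy) >= 1,
        # Redundancy requires enough healthy members spread over >1 datacenter.
        "redundancy_ok": len(healthy) >= min_healthy and len(datacenters) >= 2,
        # Devices that must be swapped for a pool device and re-added to the group.
        "needs_replacement": sorted(m.label for m in members if m.state != ONLINE),
    }


def join_replacement(members: List[HsmMember], failed_label: str,
                     new_label: str, datacenter: str) -> List[HsmMember]:
    """Swap the failed device for a pool device and let it join the group.

    The new device is only usable once it has synchronized key material from an
    online peer; with no healthy member left it joins as UNSYNCED, which is the
    case a separate backup/restore process would have to cover.
    """
    peers = [m for m in members if m.state == ONLINE and m.label != failed_label]
    remaining = [m for m in members if m.label != failed_label]
    return remaining + [HsmMember(new_label, datacenter, ONLINE if peers else UNSYNCED)]


# Constructed three-member group spread across datacenters.
GROUP = [
    HsmMember("hsm-a", "dc-1", ONLINE),
    HsmMember("hsm-b", "dc-2", ONLINE),
    HsmMember("hsm-c", "dc-3", ONLINE),
]


if __name__ == "__main__":
    degraded = apply_tamper_event(GROUP, "hsm-a")
    print("after tamper on hsm-a:", evaluate_ha_group(degraded))
    restored = join_replacement(degraded, "hsm-a", "hsm-d", "dc-1")
    print("after replacement joins:", evaluate_ha_group(restored))
```

Running it shows that one tamper event leaves two online members in two datacenters (service and redundancy both intact, with `hsm-a` flagged for replacement) and that the pool device restores the group to three online members; only wiping every member at once makes the replacement join unsynced.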