惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

TaoSecurity Blog
TaoSecurity Blog
博客园 - 司徒正美
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
博客园 - 【当耐特】
M
MIT News - Artificial intelligence
罗磊的独立博客
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Stack Overflow Blog
Stack Overflow Blog
The GitHub Blog
The GitHub Blog
Google DeepMind News
Google DeepMind News
Security Archives - TechRepublic
Security Archives - TechRepublic
宝玉的分享
宝玉的分享
N
News and Events Feed by Topic
The Hacker News
The Hacker News
Google DeepMind News
Google DeepMind News
C
CERT Recently Published Vulnerability Notes
F
Full Disclosure
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
S
Security @ Cisco Blogs
H
Hacker News: Front Page
L
LangChain Blog
Microsoft Security Blog
Microsoft Security Blog
Y
Y Combinator Blog
B
Blog RSS Feed
H
Heimdal Security Blog
Google Online Security Blog
Google Online Security Blog
Apple Machine Learning Research
Apple Machine Learning Research
博客园 - 三生石上(FineUI控件)
V2EX - 技术
V2EX - 技术
V
Vulnerabilities – Threatpost
Help Net Security
Help Net Security
Hacker News - Newest:
Hacker News - Newest: "LLM"
T
Tailwind CSS Blog
W
WeLiveSecurity
T
Tenable Blog
D
DataBreaches.Net
Martin Fowler
Martin Fowler
Cyberwarzone
Cyberwarzone
Cisco Talos Blog
Cisco Talos Blog
S
Secure Thoughts
O
OpenAI News
L
LINUX DO - 热门话题
Vercel News
Vercel News
阮一峰的网络日志
阮一峰的网络日志
Jina AI
Jina AI
J
Java Code Geeks
Know Your Adversary
Know Your Adversary
IT之家
IT之家
Latest news
Latest news
Cloudbric
Cloudbric

Security & Identity

Cloud CISO Perspectives: How AI leverages deep context as the defender’s advantage | Google Cloud Blog Introducing k8s-aibom on GKE for automated AI bills of materials | Google Cloud Blog Contributing to U.K. financial sector resilience as a critical third party | Google Cloud Blog Meet the 33 cybersecurity startups joining the Gemini Startup Forum | Google Cloud Blog Drive proactive security, prioritize risks with Google Threat Intelligence and Wiz ASM | Google Cloud Blog Shift into high gear with agents: Securing the software-defined vehicle | Google Cloud Blog New IDC study: How Mandiant transforms security into a competitive advantage | Google Cloud Blog Google Cloud confirmed to offer a safer choice for EU public sector organizations with Dutch DPIA approval | Google Cloud Blog Cloud CISO Perspectives: How Google Cloud Security uses AI internally | Google Cloud Blog Securing agentic AI: What's new in VPC Service Controls | Google Cloud Blog Verifiable trust in the AI era: What’s new in Confidential Computing | Google Cloud Blog Choice, compliance, and collaboration: Europe’s path to open digital sovereignty | Google Cloud Blog Driving the UK’s next chapter: From AI potential to agentic reality | Google Cloud Blog Google named a Leader in IDC MarketScape SIEM 2026 Vendor Assessment | Google Cloud Blog Cloud CISO Perspectives: The 4 lessons that guided AI Threat Defense | Google Cloud Blog Powering the next era of Confidential AI Detecting and containing AI-powered threats with Google Security Operations agents Cloud CISO Perspectives: How to build an AI-ready security program for the public sector Introducing Google AI Threat Defense to help you outpace the adversary Cloud CISO Perspectives: How Google + Wiz changes multicloud strategy for CISOs Why cloud infrastructure is the foundation for digital health in 2026 Beyond source code: The files AI coding agents trust — and attackers exploit What's new in IAM: Security, governance, and runtime defense Google named a Leader in the 2026 Gartner Magic Quadrant for Cyberthreat Intelligence Technologies Introducing Agent Gateway ISV ecosystem for security and governance Cloud CISO Perspectives: At Next ‘26, why we’re multicloud and multi-AI Next ‘26: Redefining security for the AI era with Google Cloud and Wiz | Google Cloud Blog Introducing Google Cloud Fraud Defense, the next evolution of reCAPTCHA | Google Cloud Blog Next ‘26: Announcing new partner-supported workflows for Google Security Operations | Google Cloud Blog Cloud CISO Perspectives: How CISOs can pursue technical and cultural resilience (Q&A) | Google Cloud Blog Essential AI and cloud security now on by default Securing AI inference on GKE with Model Armor A Leader in Forrester Wave Sovereign Cloud Platform 2026 See beyond the IP and secure URLs with Google Cloud NGFW Cloud CISO Perspectives: RSAC: AI, security, and the workforce of the future How to build AI agents with Google-managed MCP servers Bringing dark web intelligence into the AI era RSAC ’26: Supercharging agentic AI defense with frontline threat intelligence IAP integration with Cloud Run Why context is the missing link in AI data security Welcoming Wiz to Google Cloud: Redefining security for the AI era Cloud CISO Perspectives: New Threat Horizons report highlights current cloud threats Google named a Leader in IDC MarketScape: U.S. SLG Professional Security Services Introducing the Google Cloud recommended security checklist Cloud CISO Perspectives: How Google approaches critical security topics, from fundamentals to AI Sovereignty and European competitiveness: A partnership-led approach to AI growth Cloud CISO Perspectives: New AI threats report: Distillation, experimentation, and integration Delivering a secure, open, and sovereign digital world Cloud CISO Perspectives: 5 top CISO priorities in 2026
Introducing Single-tenant Cloud HSM for more data encryption control
Amit Bapat, Jai Rad · 2026-02-03 · via Security & Identity

Organizations that handle sensitive data in highly-regulated sectors often face a difficult choice: Build and manage physical hardware to meet strict compliance needs, or use cloud services that might not offer the specific level of isolation they require. 

These organizations, often in financial services, defense, healthcare, insurance, and government, require a key management service to provide cryptographic assurances that no one else — including their cloud provider — can access their keys. The key management service also needs to be highly available and scalable to ensure that protected sensitive data is accessible by business critical applications without disruption.

To help meet these rigorous standards without taking on the burden of physical hardware management, we are introducing Single-tenant Cloud HSM, a new service that provides a dedicated, highly-available cluster of hardware security module (HSM) partitions where you retain full control over your cryptographic keys.

Single-tenant Cloud HSM is generally available today in the U.S. and European Union today with competitive pricing. We plan on adding more regions and capabilities throughout the year.

Control your keys with hardware-enforced isolation

Single-tenant Cloud HSM is designed for workloads that require FIPS 140-2 Level 3 validation, isolation from other users, and greater security controls on the HSM. Unlike multi-tenant solutions, this service ensures you are the sole tenant on a partition of a physical HSM. The hardware itself enforces cryptographic isolation, meaning your keys are separated from other customers and from Google operators.

To ensure you maintain control over your data, the service includes several critical security features:

  • Full ownership: You control the root key and root key access for your partition.

  • Quorum-based administration: Sensitive operations are rooted in hardware and require quorum approval, preventing any single individual from making unauthorized changes.

  • Revocation: You have the ability to revoke Google’s access at any time. This action will result in all the keys in the instance becoming unavailable and the data encrypted with those keys inaccessible.

Reduce operational overhead without sacrificing security

Managing physical HSMs usually involves significant work, from procurement to maintenance. With Single-tenant Cloud HSM, Google manages the provisioning, configuration, monitoring and compliance of the hardware. This allows you to focus on security policies rather than hardware maintenance. The service is also designed for high availability and redundancy, allowing you to provision in minutes and scale as your workloads grow.

How does Single-tenant Cloud HSM work?

To understand the level of control you have, it helps to look at the authentication flow. You own and manage your Administrative user credentials directly. You can generate these key pairs on a hardware token like a YubiKey or with another key management system of your choice.

To prevent unauthorized access, you must set up multiple users and configure your instance to require a quorum (M of N). This ensures that a specific number of authorized users must agree to grant or revoke permissions.

https://storage.googleapis.com/gweb-cloudblog-publish/images/1_Single-tenant_Cloud_HSM_high-level_archi.max-1100x1100.png

Figure 1: Single-tenant Cloud HSM high-level architecture.

With this setup, your administrators can:

  • Authorize Google to perform cryptographic operations on your Single-tenant Cloud HSM Instance.

  • Revoke Google's authorization at any time.

https://storage.googleapis.com/gweb-cloudblog-publish/images/2_Single-tenant_Cloud_HSM_Revoking_Googles.max-1100x1100.png

Figure 2: Single-tenant Cloud HSM: Revoking Google’s access.

In summary:

  • Each Single-tenant Cloud HSM instance is a dedicated and cryptographically isolated cluster of HSM partitions for your exclusive use.

  • Each Single-tenant instance provides the same redundancy and high availability as multi-tenant Cloud HSM.

  • You can revoke Google’s authorization to an instance, making all keys in that instance unavailable and it can only be restored after granting the authorization again.

Features and benefits

Meeting compliance and security standards: Single-tenant Cloud HSM is built for customers who want to run cloud workloads that meet stringent security and regulatory standards. Single-tenant Cloud HSM uses FIPS 140-2 Level 3 validated Marvell LiquidSecurity HSMs (models CNL3560-NFBE-2.0-G and CNL3560-NFBE-3.0-G) with firmware versions 3.4 build 10. 

The Single-tenant Cloud HSM service has obtained compliance with numerous regulations and certifications including FedRAMP, DISA IL5, ITAR, SOC 1/SOC 2/SOC 3, HIPAA and PCI DSS. These standards and certifications help customers in highly-regulated market segments meet their regulatory and compliance needs for key management and data protection.

Set up your instance in minutes: You can set up a Single-tenant Cloud HSM instance quickly using standard gcloud commands for all administrative operations. Once you have established the necessary quorum for administrative access, you can provision a complete cluster in approximately 15 minutes.

Scale automatically with high availability: Single-tenant Cloud HSM instances span multiple zones to ensure reliability, matching the availability standards of Cloud HSM. The service also scales automatically to handle your peak traffic loads, ensuring consistent performance without manual intervention.

Integrated with the tools you already use: You can use Single-tenant Cloud HSM with your existing workflows immediately. It works with existing Cloud Key Management System (KMS) APIs, allowing you to use Customer-Managed Encryption Keys (CMEK) to protect data across Google Cloud services. It also integrates with Cloud Logging and Cloud Monitoring, giving you analytics, alerts, and visibility into your key usage.

Get started

Please check out our documentation to learn how you can begin provisioning your dedicated cluster from the Google Cloud console today, and learn more about how Cloud HSM can help you meet security and regulatory compliance goals.

Posted in