en.Wedoany.com Reported - Swiss hardware security module manufacturer Securosys has launched an external key manager proxy for Microsoft Azure. This solution supports external key management in the Azure Key Vault Managed HSM environment, primarily targeting regulated industries such as finance, healthcare, and the public sector, enabling enterprises to retain control over encryption keys while using cloud services.
The key principle of external key management is that "key material never enters the cloud platform." Enterprises generate, store, and manage keys within Securosys Primus HSM or CloudHSM, while the Azure Key Vault Managed HSM side retains external key references, access control, and auditing capabilities. When an Azure service needs to perform cryptographic operations such as key wrapping or unwrapping, the request enters the Managed HSM, is forwarded via the Securosys EKM Proxy to the enterprise-controlled external HSM environment for computation, and the result is returned to the Azure-side service. This allows business systems to continue using the key management interfaces and permission systems within the Azure ecosystem, while the core key material remains within the customer's own or customer-controlled HSM boundary.
This type of solution primarily serves heavily regulated industries. Financial institutions, healthcare organizations, and public sector entities typically need to meet requirements for data sovereignty, key sovereignty, audit trails, and compliance isolation, and cannot rely solely on cloud platform-hosted keys.
The Securosys EKM Proxy acts as a connector in the architecture. It connects Azure Key Vault Managed HSM with the Securosys HSM environment, enabling Azure services to invoke external keys for controlled cryptographic operations. The communication link uses mutual TLS authentication; the Managed HSM and the proxy service must authenticate each other before processing requests. The proxy interface is responsible only for cryptographic operations and does not replace key lifecycle management within the external HSM. Key generation, backup, rotation, destruction, and recovery must still be completed within the Securosys HSM environment, meaning that while enterprises gain control over keys, they also assume greater responsibility for key operations and maintenance.
For enterprise cloud security architecture, external key management is not simply "adding an extra layer of encryption" but rather changing the key control boundary. Traditional customer-managed key models typically still place keys within the cloud platform's key management service, whereas external key management keeps critical key material in the customer-controlled HSM, with the cloud side holding only references and access control information. Regulated enterprises can continue using Azure applications, storage, databases, and cloud services while running core encryption root keys in an independent hardware security module to meet internal risk control, regulatory audit, and cross-border data governance requirements.
This solution also imposes requirements on system latency, network paths, and HSM capacity. When Azure services invoke external keys, the process goes through three stages: Managed HSM, EKM Proxy, and external HSM. Enterprises must ensure proxy service accessibility, correct certificate configuration, sufficient HSM cluster throughput, and the ability to record audit logs on both the proxy and HSM sides. For high-frequency encryption operations, financial transaction systems, healthcare data platforms, and government cloud workloads, external key management deployment still requires validation around availability, failover, key rotation processes, and audit closure.
With the launch of the external key management proxy for Azure, Securosys's HSM capabilities will further integrate into mainstream public cloud security systems. Subsequent implementation will focus on Azure Managed HSM connection configuration, Securosys Primus HSM or CloudHSM deployment, mTLS certificate management, key lifecycle coordination, compliance auditing, and migration solutions for regulated industry customers.










