Microsoft strives to produce innovative products and services that meet customers' evolving needs. Thales nShield HSMs are certified to support a wide range of Microsoft security solutions and deliver the industry’s most operationally efficient key management framework.
Thales enables Microsoft customers to utilize cryptographic security to enhance their business as well as satisfy evolving compliance requirements. Thales and Microsoft together facilitate the secure adoption of new technologies and delivery models including virtualization and cloud computing. Thales eSecurity is a Gold Certified Microsoft partner.
Thales nShield HSMs safeguard the certificate issuance, management, and validation processes for organizations looking to extend the security of Microsoft Active Directory Certificate Services (AD CS) PKI. Using nShield HSMs, all key generation and certificate signing operations are executed within the tamper-resistant confines of the hardware module. Private keys are securely stored and never accessible outside the HSM. Microsoft's published guidance, Securing PKI: Protecting CA Keys and Critical Artifacts, states that using an HSM is one of the strongest controls one can implement to provide strong protection of CA and other high-value keys.
Thales nShield HSMs create tight controls around the management and use of the keys that protect sensitive data at rest and in use across on-premises and Azure-based client applications. Microsoft Azure Key Vault safeguards the critical cryptographic keys used in the cloud to keep data secured. Used with Microsoft Azure Information Protection (AIP), the data exchanged within collaborative work environments is protected by embedding enforceable security policies directly on the data assets, regardless of the data type.
AIP uses Thales HSMs to ensure that keys are always under customer control. Microsoft AIP with Bring Your Own Key (BYOK) gives organizations control and visibility over the use of their keys, and neutralizes the perception that sensitive data maintained in the cloud is vulnerable.
While most content can be served by securely stored keys in Azure, some sensitive content can never leave the customers’ own security perimeter. To manage this sensitive data, AIP also offers Hold Your Own Key (HYOK). The HYOK option is enabled by an on-premises component, with key management provided through the Thales HSMs.
Thales key management for Microsoft SQL Server 2016, 2014, 2012 and 2008 extends and enhances security by providing protection and lifecycle management for database encryption keys. nShield HSMs use Microsoft's Extensible Key Management (EKM) interface to support Transparent Data Encryption (TDE) and cell-level encryption modes for the protection and consolidation of database application keys. This provides high-assurance key archival for long-term data access and facilitates the periodic rotation of encryption keys required by regulations such as PCI DSS.
In addition to the resources linked on this page, several detailed integration guides are available for Thales-Microsoft solutions; please visit the Knowledge Base for a full listing.
Solution Brief: Protect Sensitive Data at Rest and in Use Across On-Premises and Azure-Based Client Applications
Solution Brief: Thales Microsoft Active Directory Certificate Services
Solution Brief: Secure Certificate Registration: Thales High Assurance for Microsoft NDES
Solution Brief: Enhanced Security: Thales High Assurance for Microsoft RMS
Solution Brief: Thales Enhances Security of VMs Deployed Within Microsoft Windows Server 2016