Should you move your Code Signing to the cloud? 

In an era where digital trust is paramount, ensuring the integrity and authenticity of software is non-negotiable. Code signing certificates serve as a digital seal of authenticity, assuring users that the software they’re interacting with is from a trusted source.

In the world of software development, ensuring the integrity and authenticity of software before it reaches the end user is crucial. One of the key tools used to achieve this is the code signing certificate. This article provides an overview of what code signing certificates are and discusses the differences between using cloud-hosted Hardware Security Modules (HSMs) and self-hosted token-based solutions for managing these certificates. 

What is a Code Signing Certificate and how does it work? 

A code signing certificate is a digital certificate used by software developers to sign software programs, applications, and scripts. This signature confirms the identity of the software publisher and ensures that the code has not been altered or corrupted since it was signed, ultimately protecting users from running compromised software.

When a developer signs their software with a code signing certificate, they use a private key to create a unique signature based on the code itself. This signature is then appended to the software. When users download or launch the signed software, their system verifies the signature using the corresponding public key provided by the certificate. If the signature is valid and the certificate is trusted, the software is considered secure to run. 

Stricter key management requirements; the deprecation of PFX 

There have been many examples of compromised code signing certificates (typically stored as PFX) being abused by malicious actors.  

For this reason, as of June 2023, the CA/Browser Forum, the regulatory body responsible for setting rules for CAs, mandated that code signing certificates could no longer be issued as PFX files – the file format that neatly packages the private key with the certificate. Instead, private keys are now required to be generated and stored in more secure environments such as FIPS 140-2 compliant HSMs, which provide better protection against extraction and unauthorized use.

These new rules underscore the importance of robust key management and are part of broader efforts to ensure the security of digital certificates. Organizations involved in software development and distribution must now adjust their practices to comply with these heightened security measures and, in doing so, choose whether or not to go with a cloud-hosted solution.
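One audit a team might run when moving keys into an HSM, as an added example that is not part of the original article: walk a build or source tree and flag private keys that still live in files, recognising PKCS#12 (PFX) containers by their ASN.1 header rather than by file extension. The function names, labels and sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile
PEM_KEY = re.compile(rb"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----")

def looks_like_pkcs12(data):
    """Heuristic: outer ASN.1 SEQUENCE whose first element is INTEGER 3 (PFX v3)."""
    if len(data) < 6 or data[0] != 0x30:
        return False
    # Short or indefinite length uses one octet; long form adds (octet & 0x7F) more.
    header = 2 if data[1] <= 0x80 else 2 + (data[1] & 0x7F)
    return data[header:header + 4] == b"\x02\x01\x03\x30"

def classify(path):
    with open(path, "rb") as fh:
        head = fh.read(64 * 1024)
    if looks_like_pkcs12(head):
        return "pkcs12-container"
    if PEM_KEY.search(head):
        return "pem-private-key"
    if os.path.splitext(path)[1].lower() in (".pfx", ".p12"):
        return "pkcs12-extension-only"
    return None

def find_file_based_keys(root):
    """Walk root and list (relative path, label) for every file that needs review."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                label = classify(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            if label:
                findings.append((os.path.relpath(path, root), label))
    return sorted(findings)

def demo():
    """Scan a constructed tree; every file below is made up for the example."""
    samples = {"release/codesign.bin": b"\x30\x82\x0a\x00\x02\x01\x03\x30\x82\x09\xf0",
               "ci/deploy.key": b"-----BEGIN PRIVATE KEY-----\n(constructed)\n",
               "old/empty.pfx": b"", "docs/readme.txt": b"no key material\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, content in samples.items():
            os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(content)
        return find_file_based_keys(root)
```

Content-based matches survive renaming, while an extension-only hit means the file did not parse as PKCS#12 and needs a manual look.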


Comparing the options; to cloud or not to cloud? 

Cloud-Hosted HSM 

Cloud-hosted HSM solutions, like Azure Key Vault or AWS Secrets Manager, offer the flexibility of the cloud with the security of dedicated HSMs. In this model, the HSM is maintained by a third-party provider in a secure data centre. The key benefits include: 

Scalability: Easily scale up as the demand for more digital signatures increases without the need for physical hardware management. 

Accessibility: Access the HSM from anywhere, which is particularly useful for teams distributed across different locations. 

Cost-Effectiveness: Reduce the overhead costs associated with maintaining physical security, hardware, and compliance on-premises. 

However, relying on a third-party service provider involves trusting that provider to manage and secure your private keys appropriately, which might be a concern for organizations with extremely sensitive information. 


Self-Hosted HSM Solutions 

Self-hosted token-based solutions use physical devices, such as USB tokens produced by SafeNet/Thales, that are managed and maintained by the organization itself.
The primary advantages are:

Control: Full control over the security environment, with the ability to enforce custom security policies and access controls. 

Physical Security: Since the HSMs or tokens are physically located within the company’s premises, there is a direct control over the physical security of the devices. 

Offline Capability: These devices can operate offline, providing an added layer of security against network-based attacks. 

The main drawback is the cost of scaling and maintaining these devices, especially amongst geographically distributed teams. The need for specialized knowledge to manage the hardware and software of HSMs also puts an extra burden on an organisation's system administrators & IT technicians.

Some Certificate Lifecycle Management vendors, like our partner, AppviewX, offer platforms that can simultaneously provide the enhanced security of self-hosted HSMs and the convenience of cloud-hosted solutions. However, these platforms, like SIGN+, are targeted at large enterprise customers and not at small & medium-sized organizations.

Conclusion 

When choosing between cloud-hosted HSMs and self-hosted token-based solutions for managing code signing certificates, the benefits of cloud-hosted solutions make them a particularly attractive option for many organizations. Cloud-hosted HSMs offer scalability, cost-effectiveness, and ease of access, which are critical advantages in today’s fast-paced software development environments. These solutions allow organizations to easily scale their operations without the overhead associated with maintaining physical hardware. Additionally, the flexibility of accessing secure signing capabilities from any location can significantly enhance a development team’s productivity and responsiveness. 

While self-hosted solutions provide total physical control and the possibility of enhanced security through offline operation, the logistical and financial burdens can be substantial. Cloud-hosted HSMs, by providing robust security measures, including advanced encryption and strict access controls, effectively mitigate many of the risks associated with key management.  
As such, for organisations looking to streamline operations and maintain high security with less physical infrastructure, cloud-hosted HSMs represent a compelling choice. This alignment with modern cloud strategies supports an agile, secure software development lifecycle, making it a preferred method for managing code signing certificates in an increasingly digital world. 

Jon Tittmann

Vetting/Support Team Lead & OpEx

Jon has been an integral part of TRUSTZONE for the past six years, during which he has acquired substantial expertise in the cyber security field. As the team leader for our support team, he possesses a profound understanding of the sector, enabling him to resolve even the most complex challenges within the certificate industry effectively.
