Let's assume we have an internal environment consisting of some distributed systems, one central system and an internal PKI. The central system is serving a cluster of HSMs that shall be accessable by network in a securely controlled way. On the distributed systems, there are different application services run by separated technical users that want to make use of the hardware-based cryptography offered by the central system. The distributed systems don't have access to local HSMs.
Each connection from an application service to the central HSM-service is secured by mutual-auth TLS using certificates from the internal PKI. While the central system's tls private key can be protected by the local HSMs, the applications services' tls keys have to be software keys and protected somehow by the local access control system.
In this setup we are concerned about a single malicious administrator on the distributed systems using/copying the private key of an application service to perform cryptographic operations on sensitive data of that application.
Is there any elegant solution to protect agsinst this threat?
Currently, we can only think of the following approaches:
a) Of course we could provide local HSMs to each distributed system. However, this should be incredibly expensive regarding the amount of distributed systems and would also require to establish a responsability for a more complex infrastructure.
b) Someone had the idea to somehow use local TPMs to protect the application services' keys from the administrator and also keep them separated. I'm not sure if I really understand this approach but for me it sounds like a missunderstanding of what a TPM is capable to do.
c) The access control system and the monitoring should be configured such that any access to a key from an administrator's session is raising an alert. Of course, this also requires a concept that reduces the power of an administrator so he cannot manipulate. Not to mention a concept of how to handle such alerts properly.
So I would like to know if you know an elegant solution to this problem. I assume this should be a standard problem in the era of cloud computing. Maybe you have some further ideas.
Thank you!