This article describes why every organisation needs a hardware security module (HSM).
What is a hardware security module (HSM)?
An HSM is an effective tool to enhance the security of your organization and provide advanced protection for your sensitive data. It is a device that can handle digital keys in a secure way. It enables strong authentication and performs encryption and decryption functions for digital signatures. The effectiveness and reliability of HSM is verified by international security certificates, so the owners of the HSM can rest assured that their data and processes are protected by proven methods and technologies.
Why would you need an HSM?
Do you store, generate, or manage sensitive data at your organisation? Do you have to meet special regulations regarding this data like GDPR, eIDAS, and PSD2? Has your infrastructure ever been attacked? Have you ever had to pay the cost of a data breach and suffer the additional consequences including loss of customers and damaged reputation? Or are you one of the lucky ones who has yet to experience such an event? Cybersecurity experts have been warning organisations for years that it is only a matter of time for each organisation. So, it’s worth exploring how you can make sure that the attackers cannot access your valuable data even if they can infiltrate your systems.
State-of-the-art HSM can provide enhanced security for the data as they enable encryption of databases or on the level of applications. It offers best practice security solutions for other future-proof business solutions like credential management, authentication or SSL/TLS, the cryptographic protocols that secure communications over a computer network. It can be used for creating local and remote qualified signatures and qualified seals, if it meets the requirements of eIDAS. It is useful tool for code signing, to confirm the identity of the author of the software and to guarantee the code has not been altered or corrupted after it was signed. It can also provide the proper and secure background for document signing that is necessary for electronic invoicing.
Why is an HSM beneficial?
The high level of security provided by an HSM can be useful for any organisation that generates, stores, and manages sensitive data – which basically covers all organisations that possess intellectual property and/or work with customers and employees and handles the personal data of these individuals. The amount of data keeps growing rapidly: In 2020, 64.2 zettabytes of data was created or replicated, and this number is expected to grow by 23% yearly over the 2020-2025 period.
The data and the business processes need protection from malicious attackers, and organisations are obliged to provide enhanced security for this type of data to meet regulations and compliance standards. Organisations’ financial information also needs strong protection, as well as other confidential business information, intellectual property, and patented materials, among others.
Organisations in all fields have their special use case for an HSM. There has been a growing requirement for digitalization in the governmental sector in the past years, therefore public administration organisations need special solutions for managing personal data safely during electronic administration and they also must provide transparency for the citizens. Financial institutions require a high level of safety for financial transactions as well as reliable identification, strong authentication (eIDAS/CC) and legal certainty (PSD2). Protection of patient data and intellectual property is a high priority in the healthcare & pharmaceutical sector. As IT security threats are growing worldwide, utilities and energy providers require more and more serious solutions to ensure business continuity and data security. Local and networked IIoT (Industrial Internet of Things) devices used in factories need high level protection including encryption and authentication, therefore HSM guarantees the proper level of security for industry stakeholders by securing both IIoT devices and the critical phases of the manufacturing process. Data safekeepers and companies involved in blockchain technologies also need to ensure the highest level of security for their customers and themselves.
Finally, Qualified Trust Service Providers (QTSP) also use HSM for special purposes, including securing Public Key infrastructures (PKI) and offering digital signature services. The demand for easy-to-use solutions is higher than ever, and new regulations allow for more convenient, yet secure services. So those QTSP’s gain a competitive advantage that can utilize these new opportunities and can launch new services like easily available, yet secure digital signatures.
What type of HSMs are available?
There are two main types of HSMs:
- Payment HSM designed for payment and transaction purposes and
- General purpose (GP) HSM to generate, store and manage keys, encrypt, and decrypt data and create and verify digital signatures.
HSM can be used on-premises and remotely. Most of the significant cloud providers offer cloud based HSM services that enable organisations to generate and use their own encryption keys in the cloud infrastructure. While this way has its own advantages, there might be performance issues and latency issues. With proper support, it is easier and safer to maintain your own solution.
Some HSMs fulfil the requirements of eIDAS, the regulation of the European Parliament and the Council, which specifies the conditions and requirements of electronic identification and trust services for electronic transactions in the internal market. This means that QTSPs can run their qualified electronic signatures based on that HSM.
How do you choose the right HSM?
When you consider which HSM is the ideal for you, the most important factors are
- the use case and
- the level of security required for the tasks you want to perform with the device.
The secure operation of the HSM is usually verified by internationally recognized certification.
The two most common certifications are FIPS 140-2 and Common Criteria. FIPS 140-2 is mandated in the US for many federal agencies using cryptographic-based security systems to protect sensitive information in computer and telecommunication systems. In many European countries, on the other hand, Common Criteria certifications are required in such cases. Many public organisations are not obliged to use solutions with such certifications but choose to do so anyway to ensure the security and reliability of the purchased product.
The Federal Information Processing Standard Publication 140 (FIPS 140) is a US government computer security standard used to approve cryptographic modules. It coordinates and determines the requirements for cryptographic modules that include both hardware and software components. The standard defines four levels of different security aspects to cover a wide range of potential applications and environments. Organisations can define their needs in the levels of security and then choose a solution that fits their expectations, which is guaranteed by the certification.
Common Criteria for Information Technology Security Evaluation is an international standard for computer security certification. It provides a framework in which computer system users can specify their security requirements through different Protection Profiles (PP) for different products, using different documents and assurance and functional requirements. The solutions can be evaluated in different levels of depth and rigor, and this is described by the Evaluation Assurance Levels (EAL) ranging from 1 to 7.
How do you deploy an HSM?
To deploy and maintain an HSM you need special skills and knowledge in the fields of IT security, cryptography, and computer networks. The device needs to be set up and installed in the infrastructure, connected with the existing systems using an encrypted, secure communications channel and configured properly.Usually, you can get support from the HSM vendor or its partners. They dedicate attention and focus to each customer, aiding you along the way from choosing the right HSM and setup to the deployment and the special needs and requirements that might emerge later during the operation.