How do I select a hardware security module for my business?
Protecting your data has never been more important, and encryption is the most effective way to do it. The encryption keys themselves should then be stored inside a hardware security module (HSM), which secures and manages them.
To select a suitable hardware security module for your business, you need to think about a variety of factors. We’ve talked to several industry professionals to get their insight on the topic.
David Close, Chief Solutions Architect, Futurex
When selecting a hardware security module, there are so many factors for consideration that it can be hard to keep things straight.
First and foremost, however, you should ask yourself these questions:
- Are there compliance requirements I must meet, such as PCI HSM?
- Do my applications require a specific cryptographic interface, such as PKCS #11, Java, or Microsoft CNG?
- How many different applications in my ecosystem require HSMs? Can I use multitenancy or HSM virtualization to reduce my overall rack footprint and cost?
- Do my applications use public clouds such as AWS, Azure, or Google? If so, will a cloud HSM or cloud payment HSM meet my needs?
- How should I structure my team? Should I focus their energy more on hands-on administration work, or on using vendor-provided tools to automate the process of HSM management?
- Looking toward the future, when will my organization need to deploy post-quantum algorithms? For IoT manufacturers with long-lifespan devices, this may be sooner than you think!
It’s easy to get wrapped up in granular specifications like RSA signing speed or encryption key storage capacity, but first and foremost, you must make sure your HSM selection meets your strategic goals. If you carefully consider the above questions with your long-term needs in mind, you’ll find yourself in a great position.
John Grimm, VP of Strategy and Business Development, Entrust
It’s easy to get lost in speeds and feeds, certification and compliance lists, and low-level specification details when comparing different HSM offerings. And it’s extremely hazardous to do so, since the playing field for HSMs – and the criteria for evaluating them – has changed significantly from years past.
The fundamental truth about HSMs is that they are not standalone products; they provide high assurance protection and management for private keys for applications that perform encryption or digital signing. The more applications you have that do encryption or digital signing, the greater the ROI you can achieve on an investment in HSMs.
And that’s exactly why a strong, diverse, well-supported and well-maintained technology partner ecosystem has become a top differentiator for HSM offerings. Does the HSM have certified, current, documented integrations with a range of leading providers in foundational use cases like PKI, encryption, digital signing, and TLS/SSL? And what about more modern use cases like cloud, BYOK and key management, and containers/Kubernetes? Emerging use cases matter too: secrets management, blockchain, IoT and more.
Broad application support reduces security risk and maximizes ROI, and, coupled with deployment flexibility (not just cloud or on-premise, but the ability to change seamlessly between the two) and proven worldwide customer support, it is a critical selection criterion to help position you for success with HSMs.
Ambuj Kumar, CEO, Fortanix
Traditional HSMs are purpose-built for specific use cases. This results in security fragmentation. Enterprises often have 2-3 different HSMs, key management, and encryption solutions, each solving only part of the problem at a premium price, with costly maintenance and additional costs for every new application.
To add to the woes, these systems do not integrate with public cloud/hybrid infrastructures, requiring customers to maintain separate solutions for on-premises applications and public cloud. Today’s already overburdened application teams, database administrators, data analysts, and security administrators don’t have time or patience to use outdated technology.
For decades, businesses in highly regulated industries have been locked into HSM appliances that are costly to operate, difficult to scale and lack the modern RESTful programming interfaces required by application developers to quickly bring new applications to market and migrate them to the public cloud.
The Federal Information Processing Standard (FIPS) 140-2 Level 3 certification from the National Institute of Standards and Technology (NIST) enables businesses to replace legacy encryption technologies for protecting the most sensitive data in the U.S. Government, technology, financial services and healthcare industries.
At a minimum, adopt an HSM that offers FIPS 140-2 Level 3 compliance, secret management, key management, and cloud integration.