Hardware Security Module (HSM)
Have you ever noticed a business professional plugging a physical card into his laptop? Chances are that he’s using a hardware security module, an essential tool for ensuring security in an ecosystem laden with cybersecurity threats.
HSMs are used in almost every industry for not only ensuring security but also aligning with government regulations. With the advent of cloud-based solutions, it’s become easier than ever for you to adopt the technology into your workflow. Let’s talk about the HSM, its applications, and related concepts like the Root of Trust.
What Is a Hardware Security Module (HSM)?
An HSM is a physical device that can create digital certificates and generate and manage encryption keys for encrypting and decrypting data. Companies use HSMs because they are resistant to tampering and help secure encryption, and business-grade HSMs comply with high security standards from FIPS 140-2 to Common Criteria.
FIPS (Federal Information Processing Standard) is a benchmark for the effectiveness of cryptographic hardware devices. There are 4 levels of FIPS 140-2 indicating the quality of security, and organizations must balance the needed amount of security with convenience of use.
Common Criteria is an international standard designed to unify national IT security throughout the US, Canada, the UK, France, Germany, Australia, and New Zealand.
On top of maintaining high data security standards, the organizations use HSM technology to achieve operational agility and regulatory compliance. You’ve probably heard of high-profile laws like the medical industry’s HIPAA for protecting patient data and the EU’s GDPR (General Data Protection Regulation) for protecting users’ personal data.
What Is Root of Trust?
At the heart of an HSM is a concept known as the Root of Trust, or the one source that must always be secure and trusted. A hardware Root of Trust is the HSM itself, the device that encrypts, decrypts, and verifies digital signatures in its own secure environment.
Anyone working with public key infrastructures can tell you how critical the Root of Trust is for protecting keys and signing secure code.
Root of Trust matters more than ever in the age of Internet of Things, where individual devices all operate with your network. To ensure that a hacked device doesn’t gain access to your sensitive resources, the HSM is the trusted point where devices can ensure they receive authentic information.
Is It Available As a Service?
Much like other tools, HSMs are now being offered as subscription-based services. These cloud HSMs are typically just as secure as on-premises deployments and come with the added flexibility and accessibility of cloud applications. Some examples are:
- AWS from Amazon
- Google Cloud HSM
- TokenEx
- Azure Key Vault
- OpenSSH
As with other cloud-based services, hosting your HSM with a cloud provider ensures that you’re only paying for the features you need and outsources all the maintenance and updates to that provider.
Applications of HSMs
Because HSMs and digital security are so heavily related, it’s no surprise that businesses in almost every industry have found a use for them. These include:
- IoT devices. Anything from a medical device to a video game console can use HSM technology.
- Digital streaming services, which issue copy protection by digitally watermarking the content.
- Card payments. Banks use hardware security modules for authorizing transactions and verifying PINs. The magnetic stripes you see on some bank cards use HSMs as well.
- Blockchain applications, which have HSMs as a foundation for security. Each participant must have a verified digital signature.
- SSL acceleration. Applications that use HTTPS (SSL/TLS) typically require the host machine to do complex RSA calculations. An HSM can offload this workload using error-checking memory.
- Random number generation. Because the “random numbers” generated by most software can occasionally be predicted, an HSM offers a separate source of entropy that can be more secure than a software-based one.
- Cryptocurrency, where HSMs are often used as wallets.
The industry standard for preventing cryptographic key theft, data breaches, and incorrect business transactions is the hardware security module.
Akeyless as a Virtual HSM
Akeyless Vault is FIPS 140-2 certified, which is approved by the US NIST. It acts as a Virtual Hardware Security Module (or Virtual HSM). Other technologies require an external HSM on top of their tool in order to offer the same security.