Do Large Companies Require HSMs to Stay Secure?
Do Large Companies Require HSMs? KeyNexus Aims to Help You Answer this Question
In a previous blog post, we discussed Hardware Security Modules (HSMs). As we pointed out, there are a number of pros and cons involved in using HSMs, as well as in using cloud-based or hybrid alternatives. This week, we turn to one of many possible use cases that raise the same question: when do large companies require HSMs? In particular, we want to think about HSMs in the context of large-scale enterprises, including government agencies. For these types of organizations, data security and key management are major concerns, as they often hold particularly sensitive data, such as personal or payment information, and are therefore the targets of cyber attacks.
Let’s take a hypothetical large government agency (LGA) in the United States. LGA has new encryption guidelines, which require it to encrypt every document stored in its file system. It holds key personal and financial information for approximately 100 million people. Given the volume of information it holds, there are potentially billions of encryption keys involved. LGA also must ensure that the key management system it chooses meets the strictest government standards, including FIPS 140-2. In meeting these new encryption requirements, LGA faces several problems: cost, logistics and simplicity of use. If it chooses a traditional HSM vendor, it could require thousands of HSMs. This will come at a significant cost, including the initial purchase, setup and maintenance. With various other factors, including client growth and changes in encryption guidelines, it will also potentially face costs related to scaling in the future. With all of these inconveniences, LGA should ask itself: do large companies require HSMs at all?
By using KeyNexus, LGA would gain the type of flexibility, scalability and performance that HSMs can’t offer, while also avoiding the overhead that comes with thousands of HSMs. At the same time, where LGA may want or need to keep its HSMs to maintain trust, KeyNexus has the capacity to integrate with existing or new HSMs, offering a hybrid approach. With either option, our Unified Key Manager (UKM) would be able to create, store and manage encryption keys for LGA’s encrypted data. This would include the ability to store billions of keys, and to easily scale to LGA’s needs as it faced client growth or an increase in the volume of personal information that it processed and stored.

Setup and deployment would be cost-efficient and easy: because our UKM is a software platform, LGA would simply need to download and install it in its deployment environment of choice. Any necessary software upgrades would also be quick and easy: with a request, KeyNexus could provide LGA with upgrades in a fraction of the time required to upgrade an HSM. With a flexible architecture, LGA would have the option to distribute workloads in the Cloud to streamline functionality.

Finally, KeyNexus would provide LGA with compliant encryption key management. At the most basic level, our UKM conforms to FIPS 140-2 Level 1 standards and provides the separation of encryption and key management roles. If LGA requires a higher level of protection, we offer FIPS 140-2 Level 3 standards via a microHSM, produced in conjunction with our partner CSPi. KeyNexus UKM also complies with various regulations that LGA might be facing, including healthcare (HIPAA and HITECH) and financial services (PCI-DSS and GLBA). With our UKM’s logging and auditing options, LGA would also be able to keep up with any regulatory changes it might face in the future.
Ultimately, KeyNexus offers a flexible, scalable, easy-to-use, cost-efficient, and compliant alternative to traditional HSMs. If you find yourself asking “Do large companies require HSMs?”, consider turning to KeyNexus for our bevy of solutions and expertise. For more information on how KeyNexus can provide you with alternatives to traditional HSMs, contact us or request a demo.