Does Your Company Need an HSM? Here Are a Few Things to Consider:
Hardware Security Modules (HSMs) have been the standard for cryptographic processing for the last 20 years. But with the emergence of virtual, cloud-based and software-defined systems, there has been a shift away from physical, on-premise HSMs to virtual HSMs (vHSMs) and cloud-based key management services. The question you need to ask: does your company need an HSM? In other words, is an HSM best for your organization’s current operational and security goals? Unfortunately, there is no simple answer – it depends entirely on your organizational needs.
On the one hand, HSMs provide excellent security for sensitive data. An HSM is a dedicated data encryption resource: a self-contained, tamper-resistant server dedicated to cryptographic processing, which can be physically locked down and set up to destroy all keys if there are security breaches. This type of protection is precisely why certain industries are legally obligated to have HSMs. HSMs also fit into economies of scale for larger organizations, and the added security is particularly appealing to protect sensitive customer or proprietary data. Since HSMs are deployed as an on-premise rack-mounted solution, and generally involve significant complexity and professional services to deploy, they have historically served predominantly regulated, on-premise, enterprise environments which, until the last 5 years, have been the standard.
On the other hand, HSMs are complicated, logistically difficult and costly. As physical units, they require shipping, installation and configuration to set up. And if one of your HSMs breaks down, you will need to order a new one, and go through the same set-up routine, leaving you at increased risk in the meantime. All of this is costly in terms of money, time and energy. There is also the problem of adaptability. As a physical unit, an HSM is what it is: when you take it out of the box, it has a set amount of memory, and can only perform a limited number of tasks and transactions per unit time with no upgradability. The only way to go beyond the out-of-box specs is to purchase more of the same hardware or undertake a full hardware upgrade. Finally, new technology and services have made them somewhat outdated. In many cases, organizations are using services that already encrypt their data, making the “full-service” (and full cost) nature of HSMs unnecessary and undesirable. Likewise, HSMs sacrifice flexibility for maximized security: HSMs can’t let keys out, which means only a limited number of people will have access to encryption keys.
The bottom line is that HSMs fit some organizational needs, and not others. But KeyNexus offers products that can satisfy your key management needs for HSMs and virtual or hybrid systems.
KeyNexus’ virtual HSMs (vHSMs) solve many of the problems associated with traditional HSMs. As a software platform, a vHSM only needs to be downloaded and installed to be fully ready to go. Adaptability and scalability are also simple and efficient. KeyNexus can be embedded in different hardware platforms, such as switches, network interface cards and IoT devices. By embedding KeyNexus into your hardware device, your customers receive the benefits of an HSM without the overhead that accompanies it. Upgrades are also quick and easy: with a simple request, KeyNexus can provide you with new software in as little as 20 minutes. Moreover, KeyNexus’ Unified Key Manager can be used for hundreds of use cases at once, as opposed to the limited functionality of HSMs. An approach like this equates to future-proofing your key management strategy, ensuring you are ready for the next key management use case that comes over your horizon.
If you require a traditional HSM, KeyNexus has partnered with CSPi on a new product that aims to bridge the HSM-cloud divide: the ARIA microHSM. Running KeyNexus’ UKM software and offloading the encryption and key management onto a Myricom SIA, the microHSM replaces the need for a standalone HSM appliance, while improving application performance, decreasing network latency and enabling deployment within any server. It also runs industry-standard KMIP technology. The benefits relative to a traditional HSM include a 50% decrease in cost, and a performance increase of up to 10 times. Moreover, running on KeyNexus software, the microHSM has all the benefits of virtual systems in terms of adaptability and scalability.
Whatever your data security needs, HSMs, vHSMs and hybrid systems all offer a number of pros and cons. Figuring out which system is best requires assessing your organization’s needs. For information on the products KeyNexus offers that can fit your HSM, vHSM or hybrid needs, contact us.