Hardware security modules (HSMs) are in high demand. HSM usage has increased steadily over the last eight years, rising from 26% in the fiscal year 2012 to 49% in 2020. The HSM market is expected to reach $2.75 billion by the end of 2026.
What exactly is an HSM, and what does it do? Why are so many businesses utilizing HSMs? What are the practical applications of HSMs in enterprise environments?
Let’s talk about it.
1. What Is A Hardware Security Module (HSM)?
A hardware security module (HSM) is a physical device that adds additional protection to sensitive data. This device stores cryptographic keys for critical functions like encryption, decryption, and authentication for applications, identities, and databases.
These devices can be standalone or embedded in other hardware, such as smart cards, appliances, and other external devices. They can be linked to a network server or used as an offline device. They are also available as cloud services.
A business can use a payment hardware security module to separate and control access to cryptographic functions related to transactions, identities, and applications from regular operations. For example, a company may use an HSM to protect trade secrets or intellectual property by ensuring that only authorized individuals can access the HSM to complete a cryptography key transfer.
2. How Using an HSM Can Help Your Business
You may be wondering why a hardware security module is required. Why, after all, should you go through the trouble and expense of configuring an HSM when you can use the built-in functionality of your web server?
For starters, using an HSM provides significantly more secure key storage than using a traditional web server. When businesses use their web servers to run multiple applications, it creates vulnerabilities that cybercriminals can exploit.
HSMs are devices that have limited applications and attack vectors. Here’s why:
- These devices are used by public certificate authorities and registration authorities to generate, store, and manage sensitive keypairs.
- Companies with private PKIs use these devices to use and store the keys used to sign PKI certificates, software codes, and documents.
3. How Do HSMs Work?
Securing the keys in a cryptographic system is critical to keeping the system secure. Managing the lifecycle of those keys, on the other hand, is difficult. This is where HSMs come in. They oversee all aspects of a cryptography key’s lifecycle, including the six steps listed below:
Provisioning
An HSM, another type of key management system, or a third-party organization creates keys. To generate keys, a true random number generator should be used.
Backup And Storage
A duplicate should be made and securely stored if a key is compromised or lost. They can be kept in the HSM or on external storage media. Before storing private keys, they must be encrypted.
Deployment
This entails putting the key into a cryptographic device, such as an HSM.
Management
Keys are controlled and monitored following industry standards and internal policies. The encryption key management system manages key rotation, which involves the deployment of new keys as existing keys expire.
Archiving
Decommissioned keys are placed in long-term offline storage if they are required to access existing data encrypted with that key.
Disposal
Only after it has been determined that keys are no longer required should they be securely and permanently destroyed.
The hardware security module safeguards cryptographic keys and handles encryption and decryption.
4. HSM Types
Transaction and Payment HSM
Specific HSM devices for payment transaction protection, including the use of a PIN (generation, management, validation, and translation of the PIN Block in POS and ATM transactions), the protection of electronic fund transfers (EFT), the generation of data for magnetic strips and EMV chips in card production and personalization processes, the processing of payment transactions with debit and credit cards, and the validation of cards, users, and cry These devices typically provide cryptographic support for most card brands’ payment applications, and their interconnection interfaces are typically more limited than generic use HSMs.
General Purpose HSM
HSM devices that support API interconnectivity via Public-Key Cryptography Standard (PKCS) #11, Microsoft Cryptographic Application Programming Interface (CAPI), Cryptography API Next Generation (CNG), Java Cryptography Architecture (JCA), Java Cryptography Extension (JCE), and others, as well as a variety of standard encryption algorithms (symmetric, asymmetric, and hash functions). These devices are commonly used in PKI environments, HTTPS channels, DNSSEC, general sensitive data protection, and crypto wallets, among other applications.
5. Validation of The Security Levels of HSM Devices
FIPS (Federal Information Processing Standard) 140-2 (Security Requirements for Cryptographic Modules): It is a standard for validating the performance of cryptographic hardware. And, it is recognized globally in both the public and private sectors. This certification establishes four levels of security, from the least stringent (Level 1) to the most stringent (Level 4).
Common Criteria (ISO/IEC 15408): The Common Criteria for Information Technology Security Evaluation is an internationally recognized IT product and system security certification standard. It was created in the 1990s by Canada, France, Germany, the Netherlands, the United Kingdom, and the United States. Evaluated products under Common Criteria are classified into levels (Evaluation Assurance Level – EAL), with EAL 1 being the least stringent and EAL 7 being the most stringent.
Payment Card Industry (PCI) PTS HSM Security Requirements (PCI HSM): The PCI HSM standard is part of the PCI SSC PIN Transaction Security (PTS) group of standards, and it specifies the security controls that must be implemented during the manufacturing, shipment, use, and dismantling of HSM devices used in financial transactions.
Bottomline
Hardware security modules are a critical component of enterprise data security. They provide businesses with centralized key generation, management, and storage, as well as authentication and digital signing capabilities. HSM technology has proven flexible enough to keep up with the cloud transition and the increasing threat environment that organizations face today.