Hardware security modules (HSMs) are dedicated cryptographic processors that safeguard and manage cryptographic keys, providing a secure environment for performing encryption, decryption, and digital signing operations. These tamper-resistant devices, often connected to a PC or server, act as physical vaults for sensitive cryptographic keys, preventing them from ever leaving the secure enclave and shielding them from unauthorized access or theft. As a result, organizations employ HSMs to ensure the confidentiality, integrity, and authenticity of their data.
HSMs undergo rigorous testing, validation, and certification against the most stringent security standards, such as FIPS 140-2 and Common Criteria. Entrust, a prominent global HSM provider, offers the comprehensive nShield General Purpose HSM product family.
HSMs empower organizations to:
- Meet and surpass established and evolving cybersecurity regulatory standards, including GDPR, eIDAS, PCI DSS, HIPAA, and more.
- Attain elevated levels of data security and instill trust.
- Sustain superior service levels and enhance business agility.
Today's enterprises have a lot to worry about when it comes to maintaining their encryption environments. For instance, organizations need to make sure their cryptographic systems have enough available CPU to perform encryption and hashing, among other cryptographic operations. They must also make sure they can store their encryption keys in a secure manner.
Some enterprises develop their own homegrown solutions to address these challenges, but they risk making a mistake and exposing their encryption assets in the process. As a result, many organizations instead turn to HSMs.
Robust key management is just one of the benefits of using an HSM. As opposed to custom solutions, these devices are built on top of specialized software that's been tested and certified in designated laboratories. Peter Smirnoff wrote for Cryptomathic that HSMs also come equipped with a security-minded operating system and limited accessibility through a network interface.
Why Do You Need a Control Plane for Machine Identities?
For all their advantages, HSMs aren't without their drawbacks. For example, Jim Attridge noted in a paper for the SANS Institute's Infosec Reading Room that these devices can be rather expensive, depending on their level of functionality and security. Attridge further observed that many vendors fail to disclose specifics about their HSM solutions and that updating these devices can prove to be difficult.
These challenges have not diminished the importance of HSMs for security professionals, however. According to its 2018 Global Encryption Trends Study, Thales found that a majority (57 percent) of IT and security practitioners worldwide in 2017 considered HSMs to be important or very important to their encryption or key management program or activities. 2017 marked the fifth consecutive year where the percentage of survey respondents who recognize the importance of HSMs grew. It also marked the fifth year in a row where the global deployment rate of HSMs increased, with 2017 peaking at an all-time high of 41 percent among respondents.
Some countries were more enthusiastic about the value of HSMs than were others. Germany, India, the United States and Japan were particularly excited at 71 percent, 65 percent, 64 percent and 63 percent, respectively. By consequence, the survey found that the enterprises in Germany, the United States and Japan were more likely to deploy HSMs than those in other countries.
In terms of deploying HSMs, enterprises had many reasons for doing so. The greatest percentage of organizations cited SSL/TLS at 43 percent. They were followed by application-level encryption and database encryption at 41 percent and 37 percent, respectively.
Respondents' justifications for planning to deploy HSMs within the next 12 months weren't all that different. The percentage of organizations that cited these factors did vary somewhat, however. Half of survey participants said they planned to facilitate SSL/TLS with their device. 40 percent said application-level encryption was the reason behind their choice, whereas 44 percent intended to use their HSM solution for database encryption.
Thales recognizes the importance of HSMs and other solutions that help safeguard enterprises' encryption environments. That's why it conducts its Global Encryption Trends Survey every year. It's also why it partnered with Venafi, a co-sponsor of Thales' annual study, to help organizations protect their encryption keys and other sensitive data.
Venafi makes it easy to automate private key lifecycle management. This helps organizations enforce strict policy control, achieve compliance and avoid the risks associated with storing keys in files. Venafi Advanced Key Protect works with leading HSM providers to simplify the process of generating and storing keys securely—the keys never leave the HSM.