So, why aren’t businesses using HSMs for all possible use cases? The answer comes down to the ROI on the development hours needed to enable them.
In particular, a business would need to develop cryptographic software that interfaces with both the end-user clients and the HSMs themselves to enable each new use case. HSMs typically expose low-level cryptographic APIs (e.g. PKCS#11, JCE, or CAPI/CNG), and developing against these correctly requires specialized skills. This type of development is usually not a core competency of the business that needs the solution, so building it in-house is a costly and error-prone endeavor.
Making matters worse, the degraded performance that typically comes with poorly written “bootstrapped” cryptographic software can lead to bottlenecks in the CI/CD pipeline. Use cases involving lots of transactions and/or large volumes of data can further degrade performance on poorly implemented integrations.
Ultimately, most companies opt not to build these types of cryptographic solutions. This decision, in turn, means that most companies aren’t getting the most out of their HSMs and are leaving the door open to potential security vulnerabilities.