Do Hardware Security Modules (HSMs) Make Sense For Your Enterprise?

Hardware security modules, normally referred to as HSMs, have been getting a great deal of attention in the cybersecurity space over the last several years. This recent recognition is well-deserved, as HSMs offer some of the strongest security among any physical devices available to the public.
 
While many enterprises have already invested in HSMs, not all businesses have done the same. There are still many organizations that store cryptographic data and private key material in the cloud, on end-user workstations, or some combination of those places, with only software-level protection. This creates major security vulnerabilities and simply isn’t the recommended approach to cryptographic key management. If this situation sounds familiar to you, an HSM might be just the solution you need.
 
This blog post will provide an overview of hardware security modules, discuss some of the most prominent HSM vendors, and help you decide if an HSM could improve security in your business environment.
An image of four employees working on computers with a large cybersecurity shield in the background

An Overview of Hardware Security Modules (HSMs)

For those who are not yet familiar, hardware security modules (HSMs) are just what they sound like: hardware appliances designed to provide superior security to a business’s most sensitive data, such as root of trust keys, code signing keys, and root certificates.
 
Most often, HSMs are customer-managed physical devices stored on-premise at your company’s office or in a data center. In other cases, HSMs can be cloud-based and managed virtually. Some HSM and cloud vendors also offer fully-managed HSM services, which include use of HSM devices in addition to services like PKI and key management.
 
While a variety of HSMs are available on the market today, they almost all provide 3 primary features: hardened security, strong resistance to tampering, and detailed record keeping of who is accessing the cryptographic data stored in the HSM.

Hardened Security

If an attacker gains access to your business’s most critical data, like a root certificate or a code signing key, the consequences can be catastrophic. That’s why it’s so essential to store sensitive cryptographic material in hardware security modules.
 
HSMs are crafted to be the most secure physical devices available to private companies. Virtually all HSMs are FIPS 140-2 certified, normally at Level 2 or Level 3 but sometimes certified at Level 4, the highest tier, for companies that need unparalleled security.

Tamper Resistance

According to FIPS 140-2, the National Institute of Standards and Technology publication that establishes specific standards for hardware security devices, an HSM must use tamper-evident coating or seals in order to receive certification as a Level 2 (or higher) device. (Please note that FIPS 140-3 was published in March 2019, superseding FIPS 140-2, but these standards are not yet applicable, as they are scheduled to take effect on September 22, 2020.)
 
The special coating or seal must be placed on the exterior of the physical device, such that the coating or seal “must be broken to attain physical access to the plaintext cryptographic keys and critical security parameters (CSPs) within the module.” Thus, even if your HSM isn’t stored on-premise, you can be sure that nobody is gaining access to your company’s private key material.

Detailed Access Logs

For an HSM to qualify as a FIPS 140-2 Level 3 certified device, it must contain an “audit mechanism to record modifications, accesses, deletions, and additions of cryptographic data.” This includes attempts to access cryptographic data so you can view unsuccessful attempts of unauthorized users to gain access to the material stored on the HSM, alerting you to attacks.
 
These 3 characteristics are what make HSMs such a worthwhile investment for securing mission-critical cryptographic data.

Does an HSM Make Sense For My Enterprise?

Now that you have a better understanding of what exactly a hardware security module is, you might be wondering whether or not an HSM makes sense for your enterprise. The answer is almost certainly yes.
 
In today’s competitive landscape, virtually every company has a significant digital presence, consisting of everything from websites and social media to servers, mobile apps, and more. Underneath the enterprise’s digital environment are the cryptographic keys that keep that environment secure. Cryptographic keys are used in far too many use cases to enumerate, but for those looking for a high-level questionnaire, we’ve provided one here.
 
If the answer to any of the following questions is yes, you should consider using an HSM:
 
  • Do you use TLS to protect your servers (e.g. your website over HTTPS)?
  • Do you have servers that you access via SSH?
  • Do you have a corporate VPN?
  • Do you use or are planning to move to a zero-trust environment?
  • Do you digitally sign documents?
  • Do you sign code (e.g. mobile apps, desktop apps, etc.)?
  • Do you sign or encrypt emails?
  • Do you sign or encrypt backup files?
  • Do you encrypt data in your databases?
  • Do you process or store sensitive data (e.g. PCI, PII, HIPAA, GDPR, classified, etc.)?
  • Do you manage or make use of a PKI?
 
Chances are that your enterprise is actively utilizing a number of these cryptographic key use cases. If you’ve answered yes to any of these questions and you’re not already using an HSM to secure private key material, you should consider investing in one soon.

Challenges With Hardware Security Modules

Although hardware security modules offer an impressive level of security for your private keys, they also come with a few challenges. In particular, enterprises using HSMs often face challenges with performance and integrations.

Performance

Hardware security modules are designed to protect cryptographic private keys, ensuring a high level of security for those keys. At the same time, this increased security can slow down the digital signature process, particularly for large data use cases such as code signing or document signing.
 
DevOps teams that use an agile development approach need to sign code often, and they need to be able to do it quickly. HSMs keep private keys protected but can degrade performance when signing clients use naive approaches such as file upload and download. This degraded performance can cause hiccups in the CI/CD pipeline and lead to tangible losses in revenue.

Integrations

A second major challenge for enterprises using HSMs is a lack of integrations with common tools and platforms. While native client integrations vary among different HSM vendors, they often do not support every tool used throughout an enterprise environment.
 
If an enterprise is using tools that aren’t already integrated with their HSM, they’re compelled to develop a custom integration in-house. However, HSMs expose limited interfaces (typically PKCS11, JCE, or CAPI/CNG), which makes it difficult and costly to build those custom integrations. This leads some organizations to forgo the integrations altogether and simply leave private key material on end-user workstations. This may bring benefits in terms of performance but it also introduces major security risks.

GaraSign: The Perfect Complement To Any HSM Device

Garantir recognized these common challenges with usage of hardware security modules and developed the perfect solution: GaraSign.
 
GaraSign complements HSMs by creating an additional layer of security while dramatically increasing performance through a client-side hashing architecture and offering more than a dozen native client integrations. This makes it easy to place GaraSign directly into any enterprise environment, without any custom development. Integrations include Apple, Microsoft, Java, RPM, Linux, GPG, OpenSSL, and more.
 
If you’d like to learn more about GaraSign, reach out to the Garantir team to set up a call. We provide free hosted proofs-of-concept so that you can experience first-hand how GaraSign can improve the security and performance of digital signatures throughout your enterprise without having to host software or open firewalls.
 

1041 Market Street #302

San Diego, CA 92101

(858) 751-4865

info@garantir.io

Copyright © 2020 Garantir LLC. All Rights Reserved.