Hardware security modules are specialized computing devices designed to securely store and use cryptographic keys. Let's break down what HSMs are, how they work, and why they're so important to public key infrastructure.
Demand for hardware security modules (HSMs) is booming. Data from Entrust's 2021 Global Encryption Trends Study shows that HSM usage has been steadily increasing over the last eight years, rising from 26% in fiscal year 2012 to 49% in 2020. According to data from 360 Market Updates, the HSM market is expected to reach $2.75 billion by the end of 2026.
What is an HSM and what does it do? Why are so many companies using HSMs? And what are the practical uses for HSMs in enterprise environments?
Let's hash it out.
Encrypted data isn't secure if the keys you use to encrypt it are exposed; this is where HSMs can save the day. Hardware security modules (HSMs) are tamper- and intrusion-resistant hardware components that organizations use to protect and store their cryptographic keys while still making them available for use by authorized users. Their purpose is to control access and limit risk to your company's sensitive private keys.
HSMs enable your employees to use your organization's private keys without needing direct access to them. Basically, your software (for example, hosted on a web server) can execute cryptographic functions and authentication without loading a copy of your private key into memory on your web server (where it could be vulnerable to attack). The cryptographic functions are all done within the confines of an HSM's secure environment. Performing these operations within this secure little bubble keeps your sensitive data from becoming compromised by keeping the private keys hidden away in a secure location.
To better understand this concept, think of an HSM like a vending machine. A vending machine stores drinks and food items within an isolated internal environment. It's designed to accept user inputs (i.e., your item selections) and generate outputs (i.e., pop out a tasty snack), and you can't access the inside of the vending machine or alter its functions.
Similarly, an HSM accepts user inputs and generates outputs (such as signed certificates or software) without users (or applications) seeing, accessing, or altering your cryptographic keys. That's because its functions are executed within the confines of its secure environment, and no key can be wholly exported, extracted or removed from an HSM in a readable format. So, like a vending machine, you can use it to get your desired output, but you can't see or access the internal workings of the device and all of its individual components that made it possible.
Here's a quick overview of how hardware security modules work:
You may be wondering why you need to use a hardware security module at all. I mean, why should you go through the hassle and cost of setting up an HSM when you can simply use your web server's built-in functionalities?
Well, for one thing, an HSM provides significantly more secure key storage than what you'd get from using a traditional web server. When companies use their web servers to run many applications, this can result in vulnerabilities that cybercriminals can exploit. HSMs are devices with limited usages and attack vectors. This is why:
Using an HSM helps you secure your private code signing keys and avoid exposure issues like what HashiCorp faced earlier this year. On April 22, HashiCorp informed customers that the GPG private key they use to sign official product downloads and updates was exposed as the result of a third-party (Codecov) security incident.
Basically, the crux of the situation is that an unauthorized user exploited a vulnerability that gave them the ability to export sensitive data from Codecov's continuous integration (CI) environments. HashiCorp's CI environment, which housed the company's GPG private key and other sensitive secrets, was among those exposed CI environments. If HashiCorp had stored their key in a secure HSM instead of the CI, then it wouldn't have been exposed.
There are also many other purposes and uses that HSMs serve in terms of PKI and general cybersecurity. You can use an HSM to:
Here's a breakdown of the top 10 HSM use cases in 2021, according to data from Entrust and the Ponemon Institute:
Having options for secure cryptographic storage is important for all businesses, particularly as their needs evolve with the growth of their operations. The good news is that HSMs vary in terms of both their physical sizes and applications. Some HSMs are small plug-in cards or USB devices while others are large external devices and appliances that companies store on premises within secure locations.
Hardware security modules can be very cost-prohibitive for many businesses. A 2018 article in SecurityToday.com says that the cost of deploying a single HSM can range upwards of $40,000, and that price doesn't include other related costs such as additional hardware, support, and maintenance. So, doing everything yourself may not be a viable option.
But just because your company can't afford to buy one or more of these devices outright doesn't mean that you can't still enjoy the advantages of using HSMs. Some vendors (such as Thales and Amazon Web Services) now offer cloud-based HSM products and services.
There are a few different options when it comes to using cloud HSMs:
The idea here is that, rather than having to buy an expensive physical appliance that you need to protect on site, you can instead rent a dedicated physical appliance or pay for access to the functionalities of one controlled by a third-party vendor for less cost.
As you can imagine, there are advantages and disadvantages to each approach, but you're ultimately the one who needs to decide which approach is best for your organization or business. Just be sure to carefully read the service level agreement (SLA) to ensure they're what you need.
Of course, there is a way you can have your cake and eat it, too, meaning that you can use an HSM without having to buy or rent one. This is possible when you partner with a managed PKI (mPKI) service provider. For example, DigiCert is an mPKI provider whose platform was built using an HSM. When you use their platform, you can capitalize on their secure HSM on the backend without having to buy or rent this expensive hardware.
If you think that an HSM sounds a lot like a trusted platform module, or TPM, there are a couple good reasons.
But are these two devices the same? No. TPMs are device-specific components within individual devices, whereas HSMs are external devices with wider applications that handle operations relating to many or all devices and applications across an organization's network.
TPMs are basically computer chips that physically attach to individual devices' motherboards to secure their PKI keys while keeping them separate from the device's CPU memory. They help to ensure device integrity and provide an isolated environment for the device's cryptographic operations.
HSMs, on the other hand, are hardware devices that aren't limited to individual machines. They're intended for use at scale by applications and servers across your organization.
To learn more about what trusted platform modules are and how they work, be sure to check out our other article relating to that specific topic.
The National Institute of Standards and Technology (NIST) Special Publication "Recommendation for Key Management: Part 2 - Best Practices for Key Management Organizations" (SP-800-57 part 2, rev 1) describes hardware security modules as critical key management components. They're part of the physical infrastructure that makes secure key storage and cryptographic operations possible.
HSMs are used by organizations across virtually all industries, some of which include:
That's quite a spread in terms of industries, am I right? This variation is, in part, due to the fact that hardware security modules come in two main varieties (which we'll explore momentarily) for organizations' various usages.
Hardware security modules are typically used for securely storing cryptographic keys and payment-related information. However, their uses span the gamut in terms of current and future applications. Here are some of the ways you'll currently find HSMs in use globally:
When we talk about HSMs here at Hashed Out, we're typically talking about general purpose HSMs. However, it's important to note that this isn't the only category of HSMs: Thales Group describes a second category of HSM devices as "Payment HSMs." Now that we know what HSMs are and some of their applications, let's explore the two types of HSMs a bit more in depth.
General purpose HSMs are those that all types of organizations use as part of their organization's overall cyber security. These are like the devices we described in the "What Is a Hardware Security Module (HSM)?" section near the beginning of the article.
These devices typically use vendor-neutral APIs to facilitate communication and cryptographic services for your applications. That's because general purpose HSMs rely on the Public Key Cryptography Standards #11 (PKCS#11), which are a group of standards that outline how applications and HSMs can interact and communicate for cryptographic operations. (This enables interoperability between applications and devices from various manufacturers.)
They also must meet geographic or industry security validation and trustworthiness requirements and standards such as:
As you can probably guess from the name, this second category of HSMs focuses on the payment industry and is more specialized. Like general purpose HSMs, payment HSMs are also tamper-resistant hardware components that enable businesses to store and protect keys and data. However, these keys relate to financial applications and transactions and do jobs such as storing customer PINs
Payment HSMs are designed to meet many different standards and use various interfaces. They also require different protocols and certifications from their general purpose HSM counterparts, some of which include the Payment Card Industry PTS Hardware Security Module (PCI PTS HSM) Modular Security Requirements and FIPS 140-2 validation requirements (level 3 or higher), and various regional security requirements.
For the purpose of this article, we're primarily focusing on general purpose HSM functionalities, so we're not going to get into the nitty-gritty of payment HSMs here. However, we've put together a quick side-by-side comparison table to help you better understand the differences between the two types of hardware security modules:
We touched on some of the uses of general purpose HSMs within organizational environments. Now, let's explore some practical applications.
A hardware security module provides the foundational security and trust your PKI needs. This is why it should be part of your organization's public key infrastructure from the get-go and not just added later on. (Technically, you can add an HSM to your private PKI architecture later; however, it does require a lot of extra work and configurations that you can avoid by making the device part of your initial PKI.)
HSMs allow you to store your organization's cryptographic keys and create the PKI certificates that are necessary to enable user, device and software authentication. Furthermore, the authentication processes themselves can occur within the HSM's internal environment. This keeps the keys secure by not requiring them to be accessed directly, copied or moved.
You can use your hardware security module for cryptographic offloading (such as for SSL/TLS). The purpose of SSL/TLS offloading is to ease the burden on your web server that stems from encrypting and decrypting traffic by shifting those functions to another device (such as a load balancer).
If you opt to store your private keys in an HSM instead of your web server, you can shift the cryptographic functions relating to that traffic to your HSM.
The Open Web Application Security Project's (OWASP) Key Management Cheat Sheet specifies that if you choose to secure your cryptographic keys offline or in devices such as HSMs, you should encrypt them using key encryption keys, or KEKs.
If you want to avoid the costs and responsibilities associated with in-house management of an HSM for your private PKI, then choose an mPKI provider whose platform was built using an HSM. Doing this enables your authorized users to use your organization's HSM-stored keys remotely without accessing or touching the keys. For example, users can sign EV code signing certificates without the necessary risk of keeping individual tokens on hand that could get lost or stolen.
While HSMs are great security tools, they require you to take steps to keep them (and the keys they contain) secure. This includes physical security measures as well as digital access.
The first aspect entails keeping your hardware security modules stored in secure physical locations (such as a secure data center or server room). Your HSM should never be stored in an open or insecure location where unauthorized individuals can access it.
HSMs require strong access controls, policies and processes to keep your cryptographic keys secure and ensure that only authorized users can use them. This way, no unauthorized employees or nefarious external parties (i.e., cybercriminals) can use your cryptographic keys against you to digitally sign data, applications, or certificates.
Also be sure to monitor your HSM event logs. This way, you know who tries to access or use your cryptographic keys and how they used them.
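An added example (not from the original article) of the log review described above: it parses HSM audit events and flags key use by principals outside an allowlist, key export attempts, and repeated failed logins. The key=value log format, user names, key labels, IP addresses and allowlist policy are assumptions constructed for illustration, not any vendor's format.

```python
import re
from collections import Counter

# Constructed sample lines in a hypothetical key=value audit format
# (not any vendor's real log format; users, key labels and IPs are made up).
SAMPLE_LOG = """\
2021-06-01T02:14:07Z user=ci-signer op=LOGIN key=- result=OK src=10.0.4.12
2021-06-01T02:14:09Z user=ci-signer op=SIGN key=codesign-2021 result=OK src=10.0.4.12
2021-06-01T03:01:44Z user=jdoe op=LOGIN key=- result=FAIL src=10.0.9.77
2021-06-01T03:01:51Z user=jdoe op=LOGIN key=- result=FAIL src=10.0.9.77
2021-06-01T03:02:02Z user=jdoe op=LOGIN key=- result=FAIL src=10.0.9.77
2021-06-01T03:05:30Z user=webapp op=SIGN key=codesign-2021 result=DENIED src=10.0.7.3
2021-06-01T03:09:12Z user=ca-admin op=EXPORT key=issuing-ca result=DENIED src=10.0.2.5
2021-06-01T04:00:00Z user=webapp op=DECRYPT key=tls-web result=OK src=10.0.7.3
this line is truncated user=
"""

# Assumed policy: which principals may use which key label.
KEY_ALLOWLIST = {
    "codesign-2021": {"ci-signer"},
    "issuing-ca": {"ca-admin"},
    "tls-web": {"webapp"},
}
KEY_OPS = {"SIGN", "DECRYPT", "ENCRYPT", "UNWRAP"}
EXPORT_OPS = {"EXPORT", "WRAP"}  # operations that move key material out of the device
FAILED_LOGIN_THRESHOLD = 3

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) op=(?P<op>\S+) "
    r"key=(?P<key>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Return (events, unparsed). Malformed lines are kept, never silently dropped."""
    events, unparsed = [], []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
        else:
            unparsed.append(line)
    return events, unparsed


def triage(log_text):
    """Return a list of (rule, user, detail) findings for an analyst to review."""
    events, unparsed = parse(log_text)
    findings, failed_logins = [], Counter()
    for e in events:
        detail = f"{e['op']} {e['key']} result={e['result']}"
        if e["op"] == "LOGIN":
            if e["result"] == "FAIL":
                failed_logins[(e["user"], e["src"])] += 1
        elif e["op"] in EXPORT_OPS:
            # Flag every attempt, allowed or denied: keys should not leave the HSM.
            findings.append(("key-export-attempt", e["user"], detail))
        elif e["op"] in KEY_OPS and e["user"] not in KEY_ALLOWLIST.get(e["key"], set()):
            # A denied attempt is still a signal that someone tried to use the key.
            findings.append(("unauthorized-key-use", e["user"], detail))
    for (user, src), count in failed_logins.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            findings.append(("repeated-login-failure", user, f"{count} failures from {src}"))
    for line in unparsed:
        # Unparseable audit lines can indicate truncation or tampering.
        findings.append(("unparsed-line", "-", line))
    return findings


if __name__ == "__main__":
    for rule, user, detail in triage(SAMPLE_LOG):
        print(f"{rule:24} {user:10} {detail}")
```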
Read more here:
What Is a Hardware Security Module? HSMs Explained - Hashed Out by The SSL Store