12 Nov

HSM vs vHSM – a retrospective from the field
Just a few years ago I found myself on a large public sector programme where, for the first time in my career, I was testing a Public Key Infrastructure build with a blue-chip Systems Integrator for a Global MPLS Network.
The scale and the ask of the project were huge – the schedules were slipping (before we had even considered the scale of this particular sub-project) and all of a sudden my colleagues and I found ourselves having to quickly get our heads around a global deployment of a new (at the time) elliptic curve, hardware-based Public Key Infrastructure (PKI) solution.
PKI is a framework of cybersecurity and encryption components that sit on a network between a server and the client. A PKI usually has two different cryptographic keys – one public, one private. The public key is normally available to any user that connects to the server, whilst the private key is uniquely generated when a connection is made. The PKI System as a whole works to maintain the Confidentiality and Integrity of the data and information that it protects.
It is generally acknowledged that asymmetric encryption is more secure than symmetric encryption, given that one of the keys is always kept private, although this can come at a cost (the keys are longer, for example, which can contribute to slower encryption speed).
To quote Rumsfeld, “there were many unknown unknowns” at the time of this particular project. Unverified rumours had it at the time that this was the first global deployment of this encryption algorithm of its kind (PRIME), which naturally created a lot of anticipation amongst the programme team. As with anything, fear and uncertainty ultimately lead to programme slippage and unrecovered costs for the supplier.
The physical topography of the network, when combined with a technologically ground-breaking hardware-based encryption standard, brought its own challenges – I remember a particular part of the design taking months to work through various control gates of governance boards due to the physical nature of hardware-borne encryption. We were subjected to a key signing ceremony for the first time, which required certain key members of the customer, their delivery team and the supplier to turn up to a secret data centre in the middle of nowhere early on a Monday morning and witness the generation of the keys in the much-fabled “key signing ceremony”.
The project did eventually deliver: a little over schedule and budget, but a robust and resilient system nonetheless, which is still (to my knowledge) operational today. However, this was in 2015, and since then key encryption technology has developed considerably, especially when it comes to the virtual Hardware Security Module (vHSM).
Fast forward to today and the digital world is expanding more rapidly than ever. With 20 billion networked devices and data anticipated to grow 10x between now and 2025, massive expansion of the information highway, and more cloud connected devices than ever, organisations using traditional HSMs are severely limited in their ability to protect and control their sensitive information and cryptographic keys, given the following limiting factors:
Lack of scalability: Scaling beyond existing HSM capacity requires the purchase of new hardware, which can take weeks or months to deploy (see above).
Limitation of scope: Businesses adopting public cloud services are bound to the provider’s infrastructure and have limited ability to use or control HSMs in those environments.
Lack of speed and agility: Any modification to existing deployed HSMs is lengthy and expensive, and in many cases results in complete hardware replacement.
Managing cryptographic keys consistently in hybrid or on-prem public/private cloud environments is a challenge. When different cloud service providers and on-prem sites are thrown into the mix, along with different key management systems, not to mention the different levels of trust and/or HSM models that can be deployed across the estate (multiple geographic locations, for instance), businesses are often forced to manage keys within silos. This contributes to a fragmented security infrastructure which is undoubtedly insecure, costly and highly inefficient to operate.
Thankfully there are now a number of options to free you from the shackles of traditional hardware-based HSM servers. With our key control solution, you are free to grow in ways that were not possible before, rapidly delivering digital applications with robust and resilient security and privacy built in. By implementing virtual HSM, you gain elasticity and control, agility, scalability and quick responsiveness, all of which are critical for success in the digital era.
We are here to help and offer a free initial consultation with our sales team to help you overcome your hardware invoked PKI hurdles.
We will be at London Google Cloud Next on Thursday 21st November, drop us a line at [email protected] if you would like to catch up!