An HSM (Hardware Security Module) is a device specially designed for safeguarding digital keys.
Data security is a comprehensive topic that is becoming increasingly important to organizations, regardless of their size and business focus, following the announcement and imminent implementation of the GDPR (General Data Protection Regulation). There is no wand for companies to wield and magically comply with the new regulation; however, according to recommendations given by the GDPR’s creators, encryption appears to be the simplest method for meeting a large part of the regulatory requirements and establishing data security.
GDPR guidelines repeatedly highlight encryption as an example of good practice, and it is the only technology, alongside pseudonymisation and strong authentication, specifically mentioned in the regulation. However, encryption is never described as mandatory, more as a guideline, though it should come as no surprise that the first question any competent agency will ask when data theft occurs is: “Why wasn’t this information encrypted?” Why is data encryption essential? Because even if the data is stolen, it remains unreadable and cannot be used.
Encryption is a complex issue, depending on the type of data being encrypted (at rest or in motion, structured or unstructured, etc.). We have already covered some of these topics on our blog; however, we should note that encryption itself is not an overly complex requirement, because it is often implemented by checking a single option in a menu. What you should pay extra attention to is how to properly manage the encryption process, i.e. the digital keys used to encrypt the data.
One of the prerequisites is to safeguard the keys themselves, and an HSM does exactly that by performing all cryptographic operations and storing all relevant keys on the device itself. This ensures that the keys never leave the HSM. The hardware is specially designed to protect the keys and its internal storage from any method of theft, and, if tampering is detected, can destroy all sensitive cryptographic material before the worst happens.
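As an added example (not code from the original post or from any HSM vendor), the following Java program shows what "the keys never leave the HSM" looks like from the application's side: through the standard PKCS#11 interface the keystore hands back only a handle to the on-device key, the provider returns null from getEncoded() because the key is non-extractable, and the signing operation is executed on the device. The config file path, key alias and PIN are placeholder assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;

public class HsmSignDemo {
    // ASSUMPTION (placeholder): a SunPKCS11 config file pointing at the HSM
    // vendor's PKCS#11 library, for example:
    //   name = MyHsm
    //   library = /path/to/vendor-pkcs11.so
    //   slot = 0
    static final String PKCS11_CONFIG = "/etc/hsm/pkcs11.cfg";
    static final String KEY_ALIAS = "gdpr-signing-key";    // placeholder alias
    static final char[] USER_PIN = "CHANGE-ME".toCharArray(); // placeholder PIN

    public static void main(String[] args) throws Exception {
        // Load the PKCS#11 provider; every crypto call routed through it
        // is executed inside the HSM rather than in this JVM.
        Provider hsm = Security.getProvider("SunPKCS11").configure(PKCS11_CONFIG);
        Security.addProvider(hsm);

        // A PKCS11 keystore contains references (handles) to keys that live
        // on the token; no input stream is needed because nothing is read
        // from the file system.
        KeyStore ks = KeyStore.getInstance("PKCS11", hsm);
        ks.load(null, USER_PIN);
        PrivateKey key = (PrivateKey) ks.getKey(KEY_ALIAS, USER_PIN);

        // For a sensitive, non-extractable key the provider cannot serialise
        // the private material, so getEncoded() returns null. Checking this
        // at runtime confirms the key really is HSM-resident.
        if (key.getEncoded() != null) {
            throw new IllegalStateException(
                "private key is extractable; expected an HSM-resident key");
        }

        // The signature is computed on the device; the application only ever
        // sees the input it supplied and the resulting signature bytes.
        Signature sig = Signature.getInstance("SHA256withRSA", hsm);
        sig.initSign(key);
        sig.update("personal data record".getBytes(StandardCharsets.UTF_8));
        byte[] signature = sig.sign();
        System.out.println("signature length: " + signature.length + " bytes");
    }
}
```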
One interesting development is that the recently discovered Spectre and Meltdown bugs pose a significant new risk for digital keys stored in software solutions and on “general-purpose” servers. Apart from the fact that the attack surface of such devices is incomparably larger than that of an HSM, some vulnerabilities have been present for many years without being discovered, which raises the question: was someone already aware of these exploits and using them before they were published? One such case happened a few years ago and was known as the Heartbleed bug: a serious vulnerability in the popular OpenSSL cryptographic library made it possible to steal private keys from the memory of seemingly protected servers. Keeping your private keys in an HSM drastically reduces the ability of attackers to decrypt all SSL sessions, because the private key is never present in server memory to be read in the first place.
In addition to safeguarding encryption keys, managing cryptographic operations and supporting regulatory compliance, an HSM can help protect against a number of currently unknown vulnerabilities (such as the examples mentioned above), and thus reduce the administrative work, forensics and critical upgrades needed when they are detected.
For more details, feel free to contact us!