Let's answer first why ? Why a HSM should be used?
We all know security has sort of become a myth. Specially in today's interconnected, big data, cloud crazy world. The questions is How to secure data ? documents ? keys? passwords?
Very sensitive applications have to protect several different forms of data and in some industries (banking, health, complaint heavy ones) we absolutely can not overlook the possibility of security compromises.
Solutions with various encryption technologies came up when the field of security was burgeoning but they were only safe as long as the keys are safe . How do you keep the keys safe? Store your software key in some software? NAAA!! that won't work.
Store them in tapes like Millitary ? NAAA!! that won't work
Store them in a tamper proof hardware with multiple level of authentications? May be !! atleast to some extent!
That's where Hardware Security Module HSM comes into play (added bonus it can help you clear your industry's security compliance needs )
Now that we know why ( and there are more use cases here if you still need more reasons) the nest question is what to look for in an HSM?
Lets list the technical factors that might help :-
We all know security has sort of become a myth. Specially in today's interconnected, big data, cloud crazy world. The questions is How to secure data ? documents ? keys? passwords?
Very sensitive applications have to protect several different forms of data and in some industries (banking, health, complaint heavy ones) we absolutely can not overlook the possibility of security compromises.
Solutions with various encryption technologies came up when the field of security was burgeoning but they were only safe as long as the keys are safe . How do you keep the keys safe? Store your software key in some software? NAAA!! that won't work.
Store them in tapes like Millitary ? NAAA!! that won't work
Store them in a tamper proof hardware with multiple level of authentications? May be !! atleast to some extent!
That's where Hardware Security Module HSM comes into play (added bonus it can help you clear your industry's security compliance needs )
Now that we know why ( and there are more use cases here if you still need more reasons) the nest question is what to look for in an HSM?
Lets list the technical factors that might help :-
- Performance - encryption/decryption/key generation/signing, symmetric, asymmetric, decide based on your application needs
- Redundancy - consider the failover cases, how often can it happen? How easy is it to replace it? Assess the impact of it on your operations and have a plan in place and in case that happens or look for a more robust one. Dual NIC or not , down time e.t.c are questions to be asked.
- Backups - No matter how robust HSM is you can not afford to not think about backups because of the very real possibility of loosing access to your data forever. Consider how easy it is to backup your data (in a secure way ofcourse) , restore your data in HSM.
- Scalability - Most HSMs have limit on slots available, number of keys you can stores, number of users you can add e.t.c e.t.c Have the scale in mind. What if you need to scale up or down ( for cost cutting)
- Procedures - Lets face it .. using HSM is not gonna make things simple .. its gonna make them more complex. The real cost of using HSM is felt in operations because of the complexity that is introduced.A good HSM will come with a detailed usage manual which describes how things should be done to make sure its used correclty. It's not the hardware which matters, but how you use it. So consider APIs, Device management options , customer support , policy level controls , configuration options e.t.c
- Physical/Logical Security - Ofcourse all HSMs should be able to tackle physical or logical hacking in to the hardware/software of HSM. Most HSMs as a result have tamper proof cases, hardcase , multiple level of authentications and "wipe everyhting" attitude for intrusion attacks.
- Complaince - If you have any compliance requirements make sure HSM supports it.
