What Is A Hardware Security Module? - TechTarget

  • Home
  • Data security and privacy
  • Share this item with your network:
By
  • Elizabeth Davies
  • Cameron McKenzie, TechTarget

What is a hardware security module (HSM)?

A hardware security module (HSM) is a physical device that provides extra security for sensitive data. This type of device is used to provision cryptographic keys for critical functions such as encryption, decryption and authentication for the use of applications, identities and databases.

These devices can be plugin cards or be embedded in other hardware, including smart cards, appliances and other external devices. They can be connected to a network server or used as a standalone device offline. They are also offered as cloud services.

Businesses use HSMs to keep cryptographic functions related to transactions, identities and applications separate from regular operations and to control access to those functions. For example, a company might use an HSM to secure trade secrets or intellectual property by ensuring only authorized individuals can access the HSM to complete a cryptography key transfer.

How do HSMs work?

Securing the keys in a cryptographic system is critical to maintaining a secure system. However, managing the lifecycle of those keys is a challenge. And that's where HSMs come in. They manage all aspects of a cryptography key's lifecycle, including the following six steps:

  1. Provisioning. Keys are created by an HSM, another type of key management system or a third-party organization that does this. A true random number generator should be used to create keys.
  2. Backup and storage. A copy of a keys should be made and securely stored, in case the key is compromised or lost. They can be stored in the HSM or on external media. Private keys must be encrypted before being stored.
  3. Deployment. This involves installing the key in a cryptographic device such as an HSM.
  4. Management. Keys are controlled and monitored based on industry standards and an organization's own internal policies. The encryption key management system handles key rotation where new keys are deployed as existing keys expire.
  5. Archiving. Decommissioned keys are put in offline, long-term storage for when they may be needed to access existing data that was encrypted with that key.
  6. Disposal. Keys should be securely and permanently destroyed only after it is determined that they are no longer needed.

The hardware security module protects cryptographic keys and handles the encryption and decryption processes.

Diagram of cryptographic key lifecycle
HSMs manage the entire lifecycle of cryptographic keys.

HSMs also can create and verify digital signatures. All access transactions involving an HSM are logged to create an audit trail. The devices enable businesses to move sensitive information and processes from paper documentation to a digital format. Multiple HSMs can be used together to deliver public key management and minimize impact on an application's speed.

Important HSM features

The following are hardware security module features that contribute to their security:

  • Secure design. HSMs use specially designed hardware that adheres to government standards such as Federal Information Processing Standardization (FIPS) 140-2, Common Criteria and the HSM requirements of the Payment Card Industry (PCI).
  • Tamper resistant. HSMs undergo a hardening process to make them resistant to illicit tampering and unintentional damage.
  • Secure operating system. They have a security-focused operating system.
  • Isolated. They are located in a secure physical area of the data center to prevent unauthorized access. Some organizations opt to store their HSMs in a third-party data center, rather than keeping them on site.
  • Access controls. HSMs control access to the devices and the data they protect. They are designed to show signs of tampering; some HSMs become inoperable or delete cryptographic keys if tampering is detected.
  • APIs. HSMs support a range of application programming interfaces (APIs) that enable application integration and the development of custom applications, including the Public-Key Cryptography Standard and Cryptography API Next Generation.

How are HSMs used?

Any business that handles valuable or sensitive information should consider using a hardware security module. That type of information includes credit or debit card data, intellectual property, customer data and employee information.

HSMs secure data generated by a range of applications, including the following:

  • websites
  • banking
  • mobile payments
  • cryptocurrencies
  • smart meters
  • medical devices
  • identity cards and personal identification numbers (PINs)
  • digital documents

These devices are also used for several purposes, including digital signing, key generation and management, ensuring compliance, simplifying audits, and securing data and digital identities.

The PCI uses specialized HSMs that provide the added security features required for financial transactions. The applications these devices support include PIN management; provision of payment card and mobile app credentials; and verification capabilities for PINs, payment cards and other functions.

diagram of the digital signature process
Digital signatures are created using a private key to encrypt the signature. The recipient uses the signer's public key to decrypt the signature,

Cloud computing and HSMs

The advent of cloud computing has complicated the process of securing sensitive data, as more of it has moved to the cloud. On-premises HSM devices cannot always be used in cloud environments. Cloud service providers can require customers to use HSMs hosted in their data centers. If a provider allows the use a device on premises, connectivity issues can introduce unwanted latency into the system.

Cloud vendors initially provided their own key management services. However, those weren't always usable across hybrid cloud and multi-cloud environments. Customers were left having to deal with the complexities of multiple key management tools to accommodate their hybrid and multi-cloud strategies.

Key management as a service (KMaaS) has emerged as a way to secure encryption keys across different cloud environments. These services offer centralized, on-demand HSM-level tools without the need to provision hardware. As a business expands and diversifies the cloud services it uses, it can turn to the same KMaaS to deploy and manage the encryption keys it needs across various cloud vendors' services.

KMaaS products adhere to the same standards as on-premises HSMs and support a variety of APIs. With these systems, encryption key management functions take place at a digital edge node, minimizing latency and improving application performance.

AWS, Google, IBM and Microsoft all offer cloud KMaaS products, along with smaller companies such as Entrust and Thales.

Data security and privacy compliance

Hardware security modules are at the center of data security and privacy issues. Because of this, they are under increased scrutiny, as business and other organizations face increasing threats in these areas. More specialized HSMs must comply with a range of standards and regulations, including the following:

  • European Union's General Data Protection Regulation;
  • PCI Data Security Standard;
  • Domain Name System Security Extentions;
  • FIPS 140-2; and
  • Common Criteria.

The takeaway

Hardware security modules are a central piece of data security in the enterprise. They provide the centralized key generation, management and storage businesses need, as well as authentication and digital signing capabilities. HSM technology has proven to have the flexibility needed to keep up with the move to the cloud and the increasing threat environment organizations face today.

Learn more about all aspects of data protection and compliance in our comprehensive guide to data security.

This was last updated in July 2021

Continue Reading About hardware security module (HSM)

  • Which is safer: An HSM appliance or a virtual appliance?
  • CloudHSM offers premium level of cloud security
  • Use modern cloud security best practices
  • Symmetric vs. asymmetric encryption: Decipher the differences
  • Operational best practices for encryption key management

Related Terms

What is email spam and how to fight it? Email spam, also known as 'junk email,' refers to unsolicited email messages, usually sent in bulk to a large list of recipients.... See complete definition What is SSH (Secure Shell) and How Does It Work? SSH (Secure Shell or Secure Socket Shell) is a network protocol that gives users -- particularly systems administrators -- a ... See complete definition What is threat detection and response (TDR)? Complete guide Threat detection and response (TDR) is the process of recognizing potential cyberthreats and reacting to them before harm can be ... See complete definition

Dig Deeper on Data security and privacy

  • What is machine identity management?
    SeanKerner By: Sean Kerner
  • Cloud security: Finding the right provider to protect your data
  • Progress OpenEdge widens & deepens developer infrastructure services
    AdrianBridgwater By: Adrian Bridgwater
  • encryption key management
    RahulAwati By: Rahul Awati
Sponsored News
  • What to Look for in a Server Vendor in 2024 –Dell Technologies and Intel
  • Best Practices: Preparing for the Inevitable Healthcare Cyberattack –Commvault + Microsoft
  • See More
Vendor Resources
  • Square deploys Entrust nShield HSMs to fight cyber attackers on its own terms –Entrust, Inc.
  • HSMs: A Critical Component of an Enterprise’s Cybersecurity Strategy –Entrust, Inc.
Latest TechTarget resources
  • Networking
  • CIO
  • Enterprise Desktop
  • Cloud Computing
  • Computer Weekly
Search Networking
  • 14 common network protocols and their functions explained

    Networking makes the internet work, but neither can succeed without protocols. Common network protocols and their functions are ...

  • 5 principles of change management in networking

    Network change management includes five principles, including risk analysis and peer review. These best practices can help ...

  • A guide to Li-Fi technology

    Li-Fi is an emerging wireless technology that uses visible light to transmit data instead of radio frequencies. Though still ...

Search CIO
  • Quantum computing technology pushes for IT advantage

    Tech and funding issues remain. But work on error handling, an expanding software stack and the growth of quantum ecosystems are ...

  • CHIPS and Science Act funds TSMC, Intel projects

    President Joe Biden finalized CHIPS and Science Act funding for TSMC and Intel, although at a lesser amount for Intel than its ...

  • How to create an IT succession plan for key tech roles

    IT departments should view succession planning as an ongoing component of their strategy rather than an afterthought. Our free ...

Search Enterprise Desktop
  • How to choose between Windows 10 IoT and Linux

    Choosing between Windows IoT and Linux for IoT device management might seem like an obvious choice, but six core factors could ...

  • How to create a custom Windows 11 ISO file

    With a custom Windows 11 ISO file, IT departments can streamline deployment and apply new version of Windows to repair OS ...

  • How to make the most of Windows Autopatch with Intune

    IT administrators can use Intune to manage numerous settings related to Windows OSes and business apps. The Windows Autopatch ...

Cloud Computing
  • A conference guide to AWS re:Invent 2024

    Explore the latest news, product releases and technology updates, as well as analysis and expert advice from AWS re:Invent 2024 ...

  • 12-step checklist for cloud migration success

    Ready to move your on-premises apps to the cloud? From rehosting vs. redesigning to testing and monitoring, follow these key ...

  • Microsoft Launches Azure Local for Hybrid Cloud, edge uses

    Along with Azure Local, Microsoft launched a migration tool for enterprises that want to ditch their VMware by Broadcom VMs.

ComputerWeekly.com
  • Fierce competition and consolidation causing FTTP altnets to struggle

    Survey finds that with the accelerated fibre roll-out by UK broadband majors, UK’s individual suppliers face significant ...

  • Stage is set for legal battles over Big Tech dominance

    Having lost its case to drop a £7bn collective claim, Google is facing increased legal scrutiny on a number of fronts over its ...

  • Nokia and Du deliver successful transport network slicing trial

    Further expansion of advanced wireless across the Middle East sees leading UAE operator test standalone network to gain benefits ...

Close

Từ khóa » Hsm Flow