Security Blog

HSM – What is it and who needs one?

HSM stands for Hardware Security Module: a hardened physical device designed specifically for cryptographic processing and strong authentication. It can encrypt and decrypt data, and create, store and manage digital keys, and it is used for signing and authentication. Its purpose is to safeguard and protect sensitive data.

Why do you need a Hardware Security Module?

There are several reasons, but the main one is security, and security on all levels. In industries like the payment industry, where you handle card data, this data has to be encrypted in order to comply with PCI DSS. A hardware security module is then best practice and a must. From a purely technological perspective, too, an HSM is incredibly safe. The hardware is to a large extent tamper-resistant: you cannot break into it without the device detecting the intrusion and raising an alarm. If an HSM is stolen and gets switched off, the cryptographic keys will be erased. Thus, it is a secure solution if you need to protect extremely sensitive information.

What are the biggest benefits of using an HSM?

It is safe! An HSM protects against attackers and ensures the highest level of security for sensitive data. It also demonstrates trustworthiness and that you take security seriously, which is important when you want to achieve PCI DSS certification.

You can compare the security level of an HSM to that of the chip on a debit or credit card. The chip is hardware, and signing occurs inside the chip itself; the key never leaves it, and you cannot physically break into the chip. An HSM works in the same way: it is almost impossible to tamper with.
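To make the "signing happens inside, the key never comes out" contract concrete, here is an added example that is not part of the original post: a small software model of the interface an HSM exposes to an application. It is not an HSM and protects nothing by itself (the key bytes are still in ordinary process memory); a real device enforces the same contract in hardware, usually behind a PKCS#11 or vendor API. The class and method names (SimulatedHsm, KeyHandle, tamper_event, power_off) are invented for the illustration, and HMAC-SHA256 stands in for the signing algorithm so the example runs with the Python standard library only.

```python
"""
Added example, not from the original post: a software model of the
contract an HSM enforces towards the application.

  * keys are generated inside the boundary; the caller only receives
    an opaque handle, never the key bytes,
  * signing and verification run inside the boundary,
  * export is refused,
  * a tamper event or loss of power zeroizes every key.

All class and method names are invented for this example. HMAC-SHA256
stands in for whatever signature algorithm the device would use.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyHandle:
    """Opaque reference handed to the application. Carries no key material."""
    label: str
    key_id: int


class HsmError(Exception):
    """Raised for anything the device refuses to do."""


class SimulatedHsm:
    def __init__(self) -> None:
        self._keys = {}          # key_id -> bytearray, only used inside the boundary
        self._powered = True
        self._tampered = False

    def _check_state(self) -> None:
        if self._tampered:
            raise HsmError("tamper detected: device locked, keys zeroized")
        if not self._powered:
            raise HsmError("device is powered off")

    def generate_key(self, label: str) -> KeyHandle:
        """Create a 256-bit key inside the boundary and return only a handle."""
        self._check_state()
        key_id = len(self._keys) + 1
        self._keys[key_id] = bytearray(secrets.token_bytes(32))
        return KeyHandle(label, key_id)

    def sign(self, handle: KeyHandle, message: bytes) -> bytes:
        """Compute the MAC inside the boundary; the key never leaves it."""
        self._check_state()
        key = self._keys.get(handle.key_id)
        if key is None:
            raise HsmError("unknown key handle")
        return hmac.new(bytes(key), message, hashlib.sha256).digest()

    def verify(self, handle: KeyHandle, message: bytes, mac: bytes) -> bool:
        """Verify inside the boundary, with a constant-time comparison."""
        return hmac.compare_digest(self.sign(handle, message), mac)

    def export_key(self, handle: KeyHandle) -> bytes:
        """Exporting raw key material is not part of the contract."""
        raise HsmError("key export is not permitted")

    def _zeroize(self) -> None:
        """Overwrite every key buffer, then forget the handles."""
        for buf in self._keys.values():
            for i in range(len(buf)):
                buf[i] = 0
        self._keys.clear()

    def tamper_event(self) -> None:
        self._tampered = True
        self._zeroize()

    def power_off(self) -> None:
        self._powered = False
        self._zeroize()


def demo() -> dict:
    """Walk through the contract and report what the application observed."""
    hsm = SimulatedHsm()
    handle = hsm.generate_key("transaction-mac-key")
    msg = b"constructed sample message: transaction-001"
    mac = hsm.sign(handle, msg)
    result = {
        "handle_has_no_key_bytes": not hasattr(handle, "key"),
        "verify_ok": hsm.verify(handle, msg, mac),
        "verify_tampered_message": hsm.verify(handle, msg + b"x", mac),
    }
    try:
        hsm.export_key(handle)
        result["export_allowed"] = True
    except HsmError:
        result["export_allowed"] = False
    hsm.power_off()            # stolen device loses power: keys are gone
    try:
        hsm.sign(handle, msg)
        result["usable_after_power_off"] = True
    except HsmError:
        result["usable_after_power_off"] = False
    result["keys_left"] = len(hsm._keys)
    return result


if __name__ == "__main__":
    print(demo())
```

The application code in `demo()` only ever holds a `KeyHandle`; everything that touches key bytes is a method of the device model, which is the shape your own code should take when integrating a real HSM: the key identifier travels, the key does not.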

Can’t you just encrypt and decrypt without using an HSM?

Technically yes, but it is not something we recommend, especially to those in industries handling critical information, such as the payment industry. Besides being best practice for PCI DSS compliance, an HSM is the most secure solution for protecting cryptographic keys and sensitive information.

An HSM is a fairly expensive investment, but in some industries it is a must. For those who don't want to purchase their own HSM appliance, there are companies that offer HSM as a service, a good alternative for smaller companies.

What security requirements exist for HSMs?

There are strict standards and certification processes for HSMs, which is only natural given the critical role they play in securing data. One of the specific security standards is FIPS 140 (Federal Information Processing Standards). The PCI Council has also dedicated a document to HSMs, specifying the requirements for the device. Having an HSM signals that you take information security and encryption seriously.

What companies would benefit the most from using an HSM?

So far, it has primarily been companies in the payment industry, certification authorities and registration authorities that have had the greatest need for an HSM. In the payment industry, it has been best practice for companies of all sizes to use an HSM.

When it comes to who would benefit, any organization that handles extremely sensitive data with a need for high security would benefit from using an HSM. What we now see with GDPR and its stricter requirements on the safe handling of personal data is that more pressure is being put on companies to ensure that personal data is stored and processed safely. There, an HSM can be a good solution. In the future it may well be that organizations handling personal data will have to comply with standards similar to those for card data, and thus will have to encrypt personal data and use an HSM.

  • 24 Solutions AB
  • Smedjegatan 2C
  • SE-13154 Nacka, Sweden
  • +46 (0)8 535 24 100
  • info@24solutions.com