Most companies have information that require protection on an extremely high level, such as payment card data, personal information, applications and business critical information. A Hardware Security Module is said to provide the highest security possible, so what is a Hardware Security Module, what does it do and how is it used?
What is an HSM?
HSM stands for Hardware Security Module, and is an incredibly secure physical device specifically designed and used for crypto processing and strong authentication. It can encrypt, decrypt, create, store and manage digital keys, and be used for signing and authentication. The purpose is to safeguard and protect sensitive data.
Why do you need a Hardware Security Module?
There are several reasons but the main one is security, and security on all levels. In industries like the payment industry where you handle card data, this data has to be encrypted in order to comply with PCI DSS. A Hardware Security Module is then best practice and a must. However, from a purely technological perspective, an HSM is incredibly safe. The hardware is to a large extent tamper proof. You cannot break into it, and it will detect and alarm when there is something wrong. If an HSM is stolen and gets switched off, the cryptographic keys will be removed. Thus, it is a secure solution if you need to protect extremely sensitive information.
What are the biggest benefits of using HSM?
It is safe! An HSM protects against hackers and ensures the highest level of security of sensitive data. It also demonstrates trustworthiness and that you take security seriously, which is important when you want to achieve a PCI DSS certification.
You can compare the security level of an HSM to that of a chip that you can find on a debit or credit card. The chip is hardware and signing occurs inside the chip itself. You cannot physically break into the chip. A HSM works in the same way, it is almost impossible to tamper with an HSM.
Can’t you just encrypt and decrypt without using an HSM?
Technically yes, well maybe, but typically this is nothing we recommend, especially to those in industries handling critical information – such as the payment industry. In addition to being best practice to have an HSM to comply with PCI DSS, it is the most secure solution for protecting cryptographic keys and sensitive information.
An HSM is a fairly expensive investment, but in some industries it is a must. For those who don´t want to purchase their own HSM appliance, there are companies who offer HSM as a service – a good alternative for smaller companies.
What security requirements exist for HSMs?
There are strict standards and certification processes for HSMs, this of course due to the critical role they play in securing data. One of the specific security standards is FIPS 140 (Federal Information Processing Standards). The PCI Council has also dedicated a document to HSM, specifying the requirements for the device. Having an HSM signals that you take information security and encryption seriously.
What companies would benefit the most from using a Hardware Security Module?
So far, it has primarily been companies in the payment industry, certification authorities and registration authorities who have had the biggest need to use an HSM. In the payment industry, it has been best practice for companies of all sizes to use an HSM.
When it comes to who would benefit, all organizations that handle extremely sensitive data with a need for high security would benefit from using HSM. What we now see with GDPR and the stricter requirements on safe handling of personal data is that more pressure is being put on companies to ensure that personal data is stored and processed safely. There, an HSM can be a good solution. In the future it may well be that organizations handling personal data will have to comply with similar standards as those who handle card data, thus will have to encrypt personal data and use an HSM.
HSM as a Service
24 Solutions offers HSM as a service, where companies get all the benefits from having an HSM without investing in hardware. Check out our service page to find out more.