Last updated: 11 February 2019
All HSMs, whether on-premises or cloud based, should meet basic requirements, such as:
● Secure storage of cryptographic material
● Secure cryptographic execution (key generation, management etc.)
● Strong separation of duties
● Strong segregation of logical data and credentials, especially in multi-tenant deployments
● Certified physical and logical security mechanisms
● Mechanisms for event logging and audit reporting
● Secure APIs to access the HSM (PKCS#11, RESTful and others)
But not all HSMs are created equal. They offer different levels of functionality, security, ease of use, etc., all of which can have a knock-on effect on your total cost of ownership (TCO).
Here are some of the features you may want to put high on your priority list:
Security: Certifications such as FIPS 140 and Common Criteria are the easiest way to spot-check the security of a device. However, remember that although a certification means the hardware meets specific criteria, it does not by itself guarantee security.
Consider the reputation of the HSM vendor and its customers, and their focus on physical and logical security as well as certifications such as ISO27001 and SOC2.
Geographic Location: Compliance requirements may dictate where data can reside, and how that data can be shared, even within an organization.
Crypto Agility: Industry-standard algorithms are generally recommended over proprietary ones, but some use cases mandate the use of specific algorithms or algorithm families. Standards organizations such as NIST and ANSI, and industry bodies such as GSMA and ETSI, may specify particular algorithms or interfaces. Talk to your vendor about their support for future developments such as quantum computing.
Random Number Generation (RNG): The use of certified random number generators can be a factor for compliance with certain regulations or requirements, so check that the vendor uses an approved or certified process.
Key Backup: Key material should only be backed up to an environment that provides at least the same security level as the HSM itself. The ability to manage remote backups or replication of key material is also an important factor.
User Interface: Most HSM administration is done via the command line, although “crypto management” interfaces are often also available to facilitate these activities. This requires a familiarity with HSMs that most organizations do not have; even large organizations with on-site HSM teams managing their existing appliances may choose not to expand that capacity when their requirements change.
Application Integration: Choose a vendor with multiple proven integrations that will serve you well into the future as your IT operations grow and compliance requirements change.
Automation: Beyond building the HSM infrastructure, smooth deployment and ongoing management of the solution benefit from a service that automates at least some of the processes, such as deploying and integrating the clients and managing ongoing updates.
Key migration: The ability to transfer existing keys into the new environment is important in maintaining continuity of service for your applications. Some HSMs can provide simple migration capabilities today.
Beyond these technical “must haves”, you may also find it beneficial to consider the application or use case the HSM will serve. On-premises HSMs are better suited to high-volume transactional requirements, where the latency of the cloud could constrain performance and response times. However, the majority of use cases for most businesses should be able to benefit from cloud-based HSM services.
That said, one of the most critical decision criteria is certainly the availability of funding for the solution and its cost. Over the past two years Gemalto has seen that organizations find it increasingly important to look at long-term TCO and balance that against up-front investment. For many smaller businesses, or even department- or project-oriented requirements, budget availability can be a highly significant factor in selecting the appropriate solution. This can also apply to large organizations such as tier-1 banks, which, although they have on-site expertise to manage their existing HSMs, may consider expanding their options through cloud-based HSM services in order to take advantage of the benefits of a cloud service.
Gemalto is the leading provider of general purpose hardware security modules (HSMs) worldwide. Our SafeNet HSM product family represents the highest-performing, most secure, and easiest-to-integrate HSM solution available on the market today. And now, together with SafeNet Data Protection On Demand, a cloud-based as-a-service offering, it gives you a choice of the best HSMs on the market: in the cloud, on premises, or as a hybrid combination.
To find out more about how to choose the right option for your organization’s crypto security, download the latest white paper: On-Premises HSM vs cloud-based HSM using SafeNet Data Protection On Demand: A TCO Comparison.