Hardware Security Modules (HSMs) have been the standard for encryption for the last 20 years. But with the emergence of computing that spans on-prem, cloud and edge environments, there has been a shift away from physical, on-premises HSMs to software-based key management systems. With that said, are HSMs still relevant? Is an HSM best for an organization’s current data protection needs? Unfortunately, there is no simple answer – it depends entirely on the actual use case and requirements.
On the one hand, HSMs provide excellent security for sensitive data. They are dedicated data encryption resources: self-contained, tamper-resistant servers, specifically for cryptographic processing, which can be physically locked down and set up to destroy all keys in the event of a security breach. In many cases, keys can’t be removed from an HSM, and it is for this reason that certain industries are legally obligated to use them. Since HSMs are deployed as an on-premises, rack-mounted solution, and generally involve significant complexity and professional services to deploy, they have historically served regulated, on-premises, enterprise environments, such as financial services and healthcare.
On the other hand, HSMs can be complicated, difficult to set up, and costly. As physical units, they require shipping, installation, and configuration. If an HSM breaks down, it must be replaced and go through the same setup routine, leaving organizations vulnerable unless redundant, highly available systems have been put in place. All of this costs money, time and energy. There is also the challenge of adaptability. As a physical unit, an HSM is what it is: when organizations take it out of the box, it has a fixed amount of memory and can perform only a limited number of tasks and transactions. The only way to go beyond the out-of-box specs is to purchase more of the same hardware or undertake a full hardware upgrade. Finally, new encryption workloads, such as those that are cloud native, have made HSMs somewhat outdated.
The bottom line is that HSMs fit some organizational needs, and not others. StorMagic SvKMS can satisfy a range of key management needs from cloud deployments, to hybrid on-premises/cloud, and even integrating with and extending the capabilities of HSMs.
StorMagic SvKMS solves many of the problems associated with traditional HSMs. As a software platform, it can be deployed in many environments, and it is both adaptable and easy to scale. SvKMS can be embedded in different hardware platforms, such as switches, network interface cards and IoT devices. By embedding SvKMS into a device, customers receive the benefits of an HSM without the overhead that typically accompanies it. Moreover, SvKMS can be used for hundreds to thousands of use cases at once, as opposed to the limited functionality of HSMs that may be dedicated to one use case. An approach like this equates to future-proofing an organization’s key management strategy, ensuring they are ready for the next key management use case that requires the powerful data protection that encryption enables.
If an organization is obligated to use a traditional HSM, SvKMS supports integration with popular vendors, including nCipher, Thales and Utimaco. Running SvKMS in tandem with an HSM extends the key protection functionality of the HSM, by allowing SvKMS to protect its keys with the “root” keys on the HSM. This added level of assurance is ideal for highly regulated industries that may need the compliance level of FIPS 140-2 Level 3, yet also want the flexibility and scalability that comes from the robust key management functions available in SvKMS.
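The hybrid arrangement described above, in which the software key manager's keys are protected by a root key that stays inside the HSM, is a two-tier key hierarchy: the HSM holds a non-exportable key-encryption key, and the software layer holds its own keys only in wrapped form. The Go program below is an added illustration and is not SvKMS code or any HSM vendor's API. It assumes that "protect its keys with the root keys" means wrapping each software-managed key under the HSM root key, simulates the HSM with an in-process type (`SimulatedHSM`) that exposes nothing but `Wrap` and `Unwrap`, and uses AES-256-GCM with the key identifier as associated data; a real deployment would reach the HSM through PKCS#11 or a vendor client instead. All type names, the key identifier and the sample record are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// randomBytes returns n bytes from the OS CSPRNG.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aeadFor builds AES-256-GCM for a 32-byte key; keys are always generated at that size here, so an error is a bug.
func aeadFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// seal encrypts pt under key with a fresh nonce prefixed to the output; aad is authenticated only.
func seal(key, aad, pt []byte) []byte {
	g := aeadFor(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, pt, aad)
}

// open reverses seal; any change to blob or aad fails authentication.
func open(key, aad, blob []byte) ([]byte, error) {
	g := aeadFor(key)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("wrapped blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// SimulatedHSM is a hypothetical stand-in for the HSM: the root key never leaves it; only Wrap/Unwrap are exposed.
type SimulatedHSM struct{ rootKey []byte }

// Wrap binds keyID as associated data, so a blob re-filed under another key record fails to unwrap.
func (h *SimulatedHSM) Wrap(keyID string, key []byte) []byte {
	return seal(h.rootKey, []byte(keyID), key)
}

func (h *SimulatedHSM) Unwrap(keyID string, blob []byte) ([]byte, error) {
	return open(h.rootKey, []byte(keyID), blob)
}

// SoftwareKMS models the software key manager: its store holds keys only in wrapped form.
type SoftwareKMS struct {
	hsm     *SimulatedHSM
	wrapped map[string][]byte // keyID -> wrapped key blob (the persisted record)
}

func (k *SoftwareKMS) CreateKey(keyID string) {
	k.wrapped[keyID] = k.hsm.Wrap(keyID, randomBytes(32))
}

// DataKey unwraps one key through the HSM for immediate use; the plaintext key is never
// written back to the store. An unknown keyID yields a nil blob, which Unwrap rejects.
func (k *SoftwareKMS) DataKey(keyID string) ([]byte, error) {
	return k.hsm.Unwrap(keyID, k.wrapped[keyID])
}

// RunScenario encrypts a record under a KMS key, decrypts it again, then corrupts
// that key's wrapped blob at rest and confirms the HSM refuses to unwrap it.
func RunScenario() (roundTrip, tamperDetected bool, err error) {
	kms := &SoftwareKMS{hsm: &SimulatedHSM{rootKey: randomBytes(32)}, wrapped: map[string][]byte{}}
	id := "tenant-a/payments-db"                  // constructed key identifier
	record := []byte("constructed sample record") // constructed input
	kms.CreateKey(id)
	dek, err := kms.DataKey(id)
	if err != nil {
		return
	}
	ct := seal(dek, []byte(id), record)
	pt, err := open(dek, []byte(id), ct)
	roundTrip = err == nil && bytes.Equal(pt, record)
	kms.wrapped[id][len(kms.wrapped[id])-1] ^= 0x01 // one-bit corruption at rest
	_, uerr := kms.DataKey(id)
	tamperDetected = uerr != nil
	return
}

func main() {
	rt, td, err := RunScenario()
	fmt.Printf("round trip: %v, tamper detected: %v, err: %v\n", rt, td, err)
}
```

Two properties of the hybrid design are visible in the code: the software layer's persisted state (`wrapped`) contains nothing usable without the HSM, so a copied database does not expose keys, and any corruption or substitution of a stored blob is rejected at unwrap time rather than silently yielding a wrong key. The same dependency is why the HSM itself needs redundancy or backup in such a setup, since loss of the root key renders every wrapped key unrecoverable.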
Whatever an organization’s data protection requirements — from cloud-based applications, to on-premises datacenters, and out to the edge — HSMs, software-based key managers, and hybrid configurations offer several pros and cons. Figuring out which system is best requires assessing an organization’s needs. For more information on how SvKMS can help meet your data protection goals, check out the product data sheet, or contact us.