Implementing and Using Hardware Security Modules

Posted by Fuel HQ on Nov 2, 2018 5:13:22 PM


The Online Trust Alliance (OTA) named 2017 “the worst year ever in data breaches and cyber incidents around the world.” In fact, OTA’s Cyber Incident & Breach Trends Report found that there were almost 160,000 cyber incidents targeting businesses in 2017. Because many cyber incidents are not reported, the firm estimated the actual number could be closer to 350,000. With such a high number of incidents, businesses should be looking at various security options. One such option is a hardware security module (HSM).

What is an HSM?

An HSM is a specialized, tamper-resistant hardware device equipped with crypto-processing that allows a user to manage and protect their sensitive data. HSMs are physical devices that usually come in the form of a plug-in card or an external device that attaches directly to a computer. “The idea of an HSM is to provide extra security for sensitive data,” said Vik Davar, director of technical business development at Palo Alto Networks, in a recent Fuel webinar. “This type of device is used to provision, store and protect cryptographic keys for critical crypto functions such as encryption, decryption, and authentication for the use of applications, identities and databases.”

Why use HSMs?

The National Institute of Standards and Technology (NIST) has developed standards for cryptographic security modules, which define four increasing qualitative levels of security. According to Davar, HSMs meet the highest NIST validation levels. He also notes that many HSMs can run protected code within the HSM, which protects against advanced persistent threats, insider attacks and hacking. Additionally, because an HSM generates a key in the hardware and that key doesn’t leave the device, use of the key is easy to track, so companies know exactly who used it and when it has been used.

Moving Forward

HSMs are effective at segmenting important data and storing it safely. In fact, some believe that HSMs would have prevented the Stuxnet worm and the Heartbleed bug. The Heartbleed bug occurred in April 2017 and exposed a vulnerability in the popular OpenSSL cryptographic software library, allowing a hacker to scrape SSL keys from the compromised server. Meanwhile, if the encryption key had been stored in an HSM instead of in software, the world might not have heard of Stuxnet.

The majority of cybersecurity teams are using HSMs, but there are still a surprising number of businesses that could benefit from them. In its 2018 Global Encryption Trends Study, Thales found that 57 percent of IT and security practitioners worldwide in 2017 considered HSMs to be important or very important to their encryption or key management program or activities. The survey found that companies had different reasons for deploying HSMs. For example, 43 percent deployed HSMs for SSL/TLS, while 41 percent deployed them for application-level encryption.

Regardless of why they are deployed, HSMs offer significant upside for companies looking for extra protection and wanting to avoid costly data breaches.

Interested in learning more about HSMs? Check out this recent Fuel webinar, “Protecting the Interconnected Organization.”
