What is a Hardware Security Module (HSM)?

HSMs (hardware security modules) are the cornerstone of enterprise data security. They keep IT infrastructure safe from cyberattacks and breaches and the tremendous costs those entail. That being said, it’s fairly common for people to have questions about what they actually do, or what they even are. After all, if an HSM is doing its job, you shouldn’t have to know every little thing about how it works.

In this post, we’ll do our part to demystify HSMs. We’ll keep the explanations simple and straightforward and provide links to resources that explain them in more detail. So, sit back, relax, and let’s talk HSMs!

Hardware security module (HSM) overview

HSM stands for hardware security module. HSMs are cryptographic devices that serve as physically secure processing environments. In a physically secure environment, you can perform cryptographic operations with the lowest possible risk of cyberattacks or data breaches. The types of cryptographic operations an HSM can perform are usually determined by the manufacturer, and can range from encrypting data to managing the health of cryptographic infrastructure as a whole. If there’s any cryptographic operation you need done, an HSM is the most secure way to do it.

• Encrypting data: payments, applications, databases, etc.
• Creating and managing encryption keys for hundreds of applications
• Issuing digital certificates to authenticate devices, users, websites, and more
• Generating digital signatures to validate messages, software, financial transactions, etc.
• Managing infrastructure with load balancing, monitoring, alerting, and device clustering

If you’ve ever used a software program that does those things, you might wonder how an HSM is any different. While both a hardware security module and a software encryption program use algorithms to encrypt and decrypt data, scrambling and descrambling it, HSMs are built with tamper-resistant and tamper-evident casing that makes physical intrusion attempts near-impossible. This protects your data all the way from the network to the actual server rack.

Physical security and compliance

We’ve mentioned that HSMs use strong physical security features. But the strength and degree of physical security aren’t simply left to the manufacturer's preference.

Instead, there are several national and international regulatory bodies that define strict data security standards. Two of the most common standards are those of the Payment Card Industry (PCI) and the Federal Information Processing Standards (FIPS), the latter of which is developed by the National Institute of Standards and Technology (NIST). PCI defines standards like PCI HSM (for the physical security of HSMs) and PCI PIN (for the security of personal identification numbers). Whereas FIPS 140-2 specifies requirements to be satisfied by cryptographic modules.

To comply with these standards, an organization simply needs to deploy HSMs that are certified under them. For their part, the HSM manufacturer must design their devices to meet the rigorous physical and logical security demands of these standards so as to be validated under them. Some of the tamper-evident categories that these standards require include sensitivity to changes in temperature and electrostatic discharge. Even the epoxy used to encapsulate the HSM card on the circuit board is subject to strict regulation. For example, it must be opaque, hard enough to resist penetration attempts, must show evidence of penetration attempts, and must be adhesive enough to resist any attempt to pry it loose from the circuit board.

Who uses HSMs?

The biggest users of hardware security modules are organizations that need to protect sensitive data. This could include a software developer that wants to encrypt files and applications, a bank that needs to secure mobile payments, or a government organization that must protect personally identifiable information (PII) for private citizens.

Beyond encryption: HSM use cases

Now, we’ve said that HSMs perform encryption. But encryption is just the tip of the iceberg. In reality, HSMs are capable of performing nearly any cryptographic operation an organization would need. As far as encryption goes, there are two main categories: payments and general-purpose. HSMs process payment transaction data and manage the encryption keys involved. They also can be used to issue card and mobile EMV credentials.

Hardware security modules also specialize in key management: logically managing the encryption keys used to encrypt and decrypt data. This involves using algorithms to create encryption keys, distributing those keys to different applications, and setting policies that determine when keys should be retired from use and deleted. Users can also configure HSMs to generate asymmetric key pairs: a public key used to encrypt data and a private key used to decrypt it. They can secure the private key and establish a certificate authority (CA). A CA is a digital entity that can issue and sign digital certificates, which prove that digital objects and users on a network are who they say they are.

In short, hardware security modules can bring about total network security for organizations of any size and scale.

A brief history of hardware security modules

Now that we’ve explained hardware security modules (HSMs) and their functions, you may be surprised to learn that they’ve been around since the early 1970s. At this time, HSMs typically encrypted ATM and PIN pad messages.

How do we know this? Well, to put it simply, we were there.

Not long after the first HSMs were invented, Futurex would enter the cryptographic market itself, supplying cryptographic solutions to enterprise payments organizations. Decades of strident research and development would culminate in the Vectera HSM, the first HSM on the market to offer virtualization.

Virtualization allows users to create completely separate instances of HSMs within the secure environment of the host HSM, multiplying the use you get out a single HSM. We went on to make further contributions to the development of HSMs by combining all of our key management solutions into a powerful all-in-one appliance: the KMES (or Key Management Enterprise Server). In its current form, the KMES Series 3 manages and encrypts keys, creates and manages CAs, and more.

HSMs in the cloud

While many organizations deploy physical hardware security modules on-premises, it is increasingly common to deploy HSMs through a cloud service. Cloud HSMs are based on their physical counterparts, and offer the same levels of functionality and compliance. Cloud HSMs are often deployed and managed from a single web interface, which helps streamline cryptographic infrastructure overall.

Futurex’s VirtuCrypt cloud HSM service uses an OpEx- based licensing model to help organizations reduce the costs associated with deploying HSMs. Cloud HSMs are a great option for both large enterprise looking to streamline and centralize infrastructure as well as small-to-medium organizations that are looking to deploy cryptography for the first time.

The capabilities of cryptography in the cloud extend to the previously mentioned key management, too (at least with our VirtuCrypt platform). VirtuCrypt users can deploy cutting-edge cloud solutions like bring your own keys (BYOK). BYOK allows an organization to retain exclusive access to its encryption keys, making it so that their public cloud service provider cannot access their keys.

A similar use case is external key management (EKM). EKM is similar to BYOK, but involves a third party managing an organization’s keys on its behalf, while still giving that organization exclusive control.

Conclusion

We hope this article has answered your questions about HSMs, what they do, and why organizations need them—or at least made the concept a little less cryptic. If you have any further questions about this post or about cryptography, feel free to contact our subject matter experts.

HSM FAQs