What Is a Hardware Security Module | Complete HSM Guide

IT leaders still ask, "What is Hardware Security Module?" when planning zero-trust rollouts. HSMs (hardware security modules) are the cornerstone of enterprise data security. They keep IT infrastructure safe from cyberattacks and breaches and the tremendous costs those entail.

That being said, it's pretty common for people to have questions about what they actually do or even are.

After all, if an HSM is doing its job, you shouldn't have to know every little thing about how it works.

Many security teams start with one question: "What is Hardware Security Module, and why does it matter?" This article answers What is Hardware Security Module in plain language and shows how it protects payments, identities, and cloud workloads.

What Is Hardware Security Module: Quick Definition for CISOs

HSM stands for hardware security module. HSMs are cryptographic devices that serve as physically secure processing environments. In a physically secure environment, you can perform cryptographic operations with the lowest possible risk of cyberattacks or data breaches.

The types of cryptographic operations an HSM can perform are usually determined by the manufacturer and can range from encrypting data to managing the health of cryptographic infrastructure as a whole.

If there's any cryptographic operation you need done, an HSM is the most secure way to do it.

• Encrypting data: payments, applications, databases, etc.
• Creating and managing encryption keys for hundreds of applications
• Issuing digital certificates to authenticate devices, users, websites, and more
• Generating digital signatures to validate messages, software, financial transactions, etc.
• Managing infrastructure with load balancing, monitoring, alerting, and device clustering

If you've ever used a software program that does those things, you might wonder how an HSM is any different.

While hardware security modules and software encryption programs use algorithms to encrypt and decrypt data, scrambling and descrambling it, HSMs are built with tamper-resistant and tamper-evident casing that makes physical intrusion attempts near-impossible.

Physical and logical security for your cryptographic functions protects your data from the network to the actual server rack.

What Is Hardware Security Module in PCI and FIPS Audits

We've mentioned that HSMs use strong physical security features. However, the strength and degree of physical security are not left up to the manufacturer's preference.

Instead, several national and international regulatory bodies define strict data security standards. Two of the most common standards are those of the Payment Card Industry (PCI) and the Federal Information Processing Standards (FIPS), the latter of which is developed by the National Institute of Standards and Technology (NIST).

PCI defines standards like PCI HSM (for the physical security of HSMs) and PCI PIN (for the security of personal identification numbers). Meanwhile, FIPS 140-2 Level 3 specifies the requirements that cryptographic modules must satisfy.

To comply with these standards, an organization simply needs to deploy HSMs that are certified under them. The HSM manufacturer must design its devices to meet the rigorous physical and logical security demands of these standards so that they can be validated under them.

Some of the tamper-evident categories that these standards require include sensitivity to changes in temperature and electrostatic discharge.

Passing a PCI audit starts with answering "What is Hardware Security Module" in the context of tamper-proof design and key custody.

Even the epoxy used to encapsulate the HSM card on the circuit board is subject to strict regulation for opaqueness, tamper evidence, hardness, and adhesion.

Who uses Hardware Security Modules (HSMs)?

Organizations that must protect sensitive data are the most common users of hardware security modules.

This ranges from software developers who want to encrypt files and applications to banks that need to secure mobile payments to government organizations that must protect personally identifiable information (PII) for private citizens.

Hardware Security Module Use Cases

Now, we've said that HSMs perform encryption. But encryption is just the tip of the iceberg.

In reality, HSMs can perform nearly any cryptographic operation an organization would need. As far as encryption goes, there are two main categories: payments and general-purpose.

HSMs process payment transaction data, manage the encryption keys involved, and issue cards and mobile EMV credentials.

Hardware security modules also specialize in key management, which involves logically managing the encryption keys used to encrypt and decrypt data. Key management involves using algorithms to create encryption keys, distributing those keys to different applications, and setting the expiry time limit for when keys should be retired from use and deleted.

Users can also configure HSMs to generate asymmetric key pairs: a public key used to encrypt data and a private key used to decrypt it.

They can secure the private key and establish a certificate authority (CA). A CA is a digital entity that can issue and sign digital certificates, which prove that digital objects and users on a network are who they say they are.

In short, hardware security modules can bring about total network security for organizations of any size and scale.

The History of Hardware Security Modules (HSMs)

Now that we've explained hardware security modules (HSMs) and their functions, you may be surprised to learn that they've been around since the early 1970s. At this time, HSMs typically encrypted ATM and PIN pad messages.

How do we know this? Well, to put it simply, we were there.

Not long after the first HSMs were invented, Futurex entered the cryptographic market, supplying cryptographic solutions to enterprise payments organizations.

Decades of strident research and development would culminate in the Vectera HSM, the first HSM on the market to offer virtualization.

Virtualization allows users to create separate instances of HSMs within the secure environment of the host HSM, multiplying the use you get out of a single HSM.

We went on to drive further HSM innovation by combining all of our key management solutions into a powerful all-in-one appliance: the KMES (or Key Management Enterprise Server).

The KMES Series 3 manages and encrypts keys, creates and manages CAs, and more.

In 2024, Futurex launched the industry's first unified HSM, CryptoHub. Leveraging decades of expertise and our Base Architecture Model (BAM), which enabled the interoperability of all HSMs, we developed a single-platform HSM that delivers all cryptographic use cases in a single device.

CryptoHub eliminates the pain of multi-platform, siloed cryptography, where deployment and management costs deteriorate ROI. CryptoHub offers multi-tenancy and up to 75 virtual HSMs per host, deploys cryptographic functions 90% faster than competitive offerings, and scales up and down with your needs seamlessly, deploying on-premises, in the cloud, and a hybrid environment.   

What Is Hardware Security Module in the Cloud Era

While many organizations deploy physical hardware security modules on-premises, deploying HSMs through a cloud service is increasingly common.

Cloud HSMs are based on their physical counterparts and offer the same levels of functionality and compliance.

Cloud HSMs are often deployed and managed from a single web interface, which helps streamline cryptographic infrastructure overall.

Futurex's VirtuCrypt cloud HSM service uses an OpEx-based licensing model to help organizations reduce the costs associated with deploying HSMs.

Cloud HSMs are a great option for large enterprises looking to streamline and centralize infrastructure and small-to-medium organizations that are looking to deploy cryptography for the first time.

The capabilities of cryptography in the cloud extend to the previously mentioned key management, too (at least with our VirtuCrypt platform).

VirtuCrypt users can deploy cutting-edge cloud solutions like bring your own keys (BYOK). BYOK allows an organization to retain exclusive access to its encryption keys, so a public cloud service provider cannot access their keys.

A similar use case is external key management (EKM). EKM is similar to BYOK, but involves a third party managing an organization's keys on its behalf while giving that organization exclusive control.

Conclusion

We hope this article has answered your questions about HSMs, what they do, and why organizations need them, or at least made the concept a little less cryptic.

If you have any further questions about this post or about cryptography, contact our subject matter experts.

Hardware Security Modules (HSMs) FAQs