Key Management Refresher: Software vs. Hardware

For any organization managing encryption keys, the process of creating, maintaining, and improving a key management system can seem a frustrating or even impossible task. These feelings of frustration often stem from a few prominent mistakes that frequently occur. Beyond simple annoyance with an inefficient system, key management mistakes can have a far more damaging effect: data breaches. Fortunately, these mistakes are easily preventable with some instruction. In our whitepaper, Ten Key Management Mistakes…And How to Avoid Them, we discuss ten actions that can make or break a key management system. This blog post covers the final mistake in the whitepaper.

Imagine that your organization is using a software program to encrypt and manage keys. The computer running this software is kept in a relatively secure environment, but by necessity, certain employees still have access to the area. Realistically, how safe are your encryption keys? The software may be using the strongest encryption algorithms available, but unless the hardware is physically secure, the right hacker could expose your sensitive data fairly easily.

Insider attacks happen quite frequently. If an untrustworthy employee were to gain access to the area and steal the computer on which the software program is installed, he or she could crack the software over time, either through a brute force attack or by exposing other vulnerabilities within the software. Sometimes data can even be extracted directly off the computer’s RAM or hard drive. Without any physical barriers to stop access to these areas, your encryption keys will be exposed.

Hardware security modules (HSM) provide a far more secure method for storing and managing encryption keys. HSMs that are FIPS 140-2 Level 3-validated go through extensive tests to ensure that the devices are durable enough to protect data against physical attacks. The following features give HSMs a significant leg up when compared to software-based encryption methods: