
The Role of Encryption and HSMs in Creating Trust

.jpg)
Peter DiToro, VP of Customer Services, Thales e Security, Peter DiToro Vice President Advanced Solutions, Thales e-Security. He is Responsible for the Advanced Solutions Group at Thales e-Security, Peter and ... More >>
Humans have been encrypting secrets for as long as there have been secrets to protect. That’s because for as long as there have been humans, some of them have wanted access to information that doesn’t belong to them. In the digital age, this translates into data— and it’s getting increasingly harder to keep it safe. That’s why hardware security modules (HSMs) were invented.
The HSM has become the de facto standard for securing the foundation of any modern crypto system. HSMs are specialized devices used to protect cryptographic keys both at rest and in use. Today’s digital HSM provides a secure platform for managing cryptographic keys and their use over the life cycle of both cryptographic material and associated data. However, a breach of cryptographic keys destroys the integrity of any crypto system, no matter how elegant its implementation.
The number of “things” connected to the Internet will reach 6.4 billion in 2016, according to Gartner Group, an internet consultancy. Each of these “things” can assume an identity, secure a communications channel, gather data on its environment and share that data widely. Clever cryptography will form the basis for establishing IoT identities and protecting the resulting flood of data. HSMs provide the highest level of trust and protection available when it comes to establishing and protecting the cryptographic infrastructure on which trust in a fully functional IoT depends.
Today's digital HSM provides a secure platform for managing cryptographic keys and their use over the life cycle of both cryptographic material and associated data
There are a couple of issues with HSMs, however. First, they are expensive. Second, the world of crypto is not well understood within the broader IT community. As cryptographic applications have surged into the mainstream, it can be tempting to cut corners, to deploy sensitive cryptographic operations without sufficient protection. Until the recent explosion in crypto deployments and the corresponding surge in highly public breaches, few thought about securing the foundational aspects of key generation, key management and protection of core crypto applications. Things just had to work to pass first-level scrutiny.
That was before the IoT came along. A smartphone, for instance, has to have an identity. It stores encryption keys and digital certificates. It can easily become a proxy for its owner’s identity in transacting over the internet. Suddenly, we find ourselves transacting with countless things on the internet. Nowadays, HSMs, the means by which trustworthy digital identities are secured, have become more pertinent. The risk of brand damage caused by exploitation of a weak crypto system dwarfs the cost and hassle of HSM deployment. Shortcuts no longer make sense, even in the stingiest applications environments.
Devices and sensors bound for the IoT must have identities, most likely based on digital certificates issued by a Public Key Infrastructure (PKI). When an autonomous entity on the Internet presents its credential and asserts an identity and associated trust level, you want to be able to rely on it. This means that the cryptographic materials that underpin that identity cannot be forged or stolen. You want to trust that you are transacting with the intended entity and not some fraudulent man in the middle.
Digital certificates and keys are being generated by thousands of device manufacturers today. All of these devices need to identify themselves. We assume, often wistfully, that the cryptographic infrastructure that underpins the integrity of these identity assertions is solid. Suddenly, the idea that one’s keys and PKI could get compromised and millions of devices could be put in jeopardy hits home. The scope of the business problem rises from an interesting niche problem set to one with existential implications for modern eCommerce.
Need Proof?
An example of just how real this threat is comes from the Heartbleed bug, a serious vulnerability in the popular OpenSSL cryptographic software library. Heartbleed acts like a guided missile looking for SSL keys. Once a hacker exfiltrates a copy of those keys, he or she can act as a man in the middle. But Heartbleed is a memory scraper; it works only if the organization is doing its crypto on the server, in which case the keys are in plain text in memory. However, if the organization is securing its SSL keys within an HSM, Heartbleed can’t see them.
Another example comes from Stuxnet, whose creators stole code-signing certificates and their associated private keys from two Taiwanese component manufacturers. This enabled the Worm to replicate itself across servers, quietly installing copies of itself using stolen code signing keys to mask its origin. If those code-signing keys had been maintained and used within an HSM, Stuxnet would have happened to someone else.
Best Practices
Cryptography depends on the integrity of its key management systems and practices. For example, if the root key of a PKI is compromised, the entire system collapses. To avoid this and other disasters, follow these simple best practices:
■ Determine what data is important and where it is: In order to encrypt your data effectively, you have to know where it is. Start with the process of data categorization.
■ If it’s critical, encrypt it: It’s too dangerous to leave data in the clear during any phase of its lifecycle.
■ Deploy an HSM: Get the hardened, secure root of trust needed to enable a higher degree of security when deploying crypto.
■ Choose hard over soft: Recognize that keys should only be used within the parameters of an HSM.
■ Make the knowledge investments needed: Crypto is a tool; using that tool wisely implies understanding how it works. Invest in your people and in the basics building blocks of cryptographic technology.
The online landscape has changed so dramatically in the last few years that organizations cannot afford to NOT use HSMs—there’s just too much to lose. These modules increase the likelihood of securely deploying cryptography, which is especially important for organizations dealing with a high volume of keys.
Check out: Top Endpoint Security Consulting Companies
ON THE DECK
Featured Vendors
Adirondack Information Security LLC: Effective and Affordable Cybersecurity Consulting For All Businesses
LBMC Information Security: Fortifying Your Data with Real-Time Monitoring and Dedicated Professionals
EDITOR'S PICK
Essential Technology Elements Necessary To Enable...
By Leni Kaufman, VP & CIO, Newport News Shipbuilding
Comparative Data Among Physician Peers
By George Evans, CIO, Singing River Health System
Monitoring Technologies Without Human Intervention
By John Kamin, EVP and CIO, Old National Bancorp
Unlocking the Value of Connected Cars
By Elliot Garbus, VP-IoT Solutions Group & GM-Automotive...
Digital Innovation Giving Rise to New Capabilities
By Gregory Morrison, SVP & CIO, Cox Enterprises
Staying Connected to Organizational Priorities is Vital...
By Alberto Ruocco, CIO, American Electric Power
Comprehensible Distribution of Training and Information...
By Sam Lamonica, CIO & VP Information Systems, Rosendin...
The Current Focus is On Comprehensive Solutions
By Sergey Cherkasov, CIO, PhosAgro
Big Data Analytics and Its Impact on the Supply Chain
By Pascal Becotte, MD-Global Supply Chain Practice for the...
Technology's Impact on Field Services
By Stephen Caulfield, Executive Director, Global Field...
Carmax, the Automobile Business with IT at the Core
By Shamim Mohammad, SVP & CIO, CarMax
The CIO's role in rethinking the scope of EPM for...
By Ronald Seymore, Managing Director, Enterprise Performance...
Driving Insurance Agent Productivity with Mobile and Big...
By Brad Bodell, SVP and CIO, CNO Financial Group, Inc.
Transformative Impact On The IT Landscape
By Jim Whitehurst, CEO, Red Hat
Get Ready for an IT Renaissance: Brought to You by Big...
By Clark Golestani, EVP and CIO, Merck
Four Initiatives Driving ECM Innovation
By Scott Craig, Vice President of Product Marketing, Lexmark...
Technology to Leverage and Enable
By Dave Kipe, SVP, Global Operations, Scholastic Inc.
By Meerah Rajavel, CIO, Forcepoint
AI is the New UI-AI + UX + DesignOps
By Amit Bahree, Executive, Global Technology and Innovation,...
Evolving Role of the CIO - Enabling Business Execution...
By Greg Tacchetti, CIO, State Auto Insurance
Read Also
Why Every CISO Should Develop a Secure Software Supply Chain?
Are Your Value Props Still Relevant in the Changing Market?
Building and Maintaining a Risk Averse Security Program
The Race to Digitize the Insurance Industry
FinTech Down, "But Not Out"
The Softer Side of Directing Digital Transformation
