{"id":5171,"date":"2022-04-25T16:21:40","date_gmt":"2022-04-25T08:21:40","guid":{"rendered":"https:\/\/www.progreso.com.sg\/newsite\/?post_type=all_news&#038;p=5171"},"modified":"2022-04-25T16:51:42","modified_gmt":"2022-04-25T08:51:42","slug":"how-select-hardware-security-modules-hsm","status":"publish","type":"all_news","link":"https:\/\/www.progreso.com.sg\/newsite\/all_news\/how-select-hardware-security-modules-hsm\/","title":{"rendered":"Blog: How to select an HSM"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"5171\" class=\"elementor elementor-5171\" data-elementor-settings=\"[]\">\n\t\t\t<div class=\"elementor-inner\">\n\t\t\t\t<div class=\"elementor-section-wrap\">\n\t\t\t\t\t\t\t<section class=\"elementor-element elementor-element-5187a4a elementor-section-boxed elementor-section-height-default elementor-section-height-default elementor-section elementor-top-section\" data-id=\"5187a4a\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t<div class=\"elementor-row\">\n\t\t\t\t<div class=\"elementor-element elementor-element-8d4818f elementor-column elementor-col-100 elementor-top-column\" data-id=\"8d4818f\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-column-wrap  elementor-element-populated\">\n\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t<div class=\"elementor-element elementor-element-16906c0 elementor-widget elementor-widget-text-editor\" data-id=\"16906c0\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-text-editor elementor-clearfix\"><p>\u00a0As the choice of Hardware Security Module is dependent on the specific application it is used for, in this article some general recommendations are provided by outlining a list of potential criteria to consider, irrespective of what you intend to use the HSM for.<\/p><h2>What kind of implementation services does the vendor offer?<\/h2><p>When analyzing various HSM vendors, it is worth considering their portfolio and assistance during implementation. First of all, make sure a vendor offers a diverse range of HSM solutions and supports all kinds of applications. A wide range of\u00a0<a title=\"General Purpose Solutions\" href=\"https:\/\/utimaco.com\/products\/categories\/general-purpose-solutions\" data-entity-substitution=\"canonical\" data-entity-type=\"node\" data-entity-uuid=\"10e058be-d54b-4a3c-a1d3-6db43404aeed\">general purpose<\/a>\u00a0and\u00a0<a title=\"Payment HSM\" href=\"https:\/\/utimaco.com\/payment-hsm\" data-entity-substitution=\"canonical\" data-entity-type=\"node\" data-entity-uuid=\"a3d01735-e743-44db-88d6-a69d960c4ad8\">payment applications<\/a>\u00a0allows you to support any combination of firmware and software options across different deployment models (on-premises, cloud and hybrid). This will help you choose a solution that fits your company needs.<\/p><blockquote><p><strong>Did you know?<\/strong><br \/>The latest Hardware Security Module OEM competitive assessment by ABI Research, announced Utimaco as the \u2018Top Implementer\u2019 in the HSM market. The Utimaco portfolio provides the most comprehensive and diverse range of solutions, serving all types of applications, at all price points (from entry-level to top-of-the-line), and in various form factors. According to the report &#8211; \u2018It is possible because Utimaco has worked from the basis of building a uniform underlying hardware platform upon which various (and multiple) firmware stacks and software options can be added, and which include cloud ready Application Program Interfaces (APIs)\u2019.<\/p><\/blockquote><h2>Technical factors<\/h2><p>Consider the following:<\/p><ul><li><strong>Performance<\/strong>\u00a0\u2013 Look at the performance factors for each type of HSM, but focus specifically on your use case: encryption\/decryption\/key generation\/signing, symmetric, asymmetric, EC, etc. Ask about true performance figures, e.g. for a network-attached HSM, enquire about the network configuration or for embedded cards, ask about standards released after the PCIe bus.<\/li><li><strong>Scalability<\/strong>\u00a0\u2013 What are the limiting factors in terms of scalability, in connection with your application? Do you need a defined number of keys stored inside the HSM? How could you add another HSM? How easy would this be?<\/li><li><strong>Redundancy<\/strong>\u00a0\u2013 What happens if one HSM breaks? How much would this impact on your operations? How easy would it be to replace without loss of service, etc.<\/li><li><strong>Backups<\/strong>\u00a0\u2013 How are backup and restore processes carried out? How much effort would it be for your organization to implement these processes? Are you able to avoid irretrievably losing your data?<\/li><li><strong>API support<\/strong>\u00a0\u2013 The API is the connection to your Application-Host environment. Here are some hints for dealing with questions about supported APIs:<\/li><\/ul><p><u>1.<\/u>\u00a0Microsoft MS CSP\/CNG: The Microsoft \u201cstandard\u201d API is the easiest way to connect to an HSM when using Windows;<\/p><p><u>2.<\/u>\u00a0JCE: The \u201cstandard\u201d Java developer.<\/p><p><u>3.<\/u>\u00a0PKCS#11: The \u201cindustry standard\u201d, but there are some pitfalls such as known security issues and vendor proprietary extensions. ATTENTION: Vendor proprietary extensions or mechanisms are use case-specific API extensions, and are not part of the PKCS#11 standard. This will increase costs when switching vendors.<\/p><h2>Software and Serviceability<\/h2><p>Choose the API that is compatible with your use case and operating system. If you are using Microsoft OS, choose CNG. If you are using an application that supports PKCS#11, choose PKCS#11. Ask for guidance on integration or How-to Guides.<\/p><ul><li><strong>OS \/ hardware support<\/strong>\u00a0\u2013 This requires different issues to be taken into consideration. The first of which is: Which operating systems are supported by the embedded card (PCIe-Driver)? Another issue: Which operating systems are supported by the network-attached HSM? Also: Which OS is supported by the management tools, e.g. GUI\/command line?<\/li><li><strong>Management<\/strong>\u00a0\u2013 Can the HSM be managed remotely? Which functions can be activated and controlled remotely?<\/li><li><strong>Programmability<\/strong>\u00a0\u2013 Most of your development will be at the other end of the APIs, but sometimes it can be useful to have the ability to write applications that run on the device, for greater flexibility or speed and to specify your API.<\/li><li><strong>Physical security<\/strong>\u00a0\u2013 Ask yourself the question: How resistant to direct physical attack does your solution need to be? If, for whatever reason, you decide that it is particularly important, you might want to look for \u201cactive tamper detection and response\u201d, as opposed to just \u201cpassive tamper resistance and evidence\u201d. Or alternatively, in terms of\u00a0<a title=\"FIPS 140-2\" href=\"https:\/\/utimaco.com\/compliance\/certifications-approvals\/fips-140-2\" data-entity-substitution=\"canonical\" data-entity-type=\"node\" data-entity-uuid=\"7d0ed491-2929-4858-96c4-1bb9eec3dc05\">FIPS 140-2<\/a>, look for FIPS 140-2 level 4 physical, or stick to the conventional FIPS 140-2 level 3.<\/li><li><strong>Algorithms<\/strong>\u00a0\u2013 Does the HSM support the cryptographic algorithm you want to use, via the selected API (primitives, modes of operation and parameters e.g. curves, key sizes)?<\/li><li><strong>Authentication options<\/strong>\u00a0\u2013 passwords; quorums; n-factors; smartcards; etc. At the very least, you should be looking for something that requires a configurable quorum size or password-authenticated users before allowing operations via use of a key.<\/li><li><strong>Policy options<\/strong>\u00a0\u2013 You might want to be able to define policies, such as controlling whether or not: keys can be exported from the HSM (wrapped or unencrypted); a key can only be used for signing\/encryption\/decryption\/\u2026; authentication is required for signing, but not verifying, etc.<\/li><li><strong>Audit capability<\/strong>\u00a0\u2013 Including both HSM-like operations (generated key, something signed with key Y) and handling connection problems or crashes. How easy is it going to be to integrate the logs into your monitoring system (syslog\/snmp\/other network accessible \u2013 or at least non-proprietary \u2013 output)?<\/li><\/ul><h2>Architecture &amp; Deployment<\/h2><p>Hardware Security Modules can be operated on premise, hosted or as a service from the cloud.<\/p><h3>On-premise deployments provide the following options:<\/h3><ul><li>Network-attached HSM: for larger-scale deployments, particularly where multiple applications\/servers\/clients need to utilize HSM services.<\/li><li>Embedded HSM (PCIe card): this is a more cost-effective solution compared to network-attached HSMs. It is worth noting that these types of solutions require greater processing power in order to run multiple applications simultaneously.<\/li><li>Scalable Containerized HSM: for true multi-tenant solutions (for example, in cloud platforms operating independent client accounts), allowing to run independent HSMs-deployments, policies and firmwares per container. We strongly advise against weak multi-tenant solutions operating with one single firmware or policy engine.<\/li><\/ul><h3>Hosted or as-a-service solutions<\/h3><ul><li>Hosted or as a service provides physically independent HSMs in the cloud: This solution offers the highest level of physical protection against unauthorized physical access and is ideally compliant with FIPS 140-2, level 4 per tenant. However, the scalability of such a solution is only on the level of locally deployed physical servers.<\/li><li>As-a-service solution which provides a fully or partially managed shared HSMs. Management functions like key management could be part of the service solution or might be done by the customer on premise or in a different cloud.<\/li><li>As-a-service solution which provides tenants in containerized HSM, FIPS 140-2 level 3 protected per tenant. Such containers provide individual policies and firmware per tenant and provide the scalability advantages of the cloud. They are outside the cloud service provider\u2019s (CSP) infrastructure and preserve the customer\u2019s full control over their encryption requirements<\/li><li>Using the CSP\u2019s HSM-Cluster: Allowing for benefit of the cloud platforms\u2019 services (including AWS, Azure, Google Cloud). Control of the keys is limited.<\/li><\/ul><h2>Certification<\/h2><ul><li><a title=\"Certifications &amp; approvals\" href=\"https:\/\/utimaco.com\/compliance\/certifications-approvals\" data-entity-substitution=\"canonical\" data-entity-type=\"node\" data-entity-uuid=\"34a14647-329e-4bfe-b003-231f4372b43a\"><strong>Certifications<\/strong><\/a>\u00a0\u2013 One of the biggest areas of false interpretation. If you are buying a FIPS 140-2 level 3 certified product, it has to switch to so-called FIPS mode. FIPS mode means a restriction on API level, a restriction on algorithms (key length, usage, key attributes, etc.) Ask yourself the question: Which level do you actually need? What do you need for regulatory reasons?<\/li><li><strong>FIPS 140-2\u00a0<\/strong>\u2013\u00a0Certification schema by NIST under the CMVP. This framework is useful as it provides confirmation that the NIST-approved algorithms are working normally and that its implementation has passed a runtime known answer test. Regarding physical security, a FIPS 140 certificate with level 3 security tells you that a product fulfills the physical protection baseline, but no more than that!<\/li><li><a title=\"Common Criteria (CC)\" href=\"https:\/\/utimaco.com\/compliance\/certifications-approvals\/common-criteria-cc\" data-entity-substitution=\"canonical\" data-entity-type=\"node\" data-entity-uuid=\"9093e74e-e77b-49d0-a96a-f965981218cc\"><strong>Common criteria<\/strong><\/a>\u00a0\u2013Product evaluations can vary more in terms of providing assurance: Read the Security Target! At the moment, there is only one decent set of HSM Protection Profiles, so you are going to have to read the Security Problem Definition (threats and assumptions) at the very least, to give you an idea of what the evaluation is providing.<\/li><li><strong>Other Certification Schema<\/strong>\u00a0\u2013 Like e.g. PCI-HSM, DK approval or NITES (Singapore CC approval), these schemas will be useful if you are in the relevant industry. In addition to the certifications, ask for references specific to your relevant industry sector or to government space.<\/li><\/ul><p>Don\u2019t just rely on talk of ISO certification software development lifecycles.<\/p><p>Utimaco is able to offer HSM solutions which can be both PCI-HSM and FIPS 140-2 or 3 compliant (or none at all if not required).<\/p><h2>Soft factors<\/h2><ul><li>What support does the vendor offer? Don\u2019t just consider the different types of options; ask about reputation and for some tests!<\/li><li>What kind of integration services does the vendor offer? If you have complex requirements, it might be worthwhile involving the vendor in your configuration\/programming process.<\/li><li>What does the roadmap look like? Is there an issue you might know of that will arise in years to come?<\/li><li>What is the country of origin (design and manufacture)?<\/li><\/ul><h2>End-of-Life Replacements<\/h2><p>When replacing an existing \/ end of life HSM, proprietary solutions may require the need for changes in all connected applications. The preferable solution would be the choice of a application-agnostic and crypto-agile HSM, which are able to:<\/p><ul><li>Host relevant keys and key blocks<\/li><li>Connect to major key management systems<\/li><li>Connect to typical industry-grade apps with a documented application record<\/li><\/ul><p>As a result, replacements in the frame of service cycles will be fast, without requiring much investment in time or human resources.<\/p><h2 id=\"h-3626\">Important factors<\/h2><ul><li><strong>Cost\u00a0<\/strong>\u2013\u00a0What about the cost per unit(s)? What about the cost for support and maintenance? What is included in the unit pricing? Do you pay per API, etc.?<\/li><li><strong>Lead time<\/strong>\u2013Be realistic! If you feel you need an HSM immediately, you are probably underestimating the complexity of an HSM. HSMs are not mass produced; a certain amount of time is required to manufacture HSMs to ensure quality.<\/li><\/ul><h2 id=\"h-3627\">Leading the Way in the HSMs Market in 2022<\/h2><p><a href=\"https:\/\/www.abiresearch.com\/pages\/about-us\/\" rel=\"noreferrer\">ABI Research<\/a>* is a global technology intelligence company that provides actionable research and strategic guidance to global technology leaders, innovators, and decision makers.\u00a0<\/p><p><strong>Utimaco is proud to have been ranked Overall Leader and Top Implementer in their Competitive Ranking for Hardware Security Module: Original Equipment Manufacturer.<\/strong><\/p><p><strong>According to the report &#8211; \u2018No other HSM vendor currently offers this level of diversity, and Utimaco is unique in this regard\u2019.<\/strong>\u00a0<\/p><p><strong>When selecting your HSMs, why not choose the leader in the market, as awarded by ABI Research. Discover Utimaco\u2019s\u00a0<a title=\"Products\" href=\"https:\/\/utimaco.com\/products\" data-entity-substitution=\"canonical\" data-entity-type=\"node\" data-entity-uuid=\"35380678-ed2d-43fd-8a87-5ee0c2726665\">portfolio<\/a>\u00a0here.<\/strong><\/p><p>Source: <a href=\"https:\/\/utimaco.com\/current-topics\/blog\/how-select-hsm\">Utimaco- How to select an HSM<\/a><\/p><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>&nbsp;As the choice of Hardware Security Module is dependent on the specific application it is used for, in this article some general recommendations are provided by outlining a list of potential criteria to consider, irrespective of what you intend to use the HSM for. What kind of implementation services does the vendor offer? When analyzing [&hellip;]<\/p>\n","protected":false},"featured_media":0,"template":"","meta":[],"_links":{"self":[{"href":"https:\/\/www.progreso.com.sg\/newsite\/wp-json\/wp\/v2\/all_news\/5171"}],"collection":[{"href":"https:\/\/www.progreso.com.sg\/newsite\/wp-json\/wp\/v2\/all_news"}],"about":[{"href":"https:\/\/www.progreso.com.sg\/newsite\/wp-json\/wp\/v2\/types\/all_news"}],"version-history":[{"count":10,"href":"https:\/\/www.progreso.com.sg\/newsite\/wp-json\/wp\/v2\/all_news\/5171\/revisions"}],"predecessor-version":[{"id":5181,"href":"https:\/\/www.progreso.com.sg\/newsite\/wp-json\/wp\/v2\/all_news\/5171\/revisions\/5181"}],"wp:attachment":[{"href":"https:\/\/www.progreso.com.sg\/newsite\/wp-json\/wp\/v2\/media?parent=5171"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}