HSM – What is it and who needs one?

What is an HSM?
HSM stands for Hardware Security Module: a dedicated, hardened piece of hardware built for securely storing cryptographic keys.
It can create, store and manage digital keys, encrypt and decrypt with them, and be used for signing and authentication. Its purpose is to safeguard sensitive data by protecting the keys that secure it.
Why do you need an HSM?
There are several reasons, but the main one is security, and security at every level.
In industries like the payment industry, where you handle card data, the data has to be encrypted in order to comply with PCI DSS. Here, an HSM is best practice and often a requirement. From a technical perspective, an HSM is a very secure way to store cryptographic keys.
The hardware is physically protected against tampering: it cannot be opened without this being detected, and it alerts you if something is wrong. If an HSM is stolen and loses power, the cryptographic keys can be automatically deleted from its memory.
Thus, it is a secure solution if you need to protect extremely sensitive information.
What are the main benefits of using HSM?
Security, simplicity and performance. An HSM protects your cryptographic keys while keeping them easily usable from your applications. It also provides high availability and strong performance for cryptographic operations.
By using an HSM, you offload cryptographic processing from your servers. Encryption and key operations are handled by the HSM hardware instead of your application servers.

Can’t you just encrypt and decrypt without using an HSM?
Yes, you can. However, the keys used for encryption are then often generated and stored on the same device that performs the encryption, which is rarely a secure approach. If the key is reachable over the network, the risk of it being found and stolen increases significantly, and once stolen it can be used to decrypt and access the sensitive data it protects.
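The difference described above, in a small model that is added here as an illustration and is not code from the original article or from any HSM vendor: keys are generated inside the module, the application only ever receives an opaque handle, every cryptographic operation runs inside the module, and a tamper event wipes the keys. Real HSMs expose this pattern through interfaces such as PKCS#11; the class name, the method names and the use of HMAC-SHA256 as a stand-in for the signing operation are assumptions made so the example runs on the Python standard library alone.

```python
"""Toy model of the HSM key-handle pattern (constructed example, not a real HSM)."""
import hashlib
import hmac
import secrets
from typing import Dict


class SimulatedHsm:
    """Holds key material privately and exposes only operations on handles."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}  # handle -> key bytes, never returned
        self._zeroized = False

    def generate_key(self) -> str:
        """Create a key inside the module and hand back an opaque handle."""
        self._check_state()
        key = secrets.token_bytes(32)
        handle = "key-" + secrets.token_hex(8)  # random label, not key material
        self._keys[handle] = key
        return handle

    def sign(self, handle: str, data: bytes) -> bytes:
        """Compute a MAC over data with the key behind handle, inside the module."""
        self._check_state()
        key = self._keys[handle]  # KeyError for a handle this module never issued
        return hmac.new(key, data, hashlib.sha256).digest()

    def verify(self, handle: str, data: bytes, tag: bytes) -> bool:
        """Constant-time check of a tag produced by sign()."""
        return hmac.compare_digest(self.sign(handle, data), tag)

    def tamper_event(self) -> None:
        """Model of the tamper response: overwrite every key and refuse further use."""
        for handle in list(self._keys):
            self._keys[handle] = bytes(32)
        self._keys.clear()
        self._zeroized = True

    def _check_state(self) -> None:
        if self._zeroized:
            raise RuntimeError("module zeroized after tamper event")


def demo() -> Dict[str, bool]:
    """Exercise the model and report what an application can and cannot do."""
    hsm = SimulatedHsm()
    handle = hsm.generate_key()
    record = b"card-transaction-0001"  # constructed sample payload
    tag = hsm.sign(handle, record)

    results = {
        # The application verifies through the module; it never sees key bytes.
        "verified": hsm.verify(handle, record, tag),
        # A modified record fails verification.
        "modified_data_rejected": not hsm.verify(handle, record + b"x", tag),
    }

    # A copied handle is worthless outside the module that holds the key.
    other = SimulatedHsm()
    try:
        other.verify(handle, record, tag)
        results["handle_useless_elsewhere"] = False
    except KeyError:
        results["handle_useless_elsewhere"] = True

    # After a tamper event the keys are gone and the module refuses to operate.
    hsm.tamper_event()
    try:
        hsm.sign(handle, record)
        results["zeroized_module_refuses"] = False
    except RuntimeError:
        results["zeroized_module_refuses"] = True
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The contrast with software-only encryption is the `_keys` dictionary: in this model it is private to the module object, whereas an application that generates its own key holds the bytes in its own memory and configuration, where anything that can read the host can read the key.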
What security requirements exist for HSMs?
There are strict standards and certification processes for HSM units. One important standard is FIPS 140, a Federal Information Processing Standard that defines security requirements for cryptographic modules. The PCI Security Standards Council has also published requirements specifically for HSM devices. Using a certified HSM acts as a strong security indicator for your organization: it signals to auditors and stakeholders that you take encryption and information security seriously.
What kind of companies benefit most from using an HSM?
Companies with strong IT security awareness and a need to encrypt, sign or verify data benefit the most. Organizations across many industries that handle extremely sensitive data need secure storage for cryptographic keys. Additionally, companies handling personal data under GDPR, where there are high requirements for privacy and secure data processing, can benefit greatly from using an HSM to protect encryption keys.
