The pandemic we have been facing since the beginning of 2020 has forced organizations in practically all economic sectors to rethink their digital transformation strategy and what is actually possible and required in order to evolve to a paperless process. With this evolution also comes the need to reinforce the security infrastructure of our information and most sensitive assets, but also those of our customers as well. The design of or cryptographic infrastructure is a fundamental part of the digital evolution or transformation that has become the focus of most companies, especially in the market for digital identity and trust service providers.

Precisely, the trust service providers are organizations that carry out legal and technological operations to guarantee the integrity and authenticity of documents, signatures, files and even digital identities. These trust providers, for example, could help us create, validate and send an electronic invoice, in addition to being a trusted entity between our company and the tax authority. Similarly, they could grant us an online identity through a digital certificate that contains our information or digital identity to carry out operations such as signing a contract or converting our dead file vault to a digital document repository.

For trust providers, as in the case of a Certification Authority (CA), we have observed two main cybersecurity trends that have gained strength to impact their security infrastructure. We can highlight the implementation of hybrid clouds and devices with high security standards such as Hardware Security Modules (HSM) that provides their clients the security and integrity of the most sensitive cryptographic material, but part of the critical infrastructure that provides compliance for certification requirements.

HSMs have evolved since their creation, from a large and complex operating devices to becoming light, dynamic and user-friendly, contributing to the reduction of time and complexity in the implementation of this type of device. This is how FutureX has revolutionized the implementation of Hardware Security Modules in a corporate environment through its virtualization technology of these cryptographic devices (Virtual HSM).

In a solution that by its very own nature typically sees very little innovation or evolution beyond required standards, FutureX has developed groundbreaking technology. With the virtualization of these types of solutions, we can convert our physical HSM into up to 20 independents Virtual HSMs, providing greater security to our most sensitive information. With each virtual device, you get an individual master key, custodians (quorum) and independent cryptographic tokens, isolating all security controls and access to the HSMs.

Likewise, it allows the virtualization of cryptographic services (maintaining both FIPS 140-2 level 3 policies, as well as PCI compliance) by implementing multiple environments with Virtual HSM for the separation of functions such as the issuance/validation of transactions.

Let's move on from theory to the application of this technology in real life. Let's analyze the virtualization’s implementation with different use cases.

The provider can make this architecture more robust through the use of Virtual HSMs. By using virtualization technology for HSMs you could have up to three instances of Hardware Security Module on the same device and make a cluster of Virtual HSMs to respond to the same set of applications, simply alternating the different services of the cryptographic module, round robin (Fig 2.1). Likewise, by cloning the main HSM, we would have the ability to bring the Virtual HSM offline and update it without affecting the service, while the other two are in the cluster attending the workload. We can change and update the hardware one by one and the application could continue operating with one or two instances without a problem (Fig 2.2)

Another implementation case could be a trust provider offering specialized services to a client that requires certified protection of their cryptographic keys that are linked to the processing or service of an application.

The provider can make this architecture more robust through the use of Virtual HSMs. By using virtualization technology for HSMs you could have up to three instances of Hardware Security Module on the same device and make a cluster of Virtual HSMs to respond to the same set of applications, simply alternating the different services of the cryptographic module, round robin (Fig 2.1). Likewise, by cloning the main HSM, we would have the ability to bring the Virtual HSM offline and update it without affecting the service, while the other two are in the cluster attending the workload. We can change and update the hardware one by one and the application could continue operating with one or two instances without a problem (Fig 2.2)

Another implementation case could be a trust provider offering specialized services to a client that requires certified protection of their cryptographic keys that are linked to the processing or service of an application.

To be able to offer trusted services, an HSM must be implemented to protect the keys with which the most sensitive transactions are signed. Generally, this provider can protect their keys through a FIPS 140-2 Level 3 certified HSM, but in some cases users' keys are not protected with the same levels of security. Sometimes these are stored in a directory of the operating system, in a database or in different places that do not offer the end customer all the security and non-repudiation guarantees to their keys.

By having this virtualization service, we provide a higher level of security between the keys that the client gives us for safekeeping. If we store them in a database, directory or any part of the application, they are exposed to third parties who could access them. With virtualization technology, we could create for each client their own Virtual HSM that exclusively protects their keys and has a log that records all their transactions; this provides a new level of security for that client by completely separating it from all the processing of other clients or systems that are stored in our HSM.

As you can see, the implementation of virtualization technology offered by FutureX can help trust providers to strengthen their processing architecture and provide their customers with a more secure environment for sensitive keys and transactions, offering them a Virtual HSM on the device they are currently operating with.