Precisely, the trust service providers are organizations that carry out legal and technological operations to guarantee the integrity and authenticity of documents, signatures, files and even digital identities. These trust providers, for example, could help us create, validate and send an electronic invoice, in addition to being a trusted entity between our company and the tax authority. Similarly, they could grant us an online identity through a digital certificate that contains our information or digital identity to carry out operations such as signing a contract or converting our dead file vault to a digital document repository.
For trust providers, as in the case of a Certification Authority (CA), we have observed two main cybersecurity trends that have gained strength and are affecting their security infrastructure: the implementation of hybrid clouds, and devices with high security standards such as Hardware Security Modules (HSMs). HSMs provide their clients with the security and integrity of the most sensitive cryptographic material, but are also part of the critical infrastructure that provides compliance with certification requirements.
HSMs have evolved since their creation, from large devices that were complex to operate into light, dynamic and user-friendly ones, reducing the time and complexity of implementing this type of device. This is how Futurex has revolutionized the implementation of Hardware Security Modules in a corporate environment through its virtualization technology for these cryptographic devices (Virtual HSM).
In a solution that by its very nature typically sees very little innovation or evolution beyond required standards, Futurex has developed groundbreaking technology. With the virtualization of these types of solutions, we can convert our physical HSM into up to 20 independent Virtual HSMs, providing greater security to our most sensitive information. With each virtual device, you get an individual master key, custodians (quorum) and independent cryptographic tokens, isolating all security controls and access to the HSMs.
Likewise, it allows the virtualization of cryptographic services (maintaining both FIPS 140-2 level 3 policies, as well as PCI compliance) by implementing multiple environments with Virtual HSM for the separation of functions such as the issuance/validation of transactions.
Let's move on from theory to the application of this technology in real life and analyze how virtualization is implemented in different use cases.
But on many occasions, we see providers that have only one HSM in their production environment to serve all the transactions of these application instances (Fig 1.1). With only one instance, what would happen when updating the firmware of that HSM? This architecture forces us to take offline not only the HSM but also the pool of applications accessing it, so all transactions must be redirected to a DRP environment (Fig 1.2). In this case, the multi-instance application architectures go to a single HSM.
Another implementation case could be a trust provider offering specialized services to a client that requires certified protection of their cryptographic keys that are linked to the processing or service of an application.
By having this virtualization service, we provide a higher level of security for the keys that the client gives us for safekeeping. If we store them in a database, directory or any part of the application, they are exposed to third parties who could access them. With virtualization technology, we could create for each client their own Virtual HSM that exclusively protects their keys and has a log that records all their transactions; this provides a new level of security for that client by completely separating it from all the processing of other clients or systems that are stored in our HSM.
As you can see, the implementation of virtualization technology offered by Futurex can help trust providers to strengthen their processing architecture and provide their customers with a more secure environment for sensitive keys and transactions, offering them a Virtual HSM on the device they are currently operating with.
Xaviero Cervera
Project Director
For CEGA Security: Tania López
+52 9988007295
For Futurex: Kelly Stremel
+1360-687-1332
Very interesting, the virtualization of HSMs. I am going to check whether Chilean law, or rather the Accreditation Guides for PSCs, allows me to have the HSM virtualized and outside the territory; I would like to know a little more about this, since we are in the process of being set up and becoming a PSC is a focus of interest.
Coming soon at http://www.acredita.org