The Importance of Hardware Security Modules in Data Security


Data security has become more critical than ever, irrespective of what type of data it is. One of the methods used for data security can be cryptographic protocols. In this article, Jens Bothe, interim vice president, customer solutions, OTRS Group, describes what a hardware security module is in the context of cryptographic protocols and why it is important. 

Data exchanged in the digital space is not everyone’s business, so encrypting it is important and even vital for some industries. That’s why data security is always a top priority. The primary goal of data security is to protect any kind of data against any kind of loss, manipulation, threats or access by unauthorized persons, regardless of whether the data is personally identifiable or not. Data security is primarily about what measures must be followed to ensure data protection. 

Just how important data security is can be seen from the incidents that have occurred in recent months. The hackers responsible for the attack on the company SolarWinds® are said to have previously attacked 140 other technology service providers within half a year alone. But what methods for data security can the market actually offer? And which are best suited to the respective requirements of different industries?

Cryptographic protocols are among the methods used for data security. Cryptographic protocols allow for secure communication between two parties by using “keys” — strings of data that unlock cryptographic functions — to indicate that it is safe to transfer data.

We use probably the most common form of cryptographic protocol every day. In fact, without realizing it, everyone probably also uses a hardware security module. 

For example, cryptographic communication keys and programs are stored on the physical chips that are part of a banking or credit card. These keys can be used to perform encryption or, for example, PIN verification offline. The chip is the hardware security module. 

But What Exactly Is a Hardware Security Module?

A hardware security module is a device that securely generates, stores and manages cryptographic keys. Within the hardware module, the keys are tamper-proof and protected from unauthorized access, thus ensuring the integrity and confidentiality of the keys. The functions of such a device include the generation of keys, their encryption and decryption, authentication and signature operations. 

An HSM secures numerous applications and transactions, protecting digital identities, critical infrastructure and valuable data. Hardware security modules are evaluated and certified to FIPS 140-1 and 140-2 security standards. Among other things, they are used in cryptographic transaction systems of financial service providers, SSL servers or as security tokens.

But how does this apply in practice? Here’s how it works:

See More: 6 Ways Smart Automation Is Helping Companies Meet SOC 2 Requirements Today

Application of Cryptographic Keys

As in the bank card example above, HSM modules work with cryptographic keys. Digital signing and encryption work with two factors — the public and the private key. For example, in a communication between two people via an email client, both people have a private and a public key. The private key is in the care of the recipient of a message and is used to decrypt and sign information. The other person’s public key is needed to send encrypted emails to the recipient. A kind of key-lock principle that is usually used as a standard in communication software. 

Sometimes, however, this still isn’t secure enough. For example, in one of the solutions, customers usually have very high-security requirements. In the internal security policies of most customers, it is specified that private keys must not be stored on servers but rather on hardware security modules like crypto cards. 

For such customers, they could not use an “ordinary” USB stick; instead, the private key is “wired” into a hardware security module. This means that the key is permanently installed. By means of an additional PIN, the HSM and thus the key can be used to encrypt or sign messages for data traffic. The HSM is connected to the computer and activated by a PIN. Encryption is performed directly on the HSM and not on the computer. If the encryption were done on the computer, the potential attack surface would be much larger because the information for encoding and decoding would be on the hard disk, and other programs could read it. Now, however, the key cannot be cracked using an HSM because it is located externally and is usually additionally protected by a PIN.

Data traffic is often encrypted in everyday life, for example, between a browser and a website. Encrypting data is usually very complex and consumes a lot of a server’s computing time, so CPU utilization is correspondingly high. The physical device has high computing capacities to execute cryptographic procedures. In contrast to the common computer chip, a built-in or stand-alone HSM computes the encryption much faster. The computing power is therefore not provided by a single server but is outsourced by the hardware module — already common practice for a long time in the context of VPN gateways.

Hardware Security Modules Are Becoming Increasingly Important

The topic of cyber security will become increasingly important in the coming decades as IT infrastructures are massively expanded and become ever more complex in view of the increasing digitization of the economy. In the future, and even now, there are high risks involved in encrypting a computer. With an HSM, you no longer have the key as a file on the computer and thus avoid the risk of giving unauthorized third parties access. Another advantage is the speed with which encryption and decryption are performed since the computation is outsourced to an HSM and thus does not tie up any computer power. Additionally, an HSM guarantees that only truly authorized persons have access to certain data, which is particularly important for highly sensitive corporate information and information that should be guaranteed: This is because HSM use guarantees secure handling of cryptographic keys.

Did you find this article helpful? Tell us what you think on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We’d be thrilled to hear from you.