nCipher Security Blog

The Driving Forces Behind HSM Usage in 2016

John Grimm | Vice President of Strategy and Business Development

Hardware Security Modules (HSMs) provide organizations with high assurance for their most important and sensitive cryptographic operations. But what is driving organizations to increasingly use the technology, and how will the more digital and connected world impact HSM adoption? Let’s take a look.

#1 Public Key Infrastructure (PKI): When we surveyed our customers, nearly two thirds (61%) said PKI was the main application where they use HSMs. This is very important, especially given an increased dependency on PKI today. In fact, we found that a PKI is currently being used to support an average of seven enterprise applications, and the dependency is only continuing to grow with the rise of cloud and mobile.

Last year, we found that just 27% of UK organizations report that they currently rely on HSMs to protect their PKI. But with the headlight of the Internet of Things starting to round the corner in 2016, this percentage will undoubtedly increase as more devices, applications and “things” will require credentialing and a secure way to communicate.

#2 Custom applications: Protecting sensitive applications from manipulation by hackers or rogue administrators is, of course, critical for safeguarding a company’s intellectual property. Being able to run applications within a highly protected and secure environment, where they are protected from a variety of attacks, is an increasingly popular way to achieve this.

As such, in 2016 we are likely to see organizations with HSMs capable of doing so move sensitive apps and business functions off their application servers, where they are most vulnerable, and instead execute them inside the FIPS boundary of an HSM to significantly reduce the risk of a successful attack.

#3 Digital signing: Just over a quarter of our customers (26%) state digital signing as the primary use case for their HSM. Given the rising need to digitally sign things like barcodes used in electronic transactions to ensure integrity and authenticity (think e-tickets for airlines or sporting events where there is high fraud risk), it isn’t hard to see why. In the year ahead, we fully expect to see digital signing become a more significant use case for HSMs, particularly as new regulations come into effect and enterprises increasingly adopt cloud-based signing models, where the signing keys are protected, stored and managed on behalf of the signer by a cloud provider.

#4 SSL: Another 26% of our customers use HSMs for SSL, and this number is poised to grow in 2016. Rising use of application delivery controllers, such as those provided by F5 and Citrix, drives HSM adoption not only for security of keys but also to meet performance needs in the demanding networking environment created by today’s world of web applications and cloud-based services.

#5 Code signing: In cases like Stuxnet and Duqu, we have seen attackers steal an organization’s private signing key and gain the ability to slip in malware in place of the legitimate code – resulting in the double whammy of a successful malware installation and identity fraud, since the malware looks like it came from the victimized organization! That’s one sure way to ruin a reputation in one fell swoop.

While this was once a problem solely for companies producing software, it is today an issue for many industries. Take, for example, banks that develop mobile apps, manufacturers that produce control systems for cars and media providers that need to control access to content. With such a variety of organizations now at risk, such threats will certainly cause more businesses to take note of how HSMs can help.

It is insightful for us to take stock of the reasons behind the decision to use HSMs, but in this constantly evolving industry, it is also beneficial to look ahead and consider what else could impact those decisions in the not-so-distant future. 2016 will inevitably see increased HSM adoption, as more and more organizations look to trusted cryptography to solve security issues in our highly connected world.