Hardware security modules (HSMs) were once the sole purview of large enterprises and governmental organizations. The devices were used to enable a higher degree of security when deploying cryptographic technology to physically secure encryption keys. Today’s HSMs provide a secure platform for managing cryptographic keys and their use over the life cycle of both cryptographic material and associated data. In other words, HSMs were specifically designed to make it maximally secure for an organization to use cryptography to obscure its data. Given today’s enhanced threat scape and the increased emphasis on security imposed by the connectedness of the internet, small and mid-sized businesses are beginning to adopt HSM technology as well.
Why is this? Simple: the Internet of Things (IoT). Cisco predicts that there will be 50 billion connected devices by 2020. Each of these “things” can assume an identity, secure a communications channel, gather up data on its environment and share that data widely. A smartphone is a perfect example; it stores encryption keys and digital certificates and can act as a proxy for its owner’s identity in transacting over the internet.
And we’re not limited to smartphones; increasingly intelligent devices include industrial sensors, car navigation equipment, connected home thermostats and on and on. The IoT’s things are everywhere, affecting all areas of business and personal life. Companies and individuals are hoping that the many daily interactions with connected devices and distant servers are secure and trustworthy. But given the internet’s security track record thus far, that’s a slim hope.
This is how IoT security works with respect to authenticating connected devices. Any company that wants to create a device for the Internet of Things must endow their creations with identities, most likely based on digital certificates issued by a Public Key Infrastructure (PKI). When an autonomous entity on the internet, be it a help bot from a major retailer or a smart appliance, presents its credential and asserts an identity and associated trust level, you want to be able to trust it. Trust implies that the cryptographic materials that underpin that identity cannot be forged or stolen. You want to rest in the certainty that you are transacting with the intended entity and not some fraudulent man in the middle.
The non-zero probability that your organization’s PKI and/or the underlying cryptographic keys could be compromised, and that potentially millions of devices could be jeopardized, is starting to hit home. Suddenly, the scope of the problem changes from an interesting niche problem for the big players to one that can affect all of e-commerce. And suddenly, the risk of brand and identity damage caused by exploitation of a weak crypto system dwarfs the cost of HSM deployment.
The internet and the number and diversity of things connected to it have changed dramatically since HSMs first came into being. Organizations that depend on the integrity of cryptographic keys need HSMs as an essential component of the modern, hardened crypto system.