Trustis deploys managed PKIs based on nCipher HSMs
How a PKI managed service company uses nCipher Security hardware security modules to provide on-demand digital certificates to government agencies
THE GOAL: EXPAND BUSINESS BY ENABLING STRONG AUTHENTICATION FOR MOBILE DEVICES – QUICKLY AND ON DEMAND
As one of the UK’s leading authorities on public key infrastructure (PKI) and identity assurance, Trustis has provided on-demand managed PKI and identity services for a wide range of public and private organizations from a high security hosting facility since 1998.
More recently, Trustis sought to launch a new service offering – the Mobile Device Certificate Service (MDCS). This would provide ondemand digital certificates for public and private organizations that wanted to give their employees secure access to their networks via smart phones, tablets and other mobile devices.
Two major factors drove this business decision. First, the UK government realized they must embrace mobile devices to support reduced expenditure. So for the first time the government would permit agencies to use iPhones and iPads up to Restricted level, as long as each device was authenticated using a valid digital certificate (among other provisions). Secondly, with G-cloud – the UK government’s program that promotes the use of cloud-based IT services (similar to President Obama’s Cloud First initiative in the US) – gaining traction, Trustis could provide their innovative service directly, saving agencies much needed money.
Trustis’ plan was to create a service that would allow government agencies to purchase on-demand PKI services for their mobile device users. It would also service private companies looking to reap the employee productivity benefits of Bring Your Own Device (BYOD) solutions that enable secure access to corporate networks. The service would target users that wanted to quickly and securely implement mobile technology, and wished to avoid the cost and/ or effort of deploying a new or upgraded in-house PKI to support certificate issuance for mobile devices.
THE BENEFITS: SECURITY, RELIABILITY, SPEED AND COST-EFFECTIVENESS
Robert Hann, Business Development Director at Trustis, says nCipher HSMs provide a number of benefits for the Trustis service:
- Security. When you add an nCipher HSM to your PKI you are deploying a high assurance, independently certified, tamperresistant device to secure some of the most sensitive keys and business processes within an organization. nCipher HSMs enable Trustis to deliver the high level of security assurance and reliability necessary for such a widely trusted service.
- Resilience. Running a service at high availability, we have to have the most reliable HSMs. We have absolute confidence in the operation, security and control of nCipher HSMs.
- Speed. With the ability to perform fast elliptic curve cryptography, nCipher HSMs can provide added speed, which becomes increasingly valuable as the volume of transactions increases in very large scale managed services.
- Cost-efficiency. nCipher HSMs provide a much more economic backup model than alternative solutions – a key differentiator when operating 24x7 managed services.
- Accreditation. nCipher products have a long history of multiple and international certifications including, what is standard for Trustis, FIPS 140-2 Level 3.
- Simplicity. The nCipher product line is simple to understand and explain. There is an efficient backup and recovery model, which is critical for Managed Service Providers.
- Support. We’ve had an excellent track record with nCiphersupport. Their support team is always available and their service staff are well trained.
- Partnership. Cloud services are still relatively new to government and enterprise and there can be many security issues to deal with. Having a partner like nCipher that understands PKI and cloud services is vital to our shared success.
Trustis knew the service could be revolutionary. It would give public and private organizations alike an easy, cloud-based process for adopting mobile technology without having to invest in new or upgraded PKI technology. It could for example allow agencies to roll out a few dozen smartphones or 100,000 iPads quickly and without a lengthy IT security project. It would provide mobile device management products with a robust and compliant PKI to underpin their security features. And it would make mobile technology easier to manage, giving administrators the ability to control all credentials on a user-to-user basis. By making strong authentication easy, costeffective and quick to deploy, it would allow organizations to achieve all the gains in productivity and collaboration that mobile devices can offer.
THE CHALLENGE: PROVIDING HIGH ASSURANCE AND SCALING FOR GROWTH
One major hurdle for Trustis was to ensure the authentication enabled by their PKI services would provide an appropriate level of assurance to meet the strict standards of UK government classification as well as private sector usage. But the technology couldn’t be too costly or it would defeat the government’s objective of achieving cost savings through cloud-based services. It also couldn’t be too slow or too cumbersome – speed and ease-of-use were critical to delivering the value that would draw customers to the solution. And finally it needed to be in a position to scale to accommodate rapid growth.
From their long history and experience implementing PKI best practices, Trustis recognized the importance of using hardware security modules (HSMs) to protect private signing keys and signing operations for root and issuing certificate authorities (CAs) – even though their operations are operated in a highly secure ex-military facility. Combining dedicated hardware-based cryptography with proper procedures and processes, Trustis could offer a provable, auditable, high-assurance PKI foundation. But to meet the remaining requirements in their managed service environment, Trustis would need to deploy HSMs that could provide the type of operational efficiencies that do not often go hand-in-hand with high levels of security.
THE SOLUTION: NCIPHER HSMS
Trustis chose to build its Mobile Device Certificate Service solution using nCipher nShield Connect HSMs. nShield HSMs provide a hardened, tamper-resistant environment to protect private PKI signing keys and associated cryptographic operations from vulnerabilities such as key theft that could undermine the trust of the entire system. The nCipher HSMs not only enabled Trustis to comply with the government’s exacting security standards and the assurance needs of private enterprises, but also to achieve the reliability, scalability and high availability it would need for a cloud service.
“It wasn’t a difficult decision,” says Robert Hann, Business Development Director at Trustis. “We provide managed service PKIs for a wide variety of organizations, and all of our managed PKI solutions rely on nCipher HSMs because of their unique combination of strong security and operational ease for critical functions like key backup. They are also interoperable with multiple PKI products, highly reliable, and the company provides excellent customer service – which all combines to make them the most cost-effective choice for us.”
nShield Connect, the device deployed for this solution, is a highperformance network-attached hardware security module (HSM). nShield Connect delivers highly secure cryptographic services that provide a cost-effective way to establish appropriate levels of physical and logical controls for PKIs and many other business applications. Fully supporting the unique nCipher Security World architecture, nShield Connect provides an ideal combination of high assurance and operational ease, which is critical in a managed service environment. The benefits for both in-house and managed service PKI deployments include:
- Easily deployed and independently certified security for high assurance key management and certificate issuance processes
- Accelerated cryptographic signing processes to boost performance and enable application and process scalability
- Tightly enforced key management policies to simplify compliance demonstration and responses to audit requests
- Choice from a range of form factors and performance ratings to meet deployment scenarios ranging from low volume, offline root CAs to high volume, redundant, network-attached CAs
ABOUT NCIPHER SECURITY
Today’s fast moving digital environment enhances customer satisfaction, gives competitive advantage and improves operational efficiency. It also multiplies the security risks. nCipher Security empowers world-leading organizations by delivering trust, integrity and control to their business critical information and applications.
Our cryptographic solutions secure emerging technologies – cloud, IoT, blockchain, digital payments – and help meet new compliance mandates, using the same proven technology that global organizations depend on today to protect against threats to their sensitive data, network communications and enterprise infrastructure. We deliver trust for your business critical applications, ensuring the integrity of your data and putting you in complete control – today, tomorrow, at all times.
To find out more how nCipher Security can deliver trust, integrity and control to your business critical information and applications, visit www.ncipher.com.