
Why You Need Trust, Integrity and Control for Machine Identities in HSMs

March 20, 2019 | Bridget Hildebrand

Organizations are increasingly concerned about protecting the cryptographic keys that serve as machine identities and underpin enterprise IT systems. As the number of severe vulnerabilities and attacks targeting encryption keys and key-handling processes grows, the need for strong private keys for certificates and SSH throughout the enterprise becomes more acute. A private key stored in a file or held in application memory is exposed to anyone who can read that file or scrape that process's memory, and to side-channel attacks against the software that uses it.

Generating keys in a Hardware Security Module (HSM) addresses these risks: the HSM produces FIPS-compliant private keys using its own hardware random number generator and keeps them inside tamper-resistant hardware. So far, so good. But while HSMs provide a trusted, proven and auditable way to secure machine identities, many organizations still generate keys with custom scripts and other manual processes, which leaves those keys far more exposed to attack and introduces new risks across the enterprise.

To help address many of these issues, Venafi recently announced an integration with nCipher nShield HSMs. By integrating machine identity protection with HSMs, organizations can use their HSMs to generate and store keys securely, without the private keys ever leaving the HSM. The integration orchestrates HSM-based generation and storage of cryptographically strong keys across the enterprise.

In this and the accompanying blog written by Juan Asenjo from nCipher, we discuss the reasons why we must expand machine identity protection and the critical factors to consider.


When considering integrated solutions such as this, there are three factors that will help you maximize protection for machine identities in your HSM implementation—trust, integrity and control.

Delivering trust for your business-critical applications

As your organization moves to increasingly digital environments, you need to be able to trust the machines used across your network to support critical business functions. In particular, you need to secure machine-to-machine connections such as web transactions, privileged access and code signing. HSM key generation and hardware key protection have long been used in security-conscious industries to secure critical business applications that handle sensitive data. HSMs are also essential for a secure PKI and for protecting the private keys behind the SSL/TLS certificates deployed to critical business applications.

Ensuring the integrity of your data

Without life cycle orchestration for certificate and SSH keys, broad HSM usage creates a new challenge for organizations that want complete visibility into all of their keystores in order to ensure integrity. This applies even to the keys stored in the HSM. Organizations that deploy HSMs widely may also lack the ability to centrally manage all of their distributed keystores, and so cannot consistently apply enterprise policy controls. If the identities of these machines are not authenticated and protected, they are open to misuse by cybercriminals.

Putting you in complete control

Through consistent use of strong cryptographic keys, you can own and control the keys and certificates that authenticate machine identities and establish trust in your digital transactions. One way to do that is to integrate machine identity protection with a central HSM that generates key pairs using strong hardware random number generation. Key pairs are generated inside the HSM, where applications use them through the HSM's interface and receive only the results of operations such as signatures; the private keys never leave the hardened, tamper-resistant HSM appliance.
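The following is an added example, not Venafi or nCipher code, showing what "the private key never leaves the HSM" looks like in practice through PKCS#11, the interface most applications use to reach an HSM (nShield exposes one). It generates an RSA key pair on the token with a private-key template that makes the key persistent, sensitive and non-extractable, reads those attributes back to confirm the token honoured them, and signs data inside the token. The audit function also runs offline over two constructed attribute sets. The environment variable names, the key label and the module path are assumptions; the library is python-pkcs11.

```python
"""Generate an RSA key pair inside a PKCS#11 token, confirm the private key is
HSM-resident and non-exportable, and sign without the key leaving the device.

Added example, not Venafi or nCipher code. Assumes (not from the original page):
PKCS11_MODULE = path to the vendor PKCS#11 library (nShield's libcknfast.so, or
SoftHSM2 for testing), PKCS11_TOKEN = token label, PKCS11_PIN = user PIN.
"""
import os

try:
    import pkcs11                      # pip install python-pkcs11
    from pkcs11 import Attribute, KeyType, Mechanism
except ImportError:                    # only needed to talk to a real token
    pkcs11 = None

# CKA_* attributes a private key must carry to stay inside the HSM.
REQUIRED_PRIVATE_KEY_ATTRS = {
    "CKA_TOKEN": True,         # persistent on the token, not session-only
    "CKA_PRIVATE": True,       # only visible after login
    "CKA_SENSITIVE": True,     # value can never be read out in the clear
    "CKA_EXTRACTABLE": False,  # value can never be wrapped off the token
    "CKA_MODIFIABLE": False,   # the attributes above cannot be changed later
}


def check_private_key_attrs(attrs):
    """Audit a private key's attribute dict; an empty list means the key is
    HSM-resident and non-exportable. Missing attributes are findings because
    PKCS#11 defaults for SENSITIVE/EXTRACTABLE vary by vendor."""
    findings = []
    for name, wanted in REQUIRED_PRIVATE_KEY_ATTRS.items():
        actual = attrs.get(name)
        if actual is None:
            findings.append(f"{name} not set (defaults vary by vendor)")
        elif actual != wanted:
            findings.append(f"{name} is {actual}, must be {wanted}")
    return findings


def _attr(name):
    """Map a CKA_* name to the python-pkcs11 Attribute enum member."""
    return getattr(Attribute, name[len("CKA_"):])


def read_private_key_attrs(key):
    """Read the audited attributes back from a live key object on the token."""
    return {name: key[_attr(name)] for name in REQUIRED_PRIVATE_KEY_ATTRS}


def generate_and_sign(label, data):
    """Generate an RSA-3072 pair on the token under `label`, verify the stored
    private key is non-exportable, and return a SHA256-RSA-PKCS signature
    computed inside the token. Requires a real PKCS#11 module."""
    lib = pkcs11.lib(os.environ["PKCS11_MODULE"])
    token = lib.get_token(token_label=os.environ["PKCS11_TOKEN"])
    with token.open(user_pin=os.environ["PKCS11_PIN"], rw=True) as session:
        private_template = {_attr(n): v for n, v in REQUIRED_PRIVATE_KEY_ATTRS.items()}
        private_template[Attribute.SIGN] = True
        pub, priv = session.generate_keypair(
            KeyType.RSA, 3072, label=label, store=True,
            public_template={Attribute.VERIFY: True},
            private_template=private_template,
        )
        # Check what the token actually stored, not what we asked for.
        findings = check_private_key_attrs(read_private_key_attrs(priv))
        if findings:
            priv.destroy()
            pub.destroy()
            raise RuntimeError("key is not HSM-resident: " + "; ".join(findings))
        # Only the signature leaves the token; the private key value never does.
        sig = priv.sign(data, mechanism=Mechanism.SHA256_RSA_PKCS)
        pub.verify(data, sig, mechanism=Mechanism.SHA256_RSA_PKCS)
        return sig


# Constructed attribute sets (not read from a real token) for the offline audit.
HSM_RESIDENT_KEY = {"CKA_TOKEN": True, "CKA_PRIVATE": True, "CKA_SENSITIVE": True,
                    "CKA_EXTRACTABLE": False, "CKA_MODIFIABLE": False}
# What a script-generated key often looks like when vendor defaults are taken.
EXPORTABLE_KEY = {"CKA_TOKEN": True, "CKA_PRIVATE": True, "CKA_SENSITIVE": False,
                  "CKA_EXTRACTABLE": True}

if __name__ == "__main__":
    print("resident key findings:", check_private_key_attrs(HSM_RESIDENT_KEY))
    print("exportable key findings:", check_private_key_attrs(EXPORTABLE_KEY))
    if pkcs11 is not None and "PKCS11_MODULE" in os.environ:
        print(generate_and_sign("machine-identity-demo", b"hello").hex())
```

The read-back step matters: a token may silently ignore template attributes it does not support, and CKA_SENSITIVE and CKA_EXTRACTABLE are the two that decide whether a key can be wrapped off the device. Auditing existing keys with the same check is how you find keys that were generated "in the HSM" by ad hoc scripts but are still exportable.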

By integrating machine identity protection with your HSMs, you can expect fast, automated orchestration of HSM key generation, installation and hardware protection. An automated approach to protecting machine identities in HSMs can help you improve security, increase efficiency and meet compliance requirements. An integrated solution also strengthens machine identity protection programs by eliminating time-consuming manual tasks that raise the risk of exposing private keys and introduce errors that threaten application availability.

To learn more about expanding machine identity protection, read Juan Asenjo's blog "Trust, integrity, control – critically important factors for machine identity protection," and visit the Venafi and nCipher websites.

About the author

Bridget Hildebrand

Bridget Hildebrand writes for Venafi's blog and is an expert in machine identity protection.