Skip to main content
banner image
venafi logo

Why You Need Trust, Integrity and Control for Machine Identities in HSMs

Why You Need Trust, Integrity and Control for Machine Identities in HSMs

Hardware security module, HSM, nCipher
March 20, 2019 | Bridget Hildebrand

Organizations are increasingly concerned about protecting the cryptographic keys that serve as machine identities and are the foundation of enterprise information technology systems. As the number of severe vulnerabilities and attacks targeting encryption keys and processes increases, the need for strong private keys for certificates and SSH throughout the enterprise becomes more acute. For example, when private keys are stored in files or memory, they are susceptible to file and memory scraping as well as side-channel attacks.

Generating keys through a Hardware Security Module (HSM) addresses these risks by producing strong FIPS‐compliant private keys with maximum entropy, using random number generation and secure hardware protection. This is all good and well. But while HSMs certainly do provide a trusted, proven and auditable way to secure machine identities, many organizations still opt to create custom scripts and use other manual processes to generate keys, leaving them much more vulnerable to attack and introducing new risks to the global enterprise.

To help address many of these issues, Venafi recently announced an integration with nCipher nShield HSMs. By integrating machine identity protection with HSMs, organizations can use their HSMs to generate and store keys securely—without the keys ever leaving the HSM. This integration powers the use of safe cryptographic keys by orchestrating HSM-based generation and storage of cryptographically strong keys across the enterprise.

In this and the accompanying blog written by Juan Asenjo from nCipher, we discuss the reasons why we must expand machine identity protection and the critical factors to consider.

 

When considering integrated solutions such as this, there are three factors that will help you maximize protection for machine identities in your HSM implementation—trust, integrity and control.

Delivering trust for your business-critical applications

As your organization makes the transition to increasingly digital environments, you need to trust the machines that are used across your network to support critical business functions. In particular, you need to secure machine-to-machine connections, such as web transactions, privileged access and authenticating software code. HSM key generation and hardware protection have long been used in security‐conscious industries to secure critical business applications that contain sensitive data. HSMs are also essential for secure PKI as well as to protect SSL/TLS certificates that are deployed to critical business applications.

Ensuring the integrity of your data

Without key life cycle orchestration for certificates and SSH, broad HSM usage creates new challenges for organizations that want to ensure integrity with complete visibility into all of their keystores. This is a challenge even for the keys stored in the HSM. Organizations that deploy HSMs widely may also lack the ability to centrally manage all of their distributed keystores and are unable to consistently apply enterprise policy controls. If the identities of these machines are not authenticated and protected, then they are open to misuse by cybercriminals.

Putting you in complete control

Through a consistent use of strong cryptographic keys, you can own and control the keys and certificates used to authenticate machine identities and establish trust in your digital transactions. One way to do that is by integrating machine identity protection with a central HSM to generate key pairs to deliver keys created with strong random number generation. Key pairs can be securely generated in the HSM where they can be accessed by applications, and the private keys never leave the hardened, tamper-resistant HSM appliance.

By integrating machine identity protection with your HSMs, you can expect fast, automated orchestration of secure HSM key generation, installation and hardware protection. An automated approach to protecting machine identities in HSMS can help you improve security, increase efficiencies and meet compliance requirements. An integrated solution also strengthens machine identity protection programs by eliminating time-consuming tasks, which can also increase the risk of exposing private keys and introduce errors that threaten application availability.

To learn more about expanding machine identity protection read Juan Asiento’s blog “Trust, integrity, control – critically important factors for machine identity protection,” and check our websites at Venafi and nCipher.

Related posts

Like this blog? We think you will love this.
graphic of a lock on a blue background, casting a shadow
Featured Blog

Secure APIs: Safety Measurements for Your External Interfaces

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

CIO Study: Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

Forrester Consulting Whitepaper: Securing the Enterprise with Machine Identity Protection
Industry Research

Forrester Consulting Whitepaper: Securing the Enterprise with Machine Identity Protection

Machine Identity Protection for Dummies
eBook

Machine Identity Protection for Dummies

About the author

Bridget Hildebrand
Bridget Hildebrand

Bridget is Partner Marketing Manager at Venafi. She has over 18 years of experience managing global channel programs and strategic alliances for a broad range of technology and manufacturing organizations.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more
Chat