As the number of severe vulnerabilities and attacks targeting encryption keys and processes increases, the need for strong private keys for certificates and SSH throughout the enterprise is becoming more acute. For example, when private keys are stored in files or memory, they are susceptible to file and memory scraping as well as side-channel attacks. Generating keys through a Hardware Security Module (HSM) addresses these risks by producing strong FIPS‐compliant private keys with maximum entropy, using random number generation and secure hardware protection.
HSM security has long been used in security‐conscious industries, including banking, financial services, government agencies and retail. Critical business applications containing sensitive data often use HSM key management and hardware protection. HSMs are also essential for secure PKI as well as to protect SSL/TLS certificates that are deployed to critical business applications. However, the management of certificates in HSM environments has to date been a resource‐intensive, manual process.
Without key life cycle orchestration for certificates and SSH, broad HSM usage creates new challenges for organizations that want complete visibility into all of their keystores. This is a challenge even for the keys stored in the HSM. Organizations that deploy HSMs widely also lack the ability to centrally manage all of their distributed keystores and are unable to consistently apply enterprise policy controls.
Previously, when organizations wanted to use automation to leverage strong HSM keys, manage the entire key life cycle and apply policies or streamline workflows, they had to create custom scripts or run manual processes—both of which required major investments. These largely manual efforts often resulted in high-maintenance, error-prone solutions that did not scale.
By integrating machine identity protection with HSMs, organizations can use their HSMs to generate and store keys securely—without the keys ever leaving the HSM. Such an integration would power the use of safe cryptographic keys by orchestrating HSM-based generation and storage of cryptographically strong keys across the enterprise.
Integrating machine identity protection with a central HSM to generate key pairs will deliver keys created with strong random number generation. This allows the machine identity protection platform to orchestrate the connection to the system that needs the certificate. Key pairs are securely generated in the HSM where they can be accessed by applications, and the private keys never leave the hardened, tamper-resistant HSM appliance. The key pair is securely maintained on the HSM, delivering HSM-based key protection—without the private key ever leaving the HSM.
For applications that do not have the capability to integrate with an HSM, the integrated solution can generate the X.509 and SSH keys in a central HSM, export the key pair from the HSM and install the private key and certificate on the system that will use them.
All operations are performed without an administrator executing manual tasks on servers or virtual machines. This allows operations to be performed according to the common, centralized policy shared across the machine identity protection platform for all key and certificate generation, use and renewal.
By integrating machine identity protection with their HSMs, organizations can expect fast, automated orchestration of secure HSM key generation, installation and hardware protection to improve security, increase efficiencies and meet compliance requirements. An integrated solution strengthens machine identity protection programs by eliminating time-consuming tasks, which can also increase the risk of exposing private keys and introduce errors that threaten application availability.