Achieving Agile Cryptography Management with Crypto Service Gateway (CSG)
Rob Stubbs, 23 September 2022
Cryptomathic's Crypto Service Gateway (CSG) helps you realize business-agile and efficient crypto services, with central control of security policy and crypto hardware. In this article, we look at some of the use cases that address common cryptography headaches whilst generating a strong return on investment.
HSM Consolidation & Management
Hardware Security Modules (HSMs) are usually deployed within standalone solutions. This results in an ever-growing number of under-utilized HSMs (often <5% utilization), frequently from multiple vendors, being operated and managed by different teams that all need training and experience on the HSMs they’re using.
This siloed approach is grossly inefficient with regard to HSM utilization and human resources, and the inevitably different approaches to their management and operation give rise to security and compliance challenges around key management, operational processes and audits.
CSG solves this by helping you build a secure HSM farm that is shared efficiently between all your applications, providing load-sharing, resilience, and business continuity. CSG supports all the major HSM vendors, centralizing the key management and auditing functions, and the savings mean it can pay for itself within a year.
HSM management and monitoring don’t get any easier!
Centralized Policy Management and Crypto Agility
Do you know which algorithm(s) are used by all your applications? What key sizes? Which encryption modes? Which padding types? Are keys being expired and rotated as they should? If an algorithm is no longer considered to be secure, do you know where it is used, and how quickly can you modify all the affected applications?
All too often, cryptographic policy is entrusted to a variety of application developers with little or no expertise in cryptography and hard-coded into each application.
CSG solves this by providing the means to control cryptographic policy centrally under the auspices of a small team of crypto experts. Applications can be limited to white-listed crypto operations and a centrally-defined set of keys and crypto parameters. This also facilitates crypto agility – the ability to swiftly change policy, such as migrating from an insecure algorithm, without re-building and re-testing all your applications. And it centralizes critical functions such as key management and auditing to simplify compliance.
Regain control of crypto policy across the entire enterprise!
Simplifying Crypto Application Development
Expecting each application developer to understand the complexities and nuances of cryptography and get everything right is simply unrealistic. Using APIs such as PKCS#11 is challenging, even for experts – it is quite possible to make a tiny mistake such that the application still works perfectly but is horribly insecure.
This can be mitigated to some extent by careful design, exhaustive peer reviews, and security-focused testing, but this all lengthens the development cycle. Any changes to algorithms, key length, or other crypto parameters require a major rework cycle.
CSG solves this by enabling applications to be developed more quickly and with much lower risk. A RESTful API provides simple operations such as “ENCRYPT” and “SIGN” that don’t require a complex array of parameters or careful management of keys – this is all managed transparently within CSG according to a set of centrally-managed rules.
Build new crypto applications in less time and with less risk.
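To make the two ideas above concrete (a central policy that white-lists operations and resolves a named purpose to a key and algorithm, and an application-facing SIGN/VERIFY that takes no crypto parameters), here is an added, self-contained illustration in Python. It is not CSG's API or code; the key store, policy layout, application names and versioned-tag format are all assumptions made for the example, and the MAC stands in for what an HSM would do.

```python
import hmac
from datetime import date

# Constructed stand-in for the central key store (sample values, not real keys):
# applications refer to keys by label and never receive key material.
KEYS = {
    "mac-2020": {"secret": b"sample-key-2020", "expires": date(2022, 6, 30)},
    "mac-2022": {"secret": b"sample-key-2022", "expires": date(2030, 12, 31)},
}

# Central policy owned by the crypto team: which application may call which operation,
# and which key/algorithm a purpose resolves to (rule versions listed oldest first).
POLICY = {
    "allowed_ops": {"billing-app": {"SIGN", "VERIFY"}, "report-app": {"VERIFY"}},
    "purposes": {"invoice-mac": [{"key": "mac-2020", "hash": "sha1"}]},
}

class PolicyError(Exception):
    """Request falls outside the centrally defined policy."""

def _authorize(app, op, purpose):
    if op not in POLICY["allowed_ops"].get(app, set()):
        raise PolicyError(f"{app} is not white-listed for {op}")
    rules = POLICY["purposes"].get(purpose)
    if not rules:
        raise PolicyError(f"no policy for purpose {purpose!r}")
    return rules

def sign(app, purpose, data, today=None):
    """Application-facing SIGN: the caller names a purpose, never a key or algorithm."""
    rules = _authorize(app, "SIGN", purpose)
    rule = rules[-1]                       # newest rule version is used for signing
    key = KEYS[rule["key"]]
    if (today or date.today()) > key["expires"]:
        raise PolicyError(f"key {rule['key']} expired on {key['expires']}")
    return f"{len(rules)}:" + hmac.new(key["secret"], data, rule["hash"]).hexdigest()

def verify(app, purpose, data, tag):
    """VERIFY uses the rule version recorded in the tag (old tags stay checkable)."""
    rules = _authorize(app, "VERIFY", purpose)
    version, _, mac = tag.partition(":")
    if not version.isdigit() or not 1 <= int(version) <= len(rules):
        return False
    rule = rules[int(version) - 1]
    expected = hmac.new(KEYS[rule["key"]]["secret"], data, rule["hash"]).hexdigest()
    return hmac.compare_digest(expected, mac)

def migrate(purpose, key_label, hash_name):
    """Crypto agility: the crypto team adds a rule version; applications are untouched."""
    POLICY["purposes"][purpose].append({"key": key_label, "hash": hash_name})
```

The point to notice is that retiring SHA-1 in favour of SHA-256 is a single policy change; application code calling sign() and verify() is not rebuilt, and tags issued before the migration remain verifiable because the tag records which rule version produced it.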
Enhanced Security and Compliance
Too frequently, crypto applications run in software on insecure servers with their keys exposed on disk or in memory. Key compromises can result in the sort of data breaches we see weekly in the press.
HSMs can help to improve security, but they add cost and complexity, require specialist skills, increase the duration of the development project, and need to be managed and monitored on an ongoing basis.
CSG solves this by enabling applications to off-load all their cryptographic processing and key management to a centralized platform and HSM farm for the ultimate in cost efficiency, security and compliance.
Protect your data using CSG’s cryptography-as-a-service operational paradigm.
Case Study – Barclays
Barclays, one of the top 5 UK banks, was an early adopter of CSG. As the bank migrated from mainframe-based cryptography to network-based HSMs, the number of project-specific HSMs grew into the hundreds. Apart from the inefficiency and cost of this approach, it also meant that important cryptographic decisions, such as public keys, algorithm choices, or key sizes, were being enforced on a per-project basis, complicating audits and compliance and limiting flexibility.
Barclays now has around 200 applications sharing a handful of HSMs in a centralized HSM farm, resulting in significant year-on-year cost savings.
It also helps to improve the bank’s agility, with the ability to deliver critical new applications into production within weeks rather than months.
See the case study for more details on how Barclays built a scalable cryptography-as-a-service solution.
Case Study – Elan Financial Services
Elan Financial Services, part of U.S. Bancorp, is a leading issuer and acquirer of debit and credit cards serving ~2,000 banks, credit unions, and other organizations. It chose Cryptomathic to deliver a solution supporting its migration to EMV and enabling faster and more versatile contact and contactless payment card services.
CSG is a critical element of the overall solution, providing business-agile and efficient crypto services for verifying online cryptograms and performing offline data authentication, so that a card can be confirmed as genuine according to issuer-determined risk parameters.
See the case study for more details on how Elan Financial Services uses CSG as part of an EMV card authorization solution.