Achieving Agile Cryptography Management with Crypto Service Gateway (CSG)

by Rob Stubbs on 23. January 2019

CSG helps you realize business-agile and efficient crypto services, with central control of security policy and crypto hardware. In this article, we will look at some of the use cases that address common crypto headaches whilst generating a strong return on investment.

HSM Consolidation & Management

Hardware Security Modules (HSMs) are typically deployed within standalone solutions. This results in an ever-growing number of under-utilized HSMs (often <5% utilization), often from multiple vendors, being operated and managed by different teams that all need training and experience on the HSMs they’re using.

This siloed approach is grossly inefficient in terms of HSM utilization and human resources, and the inevitable different approaches to their management and operation give rise to security and compliance challenges around key management, operational processes and audits.

CSG solves this by helping you build a secure HSM farm that is shared efficiently between all your applications, providing load-sharing, resilience and business continuity. CSG supports all the major HSM vendors, centralizing the key management and auditing functions, and the savings mean it can pay for itself within 12 months. See CSG product sheet for more details...

HSM management and monitoring doesn’t get any easier!

Centralized Policy Management and Crypto Agility

Do you know which algorithms all your applications are using? What key sizes? Which encryption modes? Which padding types? Are keys being expired and rotated as they should? If an algorithm is no longer considered to be secure, do you know where it is used, and how quickly can you modify all the affected applications?

All too often, cryptographic policy is entrusted to a multitude of application developers with little or no expertise in cryptography and hard-coded into every application.

CSG solves this by providing the means to control cryptographic policy centrally under the auspices of a small team of crypto experts. Applications can be constrained to white-listed crypto operations and a centrally-defined set of keys and crypto parameters. This also facilitates crypto agility – the ability to swiftly change policy, such as migrating from an insecure algorithm, without re-building and re-testing all your applications. And it centralizes critical functions such as key management and auditing to simplify compliance.

Regain control of crypto policy across the entire enterprise!

Simplifying Crypto Application Development

Expecting each application developer to understand the complexities and nuances of cryptography and get everything right is simply unrealistic. Using APIs such as PKCS#11 is challenging, even for experts – it is quite possible to make a tiny mistake such that the application still works perfectly but is horribly insecure.

This can be mitigated to some extent by careful design, exhaustive peer reviews and security-focused testing, but this all lengthens the development cycle. And any change to algorithms, key lengths, or other crypto parameters necessitates a major re-iteration cycle.

CSG solves this by enabling applications to be developed more quickly and with much lower risk. A RESTful API provides simple operations such as “ENCRYPT” and “SIGN” that don’t require a complex array of parameters or careful management of keys – this is all handled transparently within CSG according to a set of centrally-managed rules.
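The central-policy and simple-operation ideas from the two sections above, as an added Python sketch that is not CSG's API or Cryptomathic's code: every name here (`POLICIES`, `APP_WHITELIST`, `sign`, `verify`, `migrate`, `retire`) is hypothetical, the keys are constructed demo values, and HMAC stands in for the "SIGN" operation. It shows a policy moving from a deprecated algorithm to a new one while the calling application stays unchanged.

```python
import hmac
import os

# Hypothetical central policy store, owned by the crypto team. Algorithm and
# key choices live only here; applications name a policy, never an algorithm.
KEYS = {1: os.urandom(32), 2: os.urandom(32)}  # constructed demo keys
POLICIES = {"payments-mac": {"current": 1, "versions": {
    1: {"alg": "sha1", "key": 1, "verify": True}}}}
# Whitelist of (operation, policy) pairs each application may use.
APP_WHITELIST = {"billing-app": {("SIGN", "payments-mac"),
                                 ("VERIFY", "payments-mac")}}

class PolicyError(Exception):
    pass

def _authorize(app, op, policy):
    if (op, policy) not in APP_WHITELIST.get(app, set()):
        raise PolicyError(f"{app} may not {op} under {policy}")

def _tag(rule, data):
    return hmac.new(KEYS[rule["key"]], data, rule["alg"]).hexdigest()

def sign(app, policy, data):
    """SIGN: the caller supplies only its identity, a policy name and data."""
    _authorize(app, "SIGN", policy)
    ver = POLICIES[policy]["current"]
    return f"v{ver}:{_tag(POLICIES[policy]['versions'][ver], data)}"

def verify(app, policy, data, token):
    """VERIFY: the version prefix selects the rule the token was made under."""
    _authorize(app, "VERIFY", policy)
    ver, _, tag = token.partition(":")
    if not (ver.startswith("v") and ver[1:].isdecimal()):
        return False
    rule = POLICIES[policy]["versions"].get(int(ver[1:]))
    if rule is None or not rule["verify"]:
        return False  # unknown or retired version
    return hmac.compare_digest(_tag(rule, data).encode(), tag.encode())

def migrate(policy, alg, key_id):
    """Policy change: new tokens use the new rule; old ones still verify."""
    p = POLICIES[policy]
    new_ver = max(p["versions"]) + 1
    p["versions"][new_ver] = {"alg": alg, "key": key_id, "verify": True}
    p["current"] = new_ver
    return new_ver

def retire(policy, ver):
    """End of migration window: tokens from the old rule are rejected."""
    POLICIES[policy]["versions"][ver]["verify"] = False
```

Because each token carries the policy version it was produced under, an inventory of outstanding versions tells the crypto team when the old rule can be retired.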

Build new crypto applications in less time and with less risk.

Enhanced Security and Compliance

All too often, crypto applications run in software on insecure servers with their keys exposed on disk or in memory. Key compromise can result in the sort of data breaches we see in the press every week.

HSMs can be used to improve security, but they add cost and complexity, require specialist skills, increase the duration of the development project and need to be managed and monitored on an on-going basis.

CSG solves this by enabling applications to off-load all their cryptographic processing and key management to a centralized platform and HSM farm for the ultimate in cost efficiency, security and compliance.

Keep your data safe using CSG’s cryptography-as-a-service operational paradigm.

Case Study – Barclays

Barclays, one of the top 5 UK banks, was an early adopter of CSG. As they migrated from mainframe-based cryptography in favor of network-based HSMs, the number of project-specific HSMs grew into the hundreds. Apart from the inefficiency and cost of this approach, it also meant that important cryptographic decisions, such as algorithm choices or key sizes, were being enforced on a per-project basis, complicating audits and compliance and limiting flexibility.

Barclays now have around 200 applications sharing a handful of HSMs in a centralized HSM farm, resulting in significant year-on-year cost savings.

It also helps to improve the bank’s agility, with the ability to deliver critical new applications into production within weeks rather than months.

For more details on how Barclays built a scalable cryptography-as-a-service solution, see the case study.

Case Study – Elan Financial Services

Elan Financial Services, part of U.S. Bancorp and a leading issuer and acquirer for debit and credit cards serving ~2,000 banks, credit unions and other organizations, chose Cryptomathic to deliver a solution to support their migration to EMV and deliver faster and more versatile contact and contactless payment card services.

CSG is a critical element of the overall solution, providing business-agile and efficient crypto services in support of interrogating online cryptograms and offline data authentication to advise whether the card is authorized as genuine, as defined by issuer-determined risk parameters.

For more details on how Elan Financial Services use CSG as part of an EMV card authorization solution, see the case study.
