This article discusses the various issues around key management and presents Cryptomathic's approach to central key and crypto management, which has been adopted by major banks. Many banking and finance organizations face challenges when implementing and maintaining the cryptography that protects their sensitive data, on both new projects and legacy systems.
Over time, major banking organizations adopted network-based Hardware Security Modules (HSMs) for securing mission-critical infrastructures such as Public Key Infrastructure (PKI) and online transactions.
HSMs are dedicated hardware devices designed to store and manage private and public keys. The rapid growth in the number of HSMs deployed within organizations has led to scalability issues and challenges in managing cryptographic implementations.
Some of the challenges faced by financial organizations dealing with multi-vendor HSMs include:
- Increase in cost for training employees
- Lack of flexibility and scalability in project implementations
- No centralized control and policy management
With the explosion in the number of HSMs purchased in an organization, cryptographic decisions such as algorithms, key sizes, and crypto-periods are often enforced on a per-project basis. This reduces the flexibility and scalability of projects.
Experts agree that deprecating a cryptographic algorithm or hash (MD5, SHA1, DES) in such a scenario is highly expensive, because every project enforcing its own choices must be changed. A large number of HSMs also means additional training costs for developers and architects, who must become familiar with each brand of HSM in use.
Organizations have therefore sought solutions that avoid this financial burden by making better use of existing HSM infrastructure and capacity. A vendor-neutral cryptographic solution was needed to address these issues.
Cryptomathic was well aware of the problems occurring in large-scale deployments. Crypto Service Gateway (CSG) was developed to tackle the scalability and flexibility issues of multi-vendor HSMs.
Centralized control and policy management for true crypto-agility
Controlling everything from one place is the simplest and most efficient way to manage crypto.
One of the toughest jobs in crypto management is policy enforcement.
A centralized and granular cryptographic policy can enable seamless updates for all required cryptographic functions without any changes in the application code.
Organizations wanted a solution that provides centralized policy enforcement. Such a system collects all relevant information in a single place for easy audit and presents it in human-readable form, so that demonstrating compliance with internal and external policies becomes much easier.
The CSG solution offered by Cryptomathic was designed to tackle all of the concerns discussed thus far and to offer a centralized crypto service with monitoring capabilities. Centralized controls allow the business to restrict access to cryptographic functions and to enforce policies on key length, rotation, and mode of operation.
Flexibility and Speed
Every banking and finance organization needs to prevent cryptography from becoming a project bottleneck.
Cryptography should be scalable and affordable within the organization. The maintenance of cryptography in legacy applications is another challenge faced by banks.
Crypto Service Gateway provides a solution specifically designed to cater to this issue by effectively (and centrally) managing cryptography in both new and legacy applications.
To meet project deadlines for critical banking applications that require cryptography, speed and cost savings play an important role.
Avoiding significant costs for the purchase of new HSM hardware by utilizing existing HSM capacity within the business can save expenditure and time for mission-critical projects.
Crypto Service Gateway provides an interface between business applications and the underlying cryptographic resources. CSG allows multiple applications to share HSM resources regardless of how many HSMs are deployed or which vendors supplied them. It reduces hardware dependency compared with traditional approaches and improves resilience and performance.
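The following is an added example, not Cryptomathic's code or CSG's API, that models the two ideas above in a toy form: a central policy (algorithms, key sizes, crypto-periods, access rights) enforced at a gateway that applications call by key alias only, and a pool of simulated HSMs from two vendors that the gateway shares between requests. The class and key names (`SimulatedHsm`, `CryptoServiceGateway`, `txn-mac-key`, `payments-app`), the policy values and the sample transaction record are all constructed for the example; real HSMs would be reached over PKCS#11 or a vendor API, and HMAC stands in for whatever operation the application needs. Every request, allowed or denied, produces a human-readable audit line.

```python
import hmac
import secrets
from datetime import date, timedelta


class SimulatedHsm:
    """Stand-in for one vendor's HSM (constructed); key bytes never leave it."""

    def __init__(self, name):
        self.name = name
        self._keys = {}  # alias -> key bytes, reachable only through operations
        self.ops = 0     # operations served, used for load balancing

    def generate_key(self, alias, bits):
        self._keys[alias] = secrets.token_bytes(bits // 8)

    def mac(self, alias, digest, data):
        self.ops += 1
        return hmac.new(self._keys[alias], data, digest).hexdigest()


# Central policy: the one place where algorithms, key sizes, crypto-periods
# and application access rights are written down (all values constructed).
POLICY = {
    "deprecated_digests": {"md5", "sha1"}, "min_key_bits": 256,
    "keys": {
        "txn-mac-key": {"digest": "sha256", "key_bits": 256, "crypto_period_days": 365,
                        "allowed_apps": {"payments-app"}},
    },
}


class PolicyViolation(Exception):
    """A request did not satisfy the central policy."""


class CryptoServiceGateway:
    """Sits between business applications and a pool of HSMs from any vendor."""

    def __init__(self, policy, hsms, today):
        self.policy, self.hsms, self.today = policy, hsms, today
        self.created = {}    # alias -> date the current key generation was made
        self.audit_log = []  # human-readable records for compliance review

    def provision_key(self, alias):
        # Create the key on every HSM so any of them can serve it; calling again rotates it.
        rule = self.policy["keys"][alias]
        for hsm in self.hsms:
            hsm.generate_key(alias, rule["key_bits"])
        self.created[alias] = self.today

    def _check(self, app, alias):
        rule = self.policy["keys"].get(alias)
        if rule is None or app not in rule["allowed_apps"]:
            raise PolicyViolation(f"{app!r} is not permitted to use key {alias!r}")
        if rule["digest"] in self.policy["deprecated_digests"]:
            raise PolicyViolation(f"hmac-{rule['digest']} is deprecated")
        if rule["key_bits"] < self.policy["min_key_bits"]:
            raise PolicyViolation(f"{alias!r} is only {rule['key_bits']} bits long")
        if self.today - self.created[alias] > timedelta(days=rule["crypto_period_days"]):
            raise PolicyViolation(f"crypto-period of {alias!r} has expired; rotate it")
        return rule

    def mac(self, app, alias, data):
        # Applications name a key alias and nothing else: the algorithm is the
        # policy's choice, so deprecating sha1 is a policy edit, not an app release.
        try:
            rule = self._check(app, alias)
        except PolicyViolation as err:
            self.audit_log.append(f"{self.today} app={app} key={alias} DENIED: {err}")
            raise
        hsm = min(self.hsms, key=lambda h: h.ops)  # least-loaded HSM, whatever its vendor
        tag = hsm.mac(alias, rule["digest"], data)
        self.audit_log.append(
            f"{self.today} app={app} key={alias} alg=hmac-{rule['digest']} hsm={hsm.name} OK")
        return tag


def run_demo():
    """Drive the gateway through the normal path and each policy check; return observations."""
    hsms = [SimulatedHsm("vendor-A"), SimulatedHsm("vendor-B")]
    gw = CryptoServiceGateway(POLICY, hsms, date(2024, 1, 1))
    gw.provision_key("txn-mac-key")
    record = b"constructed sample transaction record"
    denials = {}

    def attempt(label, app="payments-app", alias="txn-mac-key"):
        try:
            gw.mac(app, alias, record)
            denials[label] = None
        except PolicyViolation as err:
            denials[label] = str(err)

    tag = gw.mac("payments-app", "txn-mac-key", record)
    attempt("wrong_app", app="reporting-app")
    gw.today = date(2025, 3, 1)                        # 425 days later: crypto-period exceeded
    attempt("expired")
    gw.provision_key("txn-mac-key")                    # rotate under the current policy
    attempt("after_rotation")
    POLICY["keys"]["txn-mac-key"]["digest"] = "sha1"   # a bad central setting is caught centrally
    attempt("deprecated")
    POLICY["keys"]["txn-mac-key"]["digest"] = "sha256"
    return {"tag_hex_len": len(tag), "denials": denials,
            "hsms_used": sum(1 for h in hsms if h.ops), "audit": gw.audit_log}
```

Running `run_demo()` and printing `gw.audit_log` shows one line per request: the first MAC served by vendor-A, the unauthorized application denied, the expired key denied until it is rotated, the rotated key served by vendor-B, and the deprecated digest refused even though an administrator had written it into the policy. The application code that calls `mac()` is the same in every case, which is the property the section above describes: the policy, not the application, decides the algorithm, the key length and how long a key may be used.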
References and further reading
- Selected articles on HSMs (2013-17), by Ashiq JA, Peter Landrock, Peter Smirnoff, Steva Marshall, Torben Pedersen and more
- CSG - Case Study by Cryptomathic
- Advantages of Centralized Key Management (2015) by Ashiq J.A.
- How to Solve the Biggest Problems with Key Management (2015) by Ashiq J.A.