Blog - Cryptomathic

How to implement efficient Key Management in a Legacy Infrastructure

Written by Ashiq JA (guest) | 19. October 2015

In this article, we discuss the various issues and present Cryptomathic’s approach to central key and crypto management that has been adopted by major banks. Many banking and finance organizations face challenges during implementation and maintenance of cryptography on both new projects and legacy systems.

Over time, major banking organizations adopted network-based Hardware Security Modules (HSMs) for securing mission-critical infrastructure such as PKI and online transactions.

HSMs are dedicated hardware systems designed to store and manage private and public keys. The significant increase in the number of HSMs in organizations has led to scalability issues and challenges in managing cryptographic implementations.

Do you see an increase in HSM purchases?

Some of the challenges faced by financial organizations dealing with multi-vendor HSMs include:

  1. Increase in cost for training employees
  2. Lack of flexibility and scalability in project implementations
  3. No centralized control and policy management

With the explosion in the number of HSMs purchased in an organization, cryptographic decisions such as algorithms, key sizes and crypto-periods are often enforced on a per-project basis. This reduces the flexibility and scalability of projects.

Experts suggest that deprecating a cryptographic algorithm or hash (MD5, SHA1, DES) in such scenarios will be highly expensive. Another consequence of a large number of HSMs is the additional training cost for developers and architects to become familiar with the different brands of HSM.

Organizations have been searching for solutions that avoid significant financial burdens by utilizing the existing HSM infrastructure and capacity within the business. An HSM vendor-neutral cryptographic solution was required in order to solve these challenges.

Cryptomathic was well aware of the problems occurring in large scale deployments. Crypto Service Gateway (CSG) was developed to tackle the issues of scalability and flexibility of multi-vendor HSMs.

Centralized control and policy management

Controlling everything from one place is the simplest and most efficient way to manage crypto. One of the toughest jobs in crypto management is policy enforcement. A centralized and granular cryptographic policy can enable seamless updates for all necessary cryptographic functions without any changes in the application code.

Organizations wanted a solution that provides centralized policy enforcement, where the system collects all relevant information in a single place for easy audit and provides it in human-readable form, so that demonstrating compliance with internal and external policies becomes much easier.

Cryptomathic’s CSG product was developed to handle all the issues discussed above and to provide a centralized crypto service with monitoring capabilities. Centralized controls allow the business to restrict access to cryptographic functions and to enforce policies on key length, rotation and mode of operation.
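The following is an added illustration (not Cryptomathic's or CSG's code) of the two points made above: a single central policy deciding every application's crypto request on algorithm, key length, mode and crypto-period, and writing a human-readable audit record, so that deprecating a primitive such as SHA1 or DES is a policy change rather than a change to each application. The policy values, application names and request format are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Central policy (constructed for illustration): one place to deprecate a primitive,
# raise a minimum key length, restrict a mode or shorten a crypto-period.
POLICY = {
    "deprecated": {"MD5", "SHA1", "DES"},
    "min_key_bits": {"AES": 128, "RSA": 2048, "3DES": 168},
    "allowed_modes": {"AES": {"GCM", "CBC"}},
    "crypto_period_days": {"AES": 365, "RSA": 730, "3DES": 365},
}

@dataclass
class CryptoRequest:
    app: str            # calling business application (hypothetical names)
    algorithm: str
    key_bits: int       # 0 for an unkeyed hash
    mode: Optional[str]
    key_created: date   # when the key was generated, for crypto-period checks

AUDIT_LOG = []          # human-readable records, one per decision

def evaluate(req, today, policy=POLICY):
    """Decide a request against the central policy; returns (allowed, reason)."""
    reasons = []
    if req.algorithm in policy["deprecated"]:
        reasons.append(f"{req.algorithm} is deprecated")
    min_bits = policy["min_key_bits"].get(req.algorithm)
    if min_bits is not None and req.key_bits < min_bits:
        reasons.append(f"key length {req.key_bits} below minimum {min_bits}")
    modes = policy["allowed_modes"].get(req.algorithm)
    if modes is not None and req.mode not in modes:
        reasons.append(f"mode {req.mode} not permitted")
    period = policy["crypto_period_days"].get(req.algorithm)
    if period is not None and (today - req.key_created).days > period:
        reasons.append(f"key exceeds crypto-period of {period} days, rotation required")
    allowed = not reasons
    reason = "policy satisfied" if allowed else "; ".join(reasons)
    AUDIT_LOG.append(f"{today} app={req.app} alg={req.algorithm} bits={req.key_bits} "
                     f"mode={req.mode} {'ALLOW' if allowed else 'DENY'}: {reason}")
    return allowed, reason

if __name__ == "__main__":
    today = date(2015, 10, 19)
    for r in (CryptoRequest("payments", "AES", 256, "GCM", date(2015, 6, 1)),
              CryptoRequest("legacy-batch", "DES", 56, "CBC", date(2010, 1, 1)),
              CryptoRequest("pki", "RSA", 1024, None, date(2012, 1, 1))):
        evaluate(r, today)
    print("\n".join(AUDIT_LOG))
```

Adding "3DES" to the `deprecated` set is the only change needed to start denying 3DES requests from every application at once, which is the behaviour the text attributes to centralized policy management.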

Flexibility and Speed

Every banking and finance organization needs to prevent cryptography from becoming a project bottleneck. Cryptography should be scalable and affordable within the organization. The maintenance of cryptography in legacy applications is another challenge faced by banks. Crypto Service Gateway provides a solution particularly designed to cater for this issue by effectively (and centrally) handling cryptography in both new and legacy applications.

To meet the project deadlines of critical banking applications that require cryptography, speed and cost saving play an important role. Avoiding the significant cost of purchasing new HSM hardware by utilizing existing HSM capacity within the business saves both expenditure and time for mission-critical projects.

Crypto Service Gateway provides an interface between business applications and the underlying cryptographic resources. CSG allows multiple applications to share HSM resources without concern over their number or the vendors that supplied them. Compared with traditional approaches it reduces hardware dependency and improves resilience and performance.

References and further reading

Image: "Dont make me say it!", courtesy of Henrik Bennetsen, Flickr (CC BY-SA 2.0)