Enabling HSM Cryptography as an Integrated Service

An updated version of this article is available under this link.

Development Projects Situations

This second decade since the Millennium is seeing a major uplift in the use of cryptography in existing and new business systems. This uplift is likely to be disproportionately greater than the actual increase in business transaction volumes.

In many instances it is the combined impact of compliance, regulatory and governments
(e.g. the ICO -Information Commissioner's Office - in the UK) and perhaps most importantly organisations' customers are demanding that personal and corporate data are protected.

Otherwise they move to a supplier who does.

Increasingly, the use of encryption techniques is seen as an important part of the solution to the demand for providing secure access to existing business and customer data; via an ever widening range of distribution channels and device form factors.

The simplest development project (if there is such a thing) to deal with, in a project management sense, is the single platform, green field, internal to the organisation project, which is known, or thought, to have few if any new technical challenges. But realistically how many projects fit that category these days?

More likely is the need to introduce additional data protection to an existing business system using encryption. Within that operational system there are almost certainly clearly defined operational characteristics which might state that:

1) You can't fundamentally change the existing systems design and

2) You need to still hit the existing Service Level Agreements and processing windows.

This is much more the real world. The potential complexity of project workflows using cryptography can be illustrated as in figure 1.

CSG art 2

Figure 1: Cryptography Development Project Workflows

The workflow is likely to have more iterations than indicated in figure 1, and one cannot guarantee to solve every real world project situation like the example above, with its two clearly defined operational characteristics - it may be practically impossible to meet these characteristics within the existing system design of the IT application.

The use of cryptography often becomes, or is perceived as, responsible for holding up entire projects. Responding to these development challenges requires organisations to consider moving away from the project by project model and embrace a proactive and sustainable approach to managing cryptography.

Avoiding Choke Points with Crypto Service Gateway

Cryptomathic's Crypto Service Gateway (CSG) is the world's first solution for delivering an integrated cryptographic service model, ideally suited to supporting the use of "application level cryptography". This model can improve workflows and allows an organisation to design and develop its latest business systems, providing, as necessary, End to End (E2E) protection and security of essential data. The organisation can choose to protect as much or as little business data - within transaction flows or as data at rest - as is considered necessary in a disciplined and controlled manner.

CSG art 2

An in-house crypto service model is much easier to use for project managers and developers than the conventional HSM development techniques of the last decade, and can provide a range of advantages, including:

Removing the need for the project to purchase HSM's for both the development and production parts of the project. This activity can be taken off what might be the critical path of that project. (This can lead to project savings of six to eight weeks elapsed time - particularly where cryptography is introduced late and unplanned into the design of a project)
Adoption of CSG will naturally lead to an increasing range of proven tools and techniques that do not have to be re-proven on a per project basis. Techniques will have proven cryptographic performance, which assists in reducing the number of unknowns for all projects.
CSG provides central policy enforcement which contributes significantly to reducing the elapsed time required for independent scrutiny of the cryptography within a new project or enhancement. This is achieved as it is built in as standard to CSG, as are comprehensive levels of auditing and logging. Certain activities can either be dropped completely from the development project plan (you get them as part of using CSG) or they simply become a modest task rather than as set of activities.

Projects using CSG will have access to all available specialist expertise in the organisation more quickly. There may be challenges or difficulties, but the project isn't on its own. Your projects challenge may have been faced by others previously and a solution or explanation may be available.

As deploying cryptographic solutions using CSG becomes your organisation's norm; this leads to a "natural reduction" in single points of failure dependencies within the live system support and enhancement teams. Less reliance on the specialist Fred's of this world!

Further time and cost saving opportunities are discussed in