Severe competition and increasingly volatile markets push CIOs and CISOs to rethink their IT and bring costs down.
At the same time, many banks opt for a service platform strategy, which requires the banks’ IT in general, and the crypto architecture in specific to be more flexible and sophisticated.
In this article, we will look at how partitioned HSMs can reduce the total cost of ownership and at the same time make the architecture more flexible and able to rapidly embrace new applications.
Partitioned HSMs represent a new technology based on virtualization and hardware partitioning. This approach contributes to a reduction of TCO – Total Cost of Ownership.
The total cost of ownership of an HSM is a variable, which describes both the direct and indirect costs of an HSM. HSMs can be quite costly, and they also require service and maintenance.
In what follows we will see how using HSM partitioning can help to significantly lower TCO.
An HSM is a computer, it has a motherboard with processors, usually crypto-processors, disks, communication systems (USB, Ethernet, etc).
These hardware resources can be partitioned to create several ‘little’ HSM instances from the hardware HSM.
In logical terms, these HSMs are absolutely identical to a normal HSM, they share exactly the same characteristics and security.
Hardware safety module (HSM) Source: University of Patras.
Windows users know this process when creating separated disk volume from an existing hardware disk. The Windows operating system sees the disk volume with all the characteristics and attributes of a real disk, while it is, in fact, a logical abstraction on the top of a hardware device.
There are many ways to achieve hardware partitioning. Sometimes micro-partitioning can even be used by creating several logical processors from a unique physical processor.
Depending on the hardware capacities, hardware partitioning may even provide isolation between the partitions. E.g., it can create electrical isolation between two HSM instances: if one instance HSM is faulty, the other won’t be affected.
Two of the HSM’s many added values are the cryptoprocessor and an anti-tampering system to protect the ‘cryptographic heart’. Sometimes the resources won’t be used to their maximum capacity.
Therefore, they can be shared between multiple partitioned HSMs. These partitioned HSMs will all use the cryptographic capacity and resources of the hardware HSM.
When partitioning a FIPS-140 based HSM, the instantiations will be also compliant to the standard.
Partitioning HSMs allows separate backup / restore procedures. They also allow separate specialization. For example, one HSM instance can be used as a Payment HSM, while another instance can be used for a general-purpose.
HSM partitions are isolated (‘firewalled’) from each other
by hardware (say, individual stacks registers),
by cryptography – since they have different master keys,
by memory process isolation (like all operating systems do)
through modern virtualization machine isolation
but they share the same cryptographic heart protected from intrusion by a secure grid.
Some manufacturers allow for micro-partitioning of partitioned HSMs. In such a case the partition system controls time slicing and manages
all the hardware interrupts, dynamic movement of resources across multiple operating systems,
and also the dispatching of logical partition workloads
Micro-partitioning allows for a finer granularity for creating HSM instances and can be an ideal solution but depends greatly on the hardware capacities.
Using HSM Partitions
Using HSM partitions is very simple. First, they need to be created by the system administrator using remote access. The procedure for creating such partitions varies with the HSM vendors.
Usually, a private key must be downloaded and the administrator must generate passwords for the selected security officers that will access the newly created partition HSM.
When creating a partition HSM, the administrator will require one or several of the following resources:
The security officer that will use the HSM
The partition password (must usually respect strong rules)
The new TOKEN name for the HSM
The domain, the storage size, and eventually other hardware data.
Advantages Of Partitioned HSM
The purely virtual deployment and its level of automation in creating and managing virtual HSM instances will have a direct impact on TCO
All deployment can be done centrally in a highly automated process with a comfortable UI and with no need for additional hardware or physical installation. Rapid inclusion of new applications as required in a platform strategy is hence made easy.
Key management procedures can also be modified purely virtually and from the same physical location
Risks are minimized and time to deployment reduced as the system administrator does not have to deal with various vendor-specific procedures nor with additional hardware
Time-consuming manual work is avoided. At the same time, the risk of errors is reduced.
HSM partitions involve multi-tenancy. Indeed, hardware partitioning is a technique that allows streaming the hardware components of a machine into, literally, sub-machines made of sub-hardware pieces.
This eliminates the complexity and reduces the overall costs associated with HSMs.
In a public cloud, multi-tenancy enables firewalls inside the secure boundaries of the HSM. This allows the separation of the partitions between each other.
In the context of an organization using cloud applications, HSM partition is therefore ideal to lower TCO.
HSM partitioning allows organizations to consolidate their HSM estate by replacing old or unsupported, phased-out HSMs by a partition HSM which leads to a reduction in TCO.
Therefore, rationalizing the number of HSMs and having but a few modern models of HSMs should be part of operationalized goals when implementing TCO strategies. This also lowers the TCO.
If an HSM partition has a problem, it can be recreated and maintained remotely. Replacing a hardware-based HSM would be much more time and resource-consuming. This reduces the overall cost of maintenance and service, lowering the TCO.
Summary
We looked at the capacities of HSM partitioning. HSM partitions can significantly reduce the TCO of an organization.
HSM partitioning is a relatively new technology and allows building “virtual HSMs” from a single hardware HSM that shares the exact security, cryptographic capacities, and anti-tampering than a hardware one.
Acodez is a renowned web application development services and Emerging Technology Services company in India. We offer all kinds of web design and web development services to our clients using the latest technologies. We are also a leading digital marketing company providing SEO, SMM, SEM, Inbound marketing services, etc at affordable prices. For further information, please contact us.
Looking for a good team
for your next project?
Contact us and we'll give you a preliminary free consultation on the web & mobile strategy that'd suit your needs best.
Rithesh Raghavan, Co-Founder, and Director at Acodez IT Solutions, who has a rich experience of 16+ years in IT & Digital Marketing. Between his busy schedule, whenever he finds the time he writes up his thoughts on the latest trends and developments in the world of IT and software development. All thanks to his master brain behind the gleaming success of Acodez.
