Severe competition and increasingly volatile markets push CIOs and CISOs to rethink their IT and bring costs down.
At the same time, many banks opt for a service platform strategy, which requires the banks’ IT in general, and the crypto architecture in specific to be more flexible and sophisticated.
In this article, we will look at how partitioned HSMs can reduce the total cost of ownership and at the same time make the architecture more flexible and able to rapidly embrace new applications.
Partitioned HSMs represent a new technology based on virtualization and hardware partitioning. This approach contributes to a reduction of TCO – Total Cost of Ownership.
The total cost of ownership of an HSM is a variable, which describes both the direct and indirect costs of an HSM. HSMs can be quite costly, and they also require service and maintenance.
In what follows we will see how using HSM partitioning can help to significantly lower TCO.
Table of Contents
An HSM is a computer, it has a motherboard with processors, usually crypto-processors, disks, communication systems (USB, Ethernet, etc).
These hardware resources can be partitioned to create several ‘little’ HSM instances from the hardware HSM.
In logical terms, these HSMs are absolutely identical to a normal HSM, they share exactly the same characteristics and security.
Windows users know this process when creating separated disk volume from an existing hardware disk. The Windows operating system sees the disk volume with all the characteristics and attributes of a real disk, while it is, in fact, a logical abstraction on the top of a hardware device.
There are many ways to achieve hardware partitioning. Sometimes micro-partitioning can even be used by creating several logical processors from a unique physical processor.
Depending on the hardware capacities, hardware partitioning may even provide isolation between the partitions. E.g., it can create electrical isolation between two HSM instances: if one instance HSM is faulty, the other won’t be affected.
Two of the HSM’s many added values are the cryptoprocessor and an anti-tampering system to protect the ‘cryptographic heart’. Sometimes the resources won’t be used to their maximum capacity.
Therefore, they can be shared between multiple partitioned HSMs. These partitioned HSMs will all use the cryptographic capacity and resources of the hardware HSM.
When partitioning a FIPS-140 based HSM, the instantiations will be also compliant to the standard.
Partitioning HSMs allows separate backup / restore procedures. They also allow separate specialization. For example, one HSM instance can be used as a Payment HSM, while another instance can be used for a general-purpose.
HSM partitions are isolated (‘firewalled’) from each other
but they share the same cryptographic heart protected from intrusion by a secure grid.
Some manufacturers allow for micro-partitioning of partitioned HSMs. In such a case the partition system controls time slicing and manages
Micro-partitioning allows for a finer granularity for creating HSM instances and can be an ideal solution but depends greatly on the hardware capacities.
Using HSM partitions is very simple. First, they need to be created by the system administrator using remote access. The procedure for creating such partitions varies with the HSM vendors.
Usually, a private key must be downloaded and the administrator must generate passwords for the selected security officers that will access the newly created partition HSM.
When creating a partition HSM, the administrator will require one or several of the following resources:
The purely virtual deployment and its level of automation in creating and managing virtual HSM instances will have a direct impact on TCO
HSM partitions involve multi-tenancy. Indeed, hardware partitioning is a technique that allows streaming the hardware components of a machine into, literally, sub-machines made of sub-hardware pieces.
This eliminates the complexity and reduces the overall costs associated with HSMs.
In a public cloud, multi-tenancy enables firewalls inside the secure boundaries of the HSM. This allows the separation of the partitions between each other.
In the context of an organization using cloud applications, HSM partition is therefore ideal to lower TCO.
HSM partitioning allows organizations to consolidate their HSM estate by replacing old or unsupported, phased-out HSMs by a partition HSM which leads to a reduction in TCO.
Therefore, rationalizing the number of HSMs and having but a few modern models of HSMs should be part of operationalized goals when implementing TCO strategies. This also lowers the TCO.
If an HSM partition has a problem, it can be recreated and maintained remotely. Replacing a hardware-based HSM would be much more time and resource-consuming. This reduces the overall cost of maintenance and service, lowering the TCO.
We looked at the capacities of HSM partitioning. HSM partitions can significantly reduce the TCO of an organization.
HSM partitioning is a relatively new technology and allows building “virtual HSMs” from a single hardware HSM that shares the exact security, cryptographic capacities, and anti-tampering than a hardware one.
Acodez is a renowned web application development services and Emerging Technology Services company in India. We offer all kinds of web design and web development services to our clients using the latest technologies. We are also a leading digital marketing company providing SEO, SMM, SEM, Inbound marketing services, etc at affordable prices. For further information, please contact us.
Contact us and we'll give you a preliminary free consultation
on the web & mobile strategy that'd suit your needs best.
What is an Encrypted Virus – Its Threats and Countermeasures?Posted on Dec 29, 2020 | Cyber Security