A Green Eggs and Ham Guide to Securing Your Critical Infrastructure

Author: Adam Cason
Date Published: 14 September 2020

Whether your data are in a box, with a fox, in a house, with a mouse, on a train, in the rain, in a car or on a boat... Wherever the critical data that you manage are located—which brings to mind the Dr. Seuss book Green Eggs and Ham [1]—you need a robust infrastructure to secure and protect it. Data are vulnerable to an increasingly diverse and sophisticated set of threats, whether at rest on a server on-premises, in transit, or in the cloud. Add to that a growing remote workforce with a multitude of attack surfaces and everyday business can become an everyday worry.

Would You, Could You…Encrypt?

Encryption is the golden ingredient to counter cyberthreats. Encryption was born out of a need to obscure sensitive data from the eyes of everyone except their intended recipient. At the basic level, encryption is a method of enciphering data into an unreadable format. Sophisticated encryption is the best way to protect sensitive and critical data such as personal identification numbers (PINs), credit card numbers, electronic medical records, Social Security numbers and other forms of personally identifiable information (PII).

Organizations—especially financial services, enterprises and government entities—often look to dedicated encryption devices, known as hardware security modules (HSMs), to provide all the cryptographic power needed to encrypt data and secure critical infrastructures. HSMs are widely recognized as the most secure way to manage encryption: they are validated to Federal Information Processing Standards (FIPS) publication 140-2 Level 3 (criteria established in the FIPS and the Payment Card Industry Data Security Standard (PCI DSS)) and are designed to provide the rigor and security required of the most sensitive information and transactions. Organizations also need HSMs for robust key management that handles the whole key life cycle: generation, issuance, revocation, rotation, etc.

Consider everyday data. With people on the move, people working from home and the ever-growing Internet of Things (IoT), sensitive data are in transit more than ever. The COVID-19 pandemic has fueled more “tap-to-pay” systems, with a 150% increase in contactless payments since March 2019, according to a Forbes article [2].

HSMs are the backbone of our everyday, security-related transactions. Think about a bank or payment processor. Each time a customer uses a debit card, pays with Apple Pay or types in a PIN, HSMs are providing the security for those transactions. Each time a financial institution issues a payment card, processes a transaction or verifies the user, HSMs are also involved. Contactless payments and other no-touch ways to pay, including biometrics [3], are on the rise and will continue to fuel transactions requiring authentication and validation. Visa has the capacity to process more than 65,000 transactions per second [4]. Imagine the amount of encryption, verification, authentication and processing it takes behind the scenes. This is where certificate management enters the picture.

Just as individual users must verify their identities through passwords, smart cards, biometrics and other methods, each networked device and user must also be verified using a digital certificate. Through a process called certificate management, the HSM creates and issues a unique private key to each user and device involved in the exchange of encrypted information. This private key is used as a digital certificate, which allows for mutual authentication among the various devices and users on an encrypted public key infrastructure (PKI) network.
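As an added example (not code from the article or from Futurex), the certificate-management flow just described, written against Go's standard library: key generation stands in for generation inside the HSM boundary, one root CA issues a certificate to each device and host, and mutual authentication checks that each peer's certificate chains to that root for its own role. The device and host names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue generates a key pair (standing in for generation inside the HSM, where the private key stays)
// and signs it: a self-signed root CA when parent is nil, else a leaf signed by parentKey and pinned to one role.
func issue(cn string, role x509.ExtKeyUsage, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: new(big.Int).SetBytes(pub[:8]), // constructed: a real CA keeps a serial database
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{role}, // a device certificate cannot later pose as a server
	}
	if parent == nil { // root: self-signed and allowed to sign other certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// MutualAuth reports whether both peers chain to the trusted root, each for its own role.
func MutualAuth(root, client, server *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, errC := client.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	_, errS := server.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return errC == nil && errS == nil
}

// Demo returns (own device and host accepted, device certificate presented as a server rejected).
func Demo() (bool, bool) {
	root, rootKey := issue("Root CA", x509.ExtKeyUsageAny, nil, nil)
	client, _ := issue("device-1", x509.ExtKeyUsageClientAuth, root, rootKey)
	server, _ := issue("payment-host", x509.ExtKeyUsageServerAuth, root, rootKey)
	return MutualAuth(root, client, server), !MutualAuth(root, client, client)
}
```

A certificate issued by a different root fails the same check, which is what keeps a device outside the organization's PKI off the network.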

This is when organizations need to determine whether hardware or cloud options fit best with their infrastructure.

Would You Prefer Hardware?

There are 6 reasons to consider an HSM to secure your critical infrastructure [5]:

  1. Security—Look for validation under FIPS 140-2 Level 3 and PCI HSM standards. Ideal for financial use cases such as transaction acquiring, card and mobile issuance, financial issuing and point-to-point encryption.
  2. Cost—Hardware is a capital expense (capex) model; cloud is an operating expense model.
  3. Compliance—Compliance “just works.” It can be tough to manage this in-house unless your organization has personnel and resources dedicated to compliance and audits. HSMs typically fall under government regulations and must adhere to a variety of security standards.
  4. Resources—Do you have a dedicated key management and crypto team? If so, hardware will likely be much easier.
  5. Integration—Hardware allows you to securely manage the keys for third parties.
  6. PKI—Management and mutual authentication among various devices and users on an encrypted PKI network.

Try the Cloud, You Say?

Now, imagine you are an organization that does not want to—or cannot—maintain a data center or rack space, but you still need large-scale security solutions. The pandemic may be preventing your organization from having an in-person presence. This is when the cloud can be your best choice, saving your employees from making trips to the data center to upload new keys and perform other administrative functions. Some organizations consider software-based encryption to be easier and more accessible. Software encryption uses computer applications, which require encryption keys to be physically typed into the computer to encrypt data.

There are 7 key reasons to consider a cloud HSM:

  1. Security—Look for validation under FIPS 140-2 Level 3 and PCI HSM standards. Ideal for financial use cases such as transaction acquiring, card and mobile issuance, financial issuing and point-to-point encryption. If financial services are using the cloud [6], should your organization be using it too?
  2. Scalability—Customize based on your organization’s needs.
  3. Compliance—Compliance “just works.”
  4. Availability—Eliminate single points of failure in real time.
  5. Ease of Use—No disruption to users and existing applications.
  6. Integration—Look for native integration with public clouds [7] to simplify the move to the cloud, especially for financial services organizations.
  7. Risk—If your organization does not have a dedicated resource to manage a hardware solution, the cloud could reduce your risk.

Try hardware. Try the cloud. Whatever your cryptographic infrastructure mix is currently or will be in the future—on-premises, in the cloud or a combination of both—your organization is likely optimizing encryption to ensure the highest level of security, compliance and scalability. Just as Green Eggs and Ham explores whether experience or reason best informs us, when considering the best cryptographic solutions for your sensitive and critical data, it is important to weigh the different options throughout the information gathering, decision-making and the implementation process.

Adam Cason is director of product marketing at Futurex, where he is responsible for the company’s global go-to-market strategy, technical documentation portfolio and engagement for customer and partner relationships. He is a subject matter expert in hardware security modules and key management with a strong technical background and deep knowledge of enterprise-class cryptographic ecosystems. Cason started his career at Futurex as a solutions architect, working closely with customers on product deployments, infrastructure analysis and system architecture.

Endnotes

[1] The Prindle Institute for Ethics, Green Eggs and Ham, by Dr. Seuss, USA
[2] Walden, S.; “Banking After COVID-19: The Rise of Contactless Payments in the U.S.,” Forbes, 12 June 2020
[3] Futurex, “Biometrics Fuels Adoption, Sparked by COVID-19,” 29 July 2020
[4] Visa, Visa Factsheet
[5] Futurex, Hardware Security Modules
[6] Futurex, Financial Cloud HSMs
[7] Amazon Web Services (AWS) Marketplace, VirtuCrypt Financial Cloud HSM—Test