Volume 5
June 2016 Edition
Protecting Your Data from the Internet's "Things": The Benefits of Encryption and HSMs
By Peter DiToro, Vice President of Customer Services, Thales e-Security

The practice of encrypting information and protecting encryption methods is almost as old as the written word. Hardware security modules (HSMs) are used to protect cryptographic keys both at rest and in use; they are designed according to rigorous standards, usually set by governments (FIPS 140-2, for example), because protecting data is that important.

Over the life cycle of both cryptographic material and associated data, today's HSM provides a secure platform for managing cryptographic keys and their use. However, even given the vast progress in crypto system design, power and flexibility, one fact remains painfully true: a breach of cryptographic keys destroys the integrity of any crypto system, no matter how elegant its implementation. The HSM has therefore become the de facto standard for securing the foundation of any modern crypto system.

The evangelists of the early days of modern applied crypto could not have foreseen the importance cryptography has assumed in this era of IoT and BYOD. The number of "things" attached to and communicating over the Internet will reach 6.4 billion in 2016, according to the research firm Gartner. Each of these "things" can assume an identity, secure a communications channel, gather data on its environment and share that data widely. Cryptography will form the basis for establishing IoT identities and protecting the resulting flood of data. HSMs provide the highest level of trust and protection available when it comes to establishing and protecting the cryptographic infrastructure on which trust in a fully functional IoT depends.

However, everything—and especially security—has its price. HSMs aren't cheap. In addition, the niche and often arcane world of crypto is not well understood within the broader IT community. As cryptographic applications have surged into the mainstream, it can be tempting to cut corners and deploy sensitive cryptographic operations without sufficient protection. A little over a decade ago, only about two percent of crypto was performed in an HSM. Until the recent explosion in crypto deployments and the concomitant surge in highly public breaches, little thought was given to securing the foundational aspects of key generation, key management and protection of core crypto applications. Things just had to work well enough to pass first-level scrutiny.

But when literally billions of things came online, all that changed. A smartphone, for instance, has to have an identity. It stores encryption keys and digital certificates, and it can easily become a proxy for its owner's identity in transactions over the Internet. Suddenly we find ourselves transacting with countless things on the Internet, hoping to trust their digital identities and the intent of their creators. HSMs, the means by which trustworthy digital identities are secured, have become correspondingly more pertinent. The risk of brand and identity damage caused by exploitation of a weak crypto system dwarfs the cost and hassle of HSM deployment. Shortcuts no longer make sense, even in the most parsimonious application environments.

If an organization creates devices that can connect to the Internet, those devices must have identities, most likely based on digital certificates issued by a Public Key Infrastructure (PKI). When an autonomous entity on the Internet, be it a help bot from a major retailer or your home security system, presents its credential and asserts an identity and an associated trust level, you want to be able to rely on it. This means, as a first principle, that the cryptographic material that underpins that identity cannot be forged or stolen. In practice that is two separate requirements: the issuing CA's signing key must be held where it cannot be copied, because whoever holds it can mint a "genuine" certificate for any identity, and each device's own private key must be generated and kept where it cannot be extracted. You want to trust that you are transacting with the intended entity and not some fraudulent man in the middle.

Gaming consoles, smartphones, smart medical devices and more must receive digital certificates and keys from their manufacturers. All of these devices need to identify themselves. We assume, often wistfully, that the cryptographic infrastructure that underpins the integrity of these identity assertions is solid.
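The provisioning and verification flow the last two paragraphs describe, written out as an added example (this is not code from the original article or from any Thales product): a manufacturer CA issues a device certificate, the device proves possession of its private key by signing a fresh challenge, and the relying party checks the chain, the asserted identity and the signature. The CA name, device serial, nonce and in-memory P-256 keys are constructed for the example; in a real deployment the CA's Signer would be an HSM and the device's Signer a secure element, and the last scenario in main shows why: once the CA key is stolen, a forged certificate passes every check the verifier can make.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity is a certificate plus the crypto.Signer holding its private key. An HSM or
// secure element implements Signer, so the key never leaves the hardware. Assumption
// for this example: an in-memory P-256 key stands in for that hardware-held key.
type Identity struct {
	Cert   *x509.Certificate
	Signer crypto.Signer
}

// issue generates a key pair for name and certifies its public half: signed by parent
// when one is given, otherwise self-signed (a root, or an impostor with no issuer).
func issue(name string, isCA bool, parent *Identity) (*Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(5 * 365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	parentCert, signer := tmpl, crypto.Signer(key)
	if parent != nil {
		parentCert, signer = parent.Cert, parent.Signer
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Identity{Cert: cert, Signer: key}, err
}

// NewCA creates the manufacturer's self-signed root.
func NewCA(name string) (*Identity, error) { return issue(name, true, nil) }

// Issue provisions a device identity at manufacture time, certifying only the device's
// public key; the private half stays behind the device's Signer.
func (ca *Identity) Issue(deviceID string) (*Identity, error) { return issue(deviceID, false, ca) }

// SelfSignedImpostor claims a real device's ID while holding neither that device's key
// nor the CA key: self-signing is all it can do.
func SelfSignedImpostor(deviceID string) (*Identity, error) { return issue(deviceID, false, nil) }

// Respond answers a verifier's challenge by signing SHA-256(nonce) through Signer.
func (id *Identity) Respond(nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return id.Signer.Sign(rand.Reader, digest[:], crypto.SHA256)
}

// Verify is the relying party's check: the presented certificate must chain to the
// manufacturer root, name the expected device, and the signature must cover this nonce.
func Verify(root *x509.Certificate, expectedID string, cert *x509.Certificate, nonce, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err // not issued by the manufacturer: self-signed impostor or foreign CA
	}
	if cert.Subject.CommonName != expectedID {
		return fmt.Errorf("certificate names %q, not %q", cert.Subject.CommonName, expectedID)
	}
	return cert.CheckSignature(x509.ECDSAWithSHA256, nonce, sig) // proof of possession of the certified key
}

func main() {
	ca, _ := NewCA("Example Manufacturer Root")
	dev, _ := ca.Issue("SN-0001")
	nonce := []byte("constructed nonce; use crypto/rand in practice")
	sig, _ := dev.Respond(nonce)
	fmt.Println("genuine device:", Verify(ca.Cert, "SN-0001", dev.Cert, nonce, sig))
	imp, _ := SelfSignedImpostor("SN-0001")
	isig, _ := imp.Respond(nonce)
	fmt.Println("self-signed impostor:", Verify(ca.Cert, "SN-0001", imp.Cert, nonce, isig))
	// An attacker holding the CA key mints a certificate the verifier cannot tell from
	// a genuine one; no check in Verify catches it, which is why that key belongs in an HSM.
	forged, _ := ca.Issue("SN-0001")
	fsig, _ := forged.Respond(nonce)
	fmt.Println("forged with stolen CA key:", Verify(ca.Cert, "SN-0001", forged.Cert, nonce, fsig))
}
```

Verify fails on three distinct conditions, and it is worth keeping them separate in real code: a certificate not chaining to the manufacturer root (a self-signed impostor or a certificate from someone else's CA), a certificate that chains correctly but names a different device, and a signature that does not cover the nonce just sent (a replay of an earlier response). What it cannot detect is a certificate legitimately signed with a stolen CA key, which is the article's point about where that key has to live.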