Xaviero Cervera, Project Director, CEGA Security
The pandemic we have been facing since the beginning of 2020 has forced organizations in practically all economic sectors to rethink their digital transformation strategy and what is actually possible and required in order to move to paperless processes. With this evolution comes the need to reinforce the security infrastructure that protects our own information and most sensitive assets, as well as those of our customers. The design of our cryptographic infrastructure is a fundamental part of the digital evolution or transformation that has become the focus of most companies, especially in the market for digital identity and trust service providers.
Trust service providers are organizations that carry out legal and technological operations to guarantee the integrity and authenticity of documents, signatures, files and even digital identities. These trust providers could, for example, help us create, validate and send an electronic invoice, in addition to acting as a trusted entity between our company and the tax authority. Similarly, they could grant us an online identity through a digital certificate that contains our information or digital identity, which we can use to carry out operations such as signing a contract or converting our dead file vault to a digital document repository.
For trust providers, such as a Certification Authority (CA), we have observed two main cybersecurity trends that have gained strength and are shaping their security infrastructure: the implementation of hybrid clouds, and the use of devices with high security standards such as Hardware Security Modules (HSMs), which provide their clients with the security and integrity of the most sensitive cryptographic material, as well as of the critical infrastructure that provides compliance with certification requirements.
HSMs have evolved since their creation, from large devices that were complex to operate into light, dynamic and user-friendly ones, which reduces the time and complexity of implementing this type of device. This is how Futurex has revolutionized the implementation of Hardware Security Modules in a corporate environment: through its technology for virtualizing these cryptographic devices.
With its offerings, Futurex has developed groundbreaking technology. With the virtualization of these types of solutions, we can convert our physical HSM into up to 20 independent virtual HSMs, providing greater security to our most sensitive information. Each virtual device gets an individual master key, its own custodians (quorum) and independent cryptographic tokens, isolating all security controls and access to the HSMs. Likewise, it allows the virtualization of cryptographic services (maintaining both FIPS 140-2 Level 3 policies and PCI compliance) by implementing multiple environments with virtual HSMs for the separation of functions such as the issuance/validation of transactions.
Let’s move on from theory to the application of this technology in real life and analyze how virtualization is implemented in different use cases.
Every trust provider must maintain high levels of availability in its service, yet in many cases the HSM configuration is not as redundant as the architecture used for the application. In other words, an application could run on two or three servers or instances so that there is enough redundancy to keep the service operating.
But on many occasions, we see providers that have only one HSM in their production environment to serve all the transactions of these application instances (Fig 1.1). With only one HSM, what would happen when updating its firmware? This architecture forces us to take offline not only the HSM but also the pool of applications accessing it, so all transactions must be redirected to a DRP environment (Fig 1.2). In this case, the multi-instance application architecture depends on a single HSM.