HSM Security with Cloud Like Economics
I have spent over a decade helping customers derive value from HSMs (Hardware Security Modules). HSMs were first deployed by the military, then made their way through financial services, and now can be found in use for a variety of applications ranging from PKI to code signing. HSMs deliver confidentiality for encryption keys in a physically hardened appliance, protecting against insider and external threats.
Balancing Cost vs Risk
In spite of the strong security benefits, existing HSMs designed with older generation technology present two significant adoption hurdles. First, they are built using proprietary hardware that had a high initial acquisition cost. Second, they bring non-trivial complexity and cost of operations just to keep the lights on. The total cost and complexity would be prohibitive to the point of leading to critical gaps in encryption key management for data protection.
The great news for many organizations today is that the landscape is changing. Newer technologies can enable organizations to reassess their cost/benefit analysis and implement stronger security controls with low initial investment. Leveraging technology advancements, Fortanix Self-Defending KMS™ offers next-gen HSM and Key Management capabilities with a subscription-based approach delivering powerful TCO benefits.
Economic Benefits of a Subscription Model
In the past, organizations only had the CAPEX model to purchase HSMs. The hardware would typically cost at least $20K to deploy, $40K for high availability, and multiple times more for a typical enterprise deployment. Basic utility would require additional components and cost: client-side connectors, partitions, KMIP support, Elliptical Curve algorithms, master key export, remote administration, and maintenance. Deployment costs for real-world use cases would start at $250K. Unfortunately, this is a cost/benefit scenario that has potentially contributed to numerous data breaches & insider attacks.
Fortanix Self-Defending KMS has a subscription, or OPEX, model with flat, predictable pricing and a low barrier of entry, providing an attractive cost/benefit scenario that is within reach for any organization. Fortanix Runtime Encryption Appliance use commercial off-the-shelf (COTS) servers hardened for NIST FIPS 140-2 level-3, significantly reducing the initial acquisition cost. A subscription software license combined with an all-inclusive model offers predictable pricing for current and future use cases. Since Fortanix Self-Defending KMS is a software-defined solution, Fortanix can even accommodate organizations that prefer to use it with their own servers for cost or supply chain efficiency purposes.
The CAPEX model bundles software and hardware together and often leads to paying for the software several times. For example, suppose that a few years after purchasing your solution, you decide it is time to upgrade the hardware for growing demands. At this point, you must purchase another hardware and software bundle, effectively paying for that software again. Instead, with the approach employed by Fortanix Self-Defending KMS, you would just purchase new servers or Fortanix Runtime Encryption Appliance and transfer the software licenses over, thereby lowering your long-term acquisition cost.
An OPEX model gives you the flexibility to more frequently upgrade to the latest Intel x86 processor. A higher performance processor means you can do more with less, which lowers your overall costs. There’s no need to wait every 7 years to make use of the latest technologies.
It shouldn’t take professional services and a weeklong class to get trained on deploying an HSM. The “soft costs” associated with legacy HSM deployment can be significant as well: legacy HSMs have to be offline for firmware/software updates, which means unproductive downtime; admins have to be flown around the globe to “lights-out” data centers to make administrative changes via an m-of-n key ceremony of smart cards; and because they are so difficult to manage, few within a company understand how they work, requiring another training class. With Fortanix Self-Defending KMS, there is no downtime during software updates, and our user-friendly, centralized, remote key management software does not require admins to fly around the globe.
HSMaaS is also now gaining momentum in the market. With Equinix SmartKey, powered by Fortanix, companies can now consume secure key management as-a-service. As more and more companies migrate workloads to the Cloud, it makes sense to also migrate all, or some, of their key management infrastructure to the Cloud. A “pay as you use” pricing model makes sense for many companies today.
Large enterprise companies with large IT departments can now also deploy ITaaS to their internal departments and “charge-back” to the individual departments, now showing the true costs of individual departmental support requests.
Transparent Predictable Consumption
HSMs should be secure, cost-effective, intuitive, and easy to use. They should include:
- Support for all NSA Suite B algorithms.
- Securely generate, manage, and rotate keys; encrypt, hash, and sign.
- Support all common APIs (including REST APIs, KMIP, and traditional cryptographic interfaces) on the same platform.
- Support multi-tenancy (the ability to securely manage multiple users/customers/departments on the same hardware/software).
- Provide true separation of duties (ability to manage firmware/software updates without having access to application keys).
- Provide secure audit logs that integrate with SIEM tools such as Splunk, and offer configurable alerts.
- Deliver built-in high availability and load balancing without costly external appliances.
These are just some of the capabilities used by our customers. Such essential capabilities should not require additional costs. Fortanix Self-Defending KMS delivers all of this and more! Isn’t it about time for you to make a change?