Hardware Security Modules (HSMs) have traditionally provided the highest level of security for cryptographic applications such as Public Key Infrastructure (PKI). For decades, regulated industries such as banking, financial services, government, defense, and healthcare have used HSMs to generate and protect cryptographic keys and perform cryptographic operations.
However, as technology advances and the threat landscape changes, so do the requirements of the modern enterprise. As a result, modern HSMs have been developed with enhanced features and functionalities such as REST APIs, custom plugins, cloud integration, and user-defined compliance policies.
The concept of a standalone HSM is outdated because HSM technology has failed to keep pace with rapidly evolving user requirements. Today, enterprises need a comprehensive security solution that includes enterprise key management, cloud key management, and other data security capabilities where the HSM is just one fundamental capability integrated seamlessly into the platform.
Nevertheless, a few organizations still consider standalone HSMs, and understanding how they work can help maintain and secure them.
In this context, it is critical to learn the differences between legacy HSMs and modern security platforms, including their respective strengths and weaknesses and how each can meet organizations' evolving security needs.
What are legacy HSMs?
Legacy HSMs, or traditional HSMs, are standalone devices that rely heavily on physical security measures such as custom hardware design, anti-tamper mechanisms, secure environments, and smartcard-based authentication to protect sensitive keys and data. This makes them difficult to deploy and operate, requiring physical interaction with the HSM during so-called “key ceremonies.”
They are also difficult to scale, update (updates require downtime), and integrate with, and they quickly become obsolete when vendors stop supporting them in favor of their newest models (which often offer little benefit to justify the replacement cost).
In today’s rapidly evolving cybersecurity landscape, HSMs, once considered cutting-edge solutions for securing sensitive data, may no longer provide a complete and cost-effective solution. One of the most significant drawbacks of legacy HSMs is their lack of scalability and flexibility; they are also difficult to integrate into modern hybrid and multi-cloud environments operated by agile DevOps teams.
Moreover, they offer limited tools for key management, which becomes increasingly important as the volume of data and encryption keys explodes, and the compliance burden increases.
Who uses legacy HSMs?
Organizations that demand high security for their sensitive data and cryptographic keys employ legacy HSMs extensively. This covers financial firms, government entities, healthcare organizations, and other sectors that handle sensitive data.
Legacy HSMs are frequently favored by businesses that have been using them for a long time and are reluctant to convert to newer technology due to the difficulty of migration.
However, with the transition towards cloud-based services and the requirement for more scalability and flexibility, many organizations are now evaluating alternatives to traditional HSMs.
Why do organizations still use legacy HSMs?
Legacy HSMs have a proven track record of dependability and security, which has earned them the confidence of many organizations.
They have typically undergone stringent certification procedures, such as FIPS 140-2 or Common Criteria, which are sometimes necessary for industry compliance. And they are often already incorporated into an organization's infrastructure, such as its PKI, making their replacement time-consuming and resource-intensive.
What are modern HSMs?
Modern HSMs were developed for the new era of cloud and hybrid environments. They are designed to be scalable, flexible, and easy to integrate with cloud-based services.
They use technologies like Intel Software Guard Extensions (SGX) to create a Trusted Execution Environment (TEE), or "secure enclave," that protects keys and cryptographic operations even in the event of a zero-day vulnerability in the underlying operating system.
Modern HSMs are part of scalable, flexible data security platforms without all the associated challenges that plague standalone HSMs.
By integrating multiple security functions into one platform, organizations benefit from improved security (all code runs inside a TEE and within the FIPS security boundary), ease-of-use (everything managed through a single pane of glass), reduced cost of ownership (lower purchase and operational costs), and fewer vendors to manage.
They can also benefit from customizable role-based access controls, user-defined compliance policies, custom plugins, and powerful REST APIs.
In addition, they have the flexibility to deploy the solution on premises, in a private or public cloud, or consume it as a SaaS service to best meet their business needs.
Avoiding confusion with cloud-native HSMs
Cloud-native HSMs, commonly referred to as cloud HSMs and often categorized as modern HSMs, are basically traditional HSMs hosted by cloud service providers (CSPs). Customers may be offered an entire dedicated HSM or just a partition, and they must take responsibility for operating the HSM themselves, including providing high availability and disaster recovery (HA/DR).
Alternatively, the CSP may operate the HSM to store keys belonging to multiple customers, where organizations have no control over the HSM.
Figure: A quick comparison of legacy vs. modern HSMs.
Who uses modern HSMs?
Organizations that must comply with stringent regulations, want to accelerate their cloud transition, and want an enterprise-wide approach to key management and cryptographic operations are increasingly deploying modern HSMs. This includes organizations in the fintech, banking, insurance, healthcare, federal, and government sectors that need to secure cloud-based applications.
Other medium-to-large enterprises that have been unable to justify using HSMs in the past because of their cost and complexity can now attain the same level of security and compliance as those who have always used HSMs.
Even small-to-medium enterprises, especially start-ups in security-critical segments such as cryptocurrencies, web3, fintech, health tech, IoT, and AI/ML, will benefit from the as-a-service model, which offers a lower entry-cost and frees them from managing the solution themselves.
That said, all existing users of standalone HSMs can benefit from migrating to a more secure, flexible, scalable, powerful, and easy-to-use security platform. It will likely also improve efficiency, reduce operational costs, and enhance compliance posture. These benefits will multiply as they onboard additional use cases over time.
What are the key capabilities of modern HSMs?
- Centralized Key Management: Organizations can simplify key management across multiple environments and applications, reducing the associated complexity and costs. External key management services such as AWS KMS External Key Store (XKS) and Google Cloud External Key Manager (EKM) add a layer of security to cloud-based services by ensuring that encryption keys are not managed by the cloud provider but are instead stored and managed by the organization in a modern HSM.
- High Resiliency and Availability: Modern HSMs are built on a web-scale architecture, meaning they are designed to handle large-scale, cloud-based environments. They offer scalability and ensure that cryptographic keys and data are always accessible.
- Remote Management: Administrators can use a web-based interface to manage modern HSMs from a central location anywhere globally, eliminating the need for physical device access. This is especially useful in large organizations where HSMs are deployed in multiple locations.
- Flexible Deployment Options: Modern HSMs can be deployed as a virtual, cloud-based service or in conjunction with legacy HSMs, depending on the needs of the business. This adaptability enables organizations to select the most cost-effective and secure deployment option for their use case.
Consider the following when evaluating HSM capabilities for your business:
- Security: The HSM must meet industry standards, such as FIPS 140-2 Level 3, and have tamper-evident seals, tamper detection systems, regular audits, and firmware updates.
- Efficiency: The HSM must have high-performance processors and optimized cryptographic algorithms, ensuring organizations can access data or applications without interruption.
- Scalability: Organizations can protect long-term investments with HSMs that can handle increasing workloads and accommodate future growth as the business expands geographically.
- Integration: The HSM must be compatible with new applications and systems the organizations may use in the future, preventing disruptions to operations and minimizing the need for costly upgrades or replacements.
- Compliance: The HSM must enable compliance with all applicable regulatory requirements, such as GDPR, Schrems II, PCI DSS, and HIPAA, to ensure the organization meets legal obligations.
- Future-Protection: Organizations in constantly evolving industries, such as finance, defense, or healthcare, must consider whether the HSM implements emerging cryptographic algorithms (such as post-quantum algorithms) and protocols, to ensure it remains relevant and effective in the face of evolving threats.
Conclusion
Standalone HSMs have had their day. Their architecture is outdated and no longer serves the needs of their traditional user base, and they cannot begin to compete in the rest of the market.
While such legacy HSMs may continue to meet the needs of narrow use cases, modern HSMs provide greater flexibility and scalability for cloud-based and hybrid infrastructures. Organizations can evaluate their needs and choose the appropriate HSM solution accordingly.
Organizations should consider a future-proof approach to data security that provides complete control of encryption and key management, is compatible with a multicloud environment, and provides the necessary controls and policies for compliance.