Data breaches are an ever-present threat; attackers are constantly looking for ways to intercept data and extort companies for money. Hardware Security Modules, or HSMs, are a valuable tool in your organization’s arsenal for securing sensitive data. In short, HSMs store cryptographic keys used to encrypt data. We will also explore payment HSMs and how their expanded, specific functionality works to protect payment information from being intercepted or stolen.
What is an HSM?
HSMs, or hardware security modules, are devices used to protect keys and perform cryptographic operations in a tamper-safe, secure environment. While some HSMs store keys remotely, these keys are encrypted and unreadable. Only the HSM can decrypt and use these keys internally. By using these cryptographic keys to encrypt data within the secure hardware environment of the HSM, the data being encrypted or decrypted is secure from external attacks.
While encryption does not require an HSM, encryption schemes that do not use HSMs must address certain issues. Let’s discuss and explore these so we can better understand what an HSM is for and who should use one.
- Data at rest must be encrypted.
- Data in transit can be at risk.
- Decrypting data for use presents a point of attack.
- Keys must be stored separately from the data they protect.
- To meet various standards for security, separation of roles/duties must be enforced.
Data at rest must be encrypted
Possibly the most fundamental use case of any security platform or application is the encryption of data at rest. To prevent a database full of sensitive information from being leaked to the public, the database should be encrypted, so that simple access to it is not enough to get the information inside. However, rather than simply encrypting the database file as a whole, it is much better to encrypt each entry of the database individually. This minimizes the attack surface and improves performance in smaller operations that require only a single entry from the database.
Data in transit can be at risk
The above covers data at rest, but to eventually use the data it must be decrypted at some point. The number of points at which this data is exposed can be minimized.
For example, two computers can have a shared set of keys that encrypt a file such that it is not vulnerable while in transit between those two computers.
But when an application by design requires an endpoint that cannot be isolated or trusted as much as the location of the database, the data in transit is more vulnerable than the data at rest. This increased vulnerability presents another reason to limit data in transit. By using an HSM to store keys that encrypt a database’s contents, the unencrypted data is never exposed to internal attack. An employee, or an attacker who had broken into the data center, would never be able to see the contents of the database being requested, which could include sensitive information like credit card numbers.
Decrypting data for use presents a point of attack
When data is decrypted for use, it is inherently vulnerable even when only stored in memory. By providing a tamper-safe machine that users and attackers cannot open, even the users will never know the contents of the keys or files if the application so requires. This additional layer of hardware security sets an HSM apart from a regular computer performing these operations.
Keys must be stored separately from the data they protect
In order to secure a database properly, it’s important to separate the keys from the data they are protecting. If a database is encrypted but the key is stored in the same directory, the database might as well not be encrypted at all. The only security provided by encryption is the requirement to have two components from separate locations assembled in the same place in order to access the information.
But when the keys become too difficult to access or use, it presents a problem for automated large-scale applications. HSMs provide an environment where the keys can be stored separately from the database’s host but remain easily accessible. Authorized applications can utilize the keys by passing the encrypted data to the HSM, and operations can be done on the data within the HSM if so needed.
Enforcing Role and Duty Separation to Meet Security Standards
While differing applications require meeting different standards, a common standard is the separation of roles and duties. This sort of standard refers to the concept that users must only have the minimum level of access required to complete their tasks. A client application that verifies a signature, for example, should not have a key used for signing a file. This protects the key from misuse via attacks such as code injection. HSMs can limit client privileges on a per-client basis.
HSMs can also enforce the requirement of a quorum to fulfill certain operations. This means a single user would not have the privilege to perform the operation without the presence and approval of a set number of other users in the quorum. The ability of HSMs to enforce, at a physical level where necessary, this separation of duties is one of the key benefits of using an HSM.
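The two controls described in this section, sketched as an added example that is not Encryption Consulting's code or any vendor's API. The ToyHSM class and all names are hypothetical, HMAC stands in for a signature algorithm, and officers are identified by name where a real HSM would authenticate them with credentials or smart cards.

```python
import hashlib, hmac, os

class ToyHSM:
    """Hypothetical model of per-client privileges and an m-of-n quorum."""
    def __init__(self, officers, quorum_size):
        self._key = os.urandom(32)      # generated inside, never returned to callers
        self._officers = set(officers)
        self._quorum_size = quorum_size
        self._acl = {}                  # client name -> operations it may request

    def _require_quorum(self, approvals):
        valid = set(approvals) & self._officers  # duplicates and outsiders do not count
        if len(valid) < self._quorum_size:
            raise PermissionError(f"need {self._quorum_size} officers, got {len(valid)}")

    def grant(self, approvals, client, operations):
        """Changing a client's privileges is itself a quorum-protected operation."""
        self._require_quorum(approvals)
        self._acl[client] = set(operations)

    def _tag(self, client, operation, message):
        if operation not in self._acl.get(client, set()):
            raise PermissionError(f"{client} may not {operation}")
        return hmac.new(self._key, message, hashlib.sha256).digest()

    def sign(self, client, message):
        return self._tag(client, "sign", message)

    def verify(self, client, message, tag):
        return hmac.compare_digest(self._tag(client, "verify", message), tag)

def demo():
    hsm = ToyHSM(officers={"alice", "bob", "carol"}, quorum_size=2)
    results = {}
    try:  # one real officer (listed twice) plus an outsider is not a quorum
        hsm.grant(["alice", "alice", "mallory"], "build-server", {"sign"})
        results["single_officer_grant"] = "allowed"
    except PermissionError:
        results["single_officer_grant"] = "denied"
    hsm.grant(["alice", "bob"], "build-server", {"sign"})
    hsm.grant(["bob", "carol"], "update-client", {"verify"})
    tag = hsm.sign("build-server", b"firmware-v2")  # constructed sample message
    results["verify_ok"] = hsm.verify("update-client", b"firmware-v2", tag)
    try:  # the verifying client must not be able to produce signatures
        hsm.sign("update-client", b"tampered")
        results["verifier_sign"] = "allowed"
    except PermissionError:
        results["verifier_sign"] = "denied"
    return results
```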
Payment HSMs are specialized HSMs that perform specific operations for the payment industry. These operations are bundled with operation-specific keys; examples include zone PIN keys and zone master keys. A zone PIN key is limited to PIN translation operations. This differs significantly from a key on a regular HSM, which can usually perform a variety of base-level functions such as encryption, decryption, and verifying signatures. The keys in a payment HSM usually cannot perform these basic or low-level operations and are instead used in specific multi-step, high-level operations.
In payment processing, a single transaction may require several of these high-level operations, such as PIN translation. Manually programming each operation out of multiple encryption/decryption operations would not only be impractical but might also present an attack surface or security risk between operations. Without the use of a specifically designed payment HSM, there is a heightened risk of key misuse. By locking all the keys to specific operations and by ensuring all code is run in the HSM in a single high-level operation, the attack surface is minimized, and key misuse is prevented.
Example Application: PIN Translation
PIN translation is a common operation in the payment industry. When a PIN is entered at an ATM or POS system, it is essential that it travels safely and stays encrypted on the way to its final destination. But a straight-through path directly to your bank is simply impractical and not how the payments sphere works. PIN translation servers continually protect the PIN as it changes hands from point to point until it reaches the bank, which verifies that the PIN is correct. PIN translation keys are locked to this operation: the keys involved decrypt and then re-encrypt the moving PIN in a single operation, all within the confines of the payment HSM.
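A model of the translation step and of keys locked to it, as an added example that is not code from the original article or any vendor's command set. ToyPaymentHSM, the key labels and the usage tags are hypothetical, the XOR keystream cipher is a stand-in for the TDES or AES a real payment HSM uses, and the PIN block is constructed sample data.

```python
import hashlib, hmac, os

def toy_cipher(key, nonce, data):
    """Stand-in XOR cipher (same call encrypts and decrypts); real HSMs use TDES or AES."""
    stream = hmac.new(key, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

class ToyPaymentHSM:
    """Hypothetical model: keys stay inside and are referenced only by label."""
    def __init__(self):
        self._keys = {}  # label -> (usage, key bytes)

    def install_key(self, label, usage, key):
        # Stands in for importing a key exchanged under a zone master key.
        self._keys[label] = (usage, key)

    def _use(self, label, operation):
        usage, key = self._keys[label]
        if usage != operation:
            raise PermissionError(f"{label} is locked to {usage!r}, not {operation!r}")
        return key

    def decrypt(self, label, nonce, ciphertext):
        """Base-level operation, allowed only for keys tagged 'data'."""
        return toy_cipher(self._use(label, "data"), nonce, ciphertext)

    def translate_pin(self, zpk_in, zpk_out, nonce, pin_block):
        """Decrypt under zpk_in and re-encrypt under zpk_out in a single call."""
        clear = toy_cipher(self._use(zpk_in, "pin-translate"), nonce, pin_block)
        out_nonce = os.urandom(8)  # the clear block never leaves this method
        return out_nonce, toy_cipher(self._use(zpk_out, "pin-translate"), out_nonce, clear)

def demo():
    acquirer_key, issuer_key = os.urandom(32), os.urandom(32)
    hsm = ToyPaymentHSM()
    hsm.install_key("zpk-acquirer", "pin-translate", acquirer_key)
    hsm.install_key("zpk-issuer", "pin-translate", issuer_key)
    clear_block = bytes.fromhex("041234FFFFFFFFFF")  # constructed sample PIN block
    nonce = os.urandom(8)
    inbound = toy_cipher(acquirer_key, nonce, clear_block)  # as sent by the upstream zone
    out_nonce, outbound = hsm.translate_pin("zpk-acquirer", "zpk-issuer", nonce, inbound)
    try:
        hsm.decrypt("zpk-acquirer", nonce, inbound)  # generic decrypt with a PIN key
        misuse_blocked = False
    except PermissionError:
        misuse_blocked = True
    issuer_view = toy_cipher(issuer_key, out_nonce, outbound)  # done inside the issuer's HSM
    return misuse_blocked, issuer_view == clear_block
```

The host application only ever handles the inbound and outbound ciphertexts; the request to decrypt with a zone PIN key is refused because the key's usage tag does not match the operation.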
The Payment Industry
Payment processing is an environment that presents unique challenges, challenges that differ in many cases from the problems a standard HSM can solve out of the box. However, payment HSMs are equipped not only with the solutions to these challenges, but with a toolbox of operations to make payment processing secure, easy, and efficient. The payment industry is rapidly expanding and ever-present in the world of business. However, in order to succeed in the payment industry, it is essential to have a good network of customer trust.
In this case, the customers are the financial institutions your organization is completing these transactions on behalf of. Without their trust, your company will not be able to operate in the sector at all. As such, security is of the utmost importance. A single slip-up can have permanent or long-lasting effects on the customers the financial institutions serve. These institutions are unlikely to take a risk working with an organization that has made significant errors in the past.
Data breaches are an ever-present threat in any industry. Consumers trust corporations to protect their data and often do not think about the consequences or the possibility that their data is not protected. When large-scale, high-profile attacks occur, the reputational damage to companies can last for years if not decades. Encryption serves as the primary protector of consumer data. Even if an attacker is able to gain access to a database, encryption will protect the database contents from being leaked or used maliciously. Because there is always room for human error or internal bad actors, no company can be completely immune to data breaches. However, with proper steps, data breaches can be made incredibly rare and difficult to gain any value from.
Various Types of Data Breaches
While many forms of attack could potentially plague your organization, common data breaches usually fit into one of a few categories. Man-in-the-middle attacks focus on intercepting data or impersonating endpoints. The attacker can collect user information, putting your clients at risk. Code injection attacks can be more severe and do more damage in a shorter period. By executing malicious code, attackers might compromise data or steal databases, sending the information off-premises. The largest threat to user data usually involves members within the organization; data being leaked, often by accident, presents a huge risk to your organization’s reputation. Encryption using HSMs helps prevent all of these attacks by rendering the data useless.
Data Breaches in the Payment Industry
If a data breach were to occur to an organization in the payment industry, attackers could intercept communications and acquire information ranging from customers’ PINs to credit card numbers and other vital account information. With access to these private keys, an attacker could easily acquire this information without your organization ever being aware that the information was compromised. It is for reasons like these that HSMs are necessary for the payment industry.
Only HSMs can properly secure keys in a dedicated hardware environment and enforce the necessary policies to keep those keys safe from attack or misuse. In fact, in order to be compliant with PCI-DSS, payment HSMs are highly recommended. Meanwhile, certain FIPS compliance levels require the use of an HSM to store keys. Investing in an HSM will not only help you remain compliant with these standards but will also minimize the attack surface and adequately protect your company from data breaches.
In conclusion, HSMs serve to protect consumer data by acting as a secure box from which private keys do not leave. Payment HSMs take this concept a step further by enforcing the roles of these keys and limiting operations to high-level industry-specific functions that run within the confines of the HSM. By operating in this manner, transactions can be processed safely and securely without compromising speed. The attack surface is minimal, and meeting changing standards is far more economical than developing original code for each operation. Implementing a payment HSM will greatly reduce the risk of data breaches and all but make certain that any leaked data is in a state where attackers cannot make any use of it.