I am working on a project to identify compensating controls in lieu of an HSM. We all understand that HSMs are extremely effective in protecting the enterprise, but many companies are not large enough to justify the cost, or don't have the required skillset on staff to design the implementation so that it sits in the correct security zone behind the proper security controls, and manage the device. Additionally, although many cloud service providers offer an HSM option, they too can be very expensive for a small company to justify the cost.
My question is in regard to compensating controls for an HSM. If a company did not have an HSM, do any of the security frameworks identify compensating controls in place of the HSM? If anyone could point me to anything specific, I would be very grateful. Thanks.
@geraldjoyce312 wrote: [original question quoted in full above]
A YubiHSM is ~USD$700. The smallest Thales HSM is ~USD$7000.
A typical HSM is ~USD$200,000, but they usually come with software and hardware maintenance for 10 years, so the actual price is more like ~USD$20,000/year in recurrent spending.
None of these are actually out of the realm of possibility, even for small companies.
Compensating controls for not having an HSM really only work for offline CAs or offline code signing, as the control for an HSM is hardware-level protection of the key material (including tamper detection, which deletes the keys as soon as it believes it's under attack).
As soon as the specific requirement is an online use case (i.e. Transparent Database Encryption (TDE), online CA, online code signing, or others), it is very difficult to institute any compensating controls that can scale to the needs of the online requirement.
It's not as easy as saying "X" technology is an equivalent control for an HSM. You first have to look at what specific application or requirement is using the HSM (and how it's being used) and then devise a series of policies, processes, training and technologies that do some of the same things as an HSM would "in spirit". Unfortunately, much can go wrong when attempting this.
I would first ensure your risk analysis answers the question, "What is the business problem we are trying to solve?" as HSMs provide a number of functions. A small list:
- Ease of encrypted data key change
- Secure key storage
- Hardware acceleration
- Compliance with regulators
- Segregation of duties (e.g. via key splitting/escrow)
I would also note that there are some pretty inexpensive USB HSMs if cost is the big factor, and those can be physically secured in a rack and then secured with evidence tape (both on the USB HSM and the rack). This would permit you to lay out cost-benefit analysis, and some of the downsides of going cheap on HSMs (e.g. performance, features) vs. the risks of going without.
I'd then do a quantitative analysis (e.g. FAIR-Lite) of probabilistic loss vectors & probabilistic losses compared with the costs of the controls (HSM procurement, continued verification/audit) and the cost avoidance of manual / software-based key management.
Hope this helps!
-ddh
_______
Dan Houser, CISSP-ISSAP-ISSMP CSSLP
Board Candidate, 2021 Election
#20889
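The key-splitting item in the list above is the one software-only control that most directly reproduces an HSM function (segregation of duties over key material), so here is an added example of what it looks like in practice. This is not code from the thread or from any HSM vendor: it is a plain Shamir secret-sharing split of a 256-bit data-encryption key over the prime field 2^521-1, where any three of five custodians can reconstruct the key during a ceremony (the offline CA / offline code-signing case discussed earlier) and fewer than three learn nothing. The custodian count, threshold and the 32-byte key length are assumptions chosen for the demonstration.

```python
import secrets

# 2^521 - 1 is a Mersenne prime, so every key of up to 64 bytes is a valid
# field element. All arithmetic below is modulo this prime.
PRIME = (1 << 521) - 1
MAX_SECRET_BYTES = 64


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with the given coefficients at x (Horner's rule).
    coeffs[0] is the constant term, i.e. the secret itself."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int, share_count: int):
    """Split `secret` into `share_count` shares; any `threshold` of them recover it.
    Returns a list of (x, y) pairs, one per key custodian."""
    if not 1 < threshold <= share_count:
        raise ValueError("need 1 < threshold <= share_count")
    if len(secret) > MAX_SECRET_BYTES:
        raise ValueError("secret too large for the field")
    # The secret is the constant term; the other threshold-1 coefficients are
    # random, so fewer than `threshold` points reveal nothing about it.
    coeffs = [int.from_bytes(secret, "big")]
    coeffs += [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]


def recover_secret(shares, secret_len: int) -> bytes:
    """Lagrange-interpolate the polynomial at x = 0 from the given shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share presented")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    if total >= 1 << (8 * secret_len):
        # Too few (or wrong) shares interpolate to a random field element,
        # which almost never fits in the original key length.
        raise ValueError("reconstruction failed: wrong or insufficient shares")
    return total.to_bytes(secret_len, "big")


def ceremony_demo(threshold=3, custodians=5):
    """Constructed walk-through (assumed parameters): generate a 256-bit key,
    hand out shares, and check that `threshold` custodians can rebuild it
    while fewer cannot."""
    dek = secrets.token_bytes(32)
    shares = split_secret(dek, threshold, custodians)
    quorum = shares[-threshold:]          # any `threshold` custodians will do
    rebuilt = recover_secret(quorum, 32)
    try:
        leaked = recover_secret(shares[:threshold - 1], 32) == dek
    except ValueError:
        leaked = False
    return {"quorum_ok": rebuilt == dek, "subthreshold_leaks": leaked}


if __name__ == "__main__":
    print(ceremony_demo())
```

The point of the split is that the assembled key exists only in the memory of the ceremony host for the duration of the signing or CA operation; each custodian's (x, y) share should be stored separately (for example in sealed envelopes or individual password managers), and the shares, not the key, are what gets escrowed.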
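For the quantitative (FAIR-Lite style) comparison suggested above, here is an added Monte Carlo sketch, not from the thread or from the FAIR standard itself. It samples a yearly loss-event frequency and per-event loss magnitude from triangular (min / most likely / max) estimates for a "software key management" scenario and a "with HSM" scenario, then subtracts an assumed annual control cost (the ~USD$20,000/year figure mentioned earlier). All scenario numbers are constructed placeholders to be replaced with the organisation's own estimates.

```python
import math
import random


def _poisson(rng, lam):
    """Sample one year's event count from Poisson(lam) (Knuth's method,
    adequate for the small rates used in risk scenarios)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(scenario, trials=20000, seed=42):
    """Return the mean and 90th-percentile annual loss for a scenario whose
    frequency (events/year) and per-event loss are triangular estimates."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        lam = rng.triangular(scenario["freq_low"], scenario["freq_high"],
                             scenario["freq_mode"])
        events = _poisson(rng, lam)
        year_loss = sum(
            rng.triangular(scenario["loss_low"], scenario["loss_high"],
                           scenario["loss_mode"])
            for _ in range(events)
        )
        losses.append(year_loss)
    losses.sort()
    return {"mean": sum(losses) / trials, "p90": losses[int(0.9 * trials)]}


def compare_controls(baseline, with_control, annual_control_cost,
                     trials=20000, seed=42):
    """Expected annual benefit of the control = loss avoided minus its cost."""
    base = simulate_annual_loss(baseline, trials, seed)
    ctrl = simulate_annual_loss(with_control, trials, seed)
    return {
        "baseline": base,
        "with_control": ctrl,
        "expected_benefit": base["mean"] - ctrl["mean"] - annual_control_cost,
    }


# Constructed placeholder estimates (assumptions, not data from the thread).
SOFTWARE_KEY_MGMT = {
    "freq_low": 0.05, "freq_mode": 0.2, "freq_high": 0.5,
    "loss_low": 50_000, "loss_mode": 300_000, "loss_high": 2_000_000,
}
WITH_HSM = {
    "freq_low": 0.005, "freq_mode": 0.02, "freq_high": 0.05,
    "loss_low": 50_000, "loss_mode": 300_000, "loss_high": 2_000_000,
}
HSM_ANNUAL_COST = 20_000  # recurrent spend figure quoted earlier in the thread


def example():
    return compare_controls(SOFTWARE_KEY_MGMT, WITH_HSM, HSM_ANNUAL_COST)


if __name__ == "__main__":
    for k, v in example().items():
        print(k, v)
```

Reading the output: a positive expected benefit means the HSM (or whichever control you model) pays for itself on expectation; the p90 values show the tail exposure a compensating control leaves behind, which is usually the number an auditor or board asks about.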
@dhouser I have a similar project, except it is the replacement of existing HSMs for a financial institution dealing with mainframes and batch jobs etc., as well as regulatory requirements for both Australia and New Zealand. Their approach is to replace the existing HSMs with similar systems, upgraded by carrying out a migration. However, there is room for reviewing the use of cloud-based HSMs on a leased basis, but data sovereignty, latency and business continuity issues become very relevant when weighing up the risk factors.
Much of the influence comes from the application architects, who have spent years developing tools and applications, including integrations for on-premise systems. One of the drivers will be in the space of an HSM lifespan being five years or more (normally greater, until support runs out altogether): to take the lowest-risk direction, i.e. pay the fees for the replacement, despite not looking to the future of digital banks and electronic fund transfer mechanisms.
Many times the FIPS 140-1 level 3 and banking regulations drive the way forward, especially if there are PCI DSS requirements and auditing, with integration factors required regularly. In this case the Reserve Bank has its own regulations, which are regularly audited, allowing payment transfer mechanisms only a window of 6 hours of outage before a large penalty is delivered to the offending financial institution.
Regards
Caute_Cautim.